Cisco 1921 Static NAT Problem (Remote Access)

pszewczyk2
Level 1

Hi there,

I have a strange problem with Cisco 1921 static NAT. Part of the statically NATted hosts are accessible from the WAN and others aren't. For hosts like PCs remote access works (remote desktop), but for IP cameras or the PBX it doesn't. All devices are properly configured with static addresses in network 192.168.1.0 and are fully accessible from the LAN. I'm replacing an old Linksys RV042 router with a Cisco 1921. With the previous router all one-to-one NAT translations worked. With the new 1921 I get problems. Could you help me with it? This is my config:

Building configuration...

Current configuration : 4528 bytes
!
! Last configuration change at 11:06:59 PCTime Wed Aug 22 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX_ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 4 kB/dVo2CJav1cnVAC1x4uvuUsXYvtYTifXj5JrDOhqk
!
no aaa new-model
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
ip source-route
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool XXX_OFFICE_DHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
!
no ip domain lookup
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1285045188
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1285045188
 revocation-check none
 rsakeypair TP-self-signed-1285045188
!
crypto pki certificate chain TP-self-signed-1285045188
 certificate self-signed 01


        quit
license udi pid CISCO1921/K9 sn XXXXXXXXXXX
!
username admin privilege 15 password 0 XXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description NETIA_WAN
 ip address 77.252.XXX.XXZ 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list INTERNET interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.2 77.252.XXX.XXA
ip nat inside source static 192.168.1.195 77.252.XXX.XXB
ip nat inside source static 192.168.1.3 77.252.XXX.XXC
ip nat inside source static 192.168.1.4 77.252.XXX.XXD
ip nat inside source static 192.168.1.229 77.252.XXX.XXE
ip nat inside source static 192.168.1.187 77.252.XXX.XXF
ip nat inside source static 192.168.1.205 77.252.XXX.XXG
ip nat inside source static 192.168.1.240 77.252.XXX.XXH
ip route 0.0.0.0 0.0.0.0 77.252.XXX.XXX
!
ip access-list standard INTERNET
 permit any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

2 Replies

Hi Piotr,

Try to better define the ACL. At the moment you are combining overloading with static NAT for the same subnet. You should separate these IP spaces.

Alessio

Update: 5 points to you then

Thanks Alessio for your suggestion. I did it, but without proper result. I think I found the issue. I added two lines to the running config:

ip nat translation tcp-timeout 600
ip nat translation udp-timeout 600

I'm on CCNA level, so I'm not able to explain why after adding these two lines to the config, static NAT started to work properly for all hosts, even if static NAT is combined with an overlapping subnet. Maybe in the NAT translation table I had old dynamic translations created before the static NAT configuration.
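As an added example (not posted by anyone in this thread), this is the ACL split Alessio describes, applied to the addresses in the posted config, together with the cleanup that addresses the stale-translation theory in the last reply. It assumes both `ip nat inside` subnets (192.168.1.0/24 and 192.168.99.0/24) should keep using the overload, and relies only on standard IOS commands (`clear ip nat translation`, `show ip nat translations`).

```cisco
! Separate the two address spaces: the eight statically mapped hosts are excluded
! from the overload ACL so they only ever use their one-to-one mapping; everything
! else on the two inside subnets keeps using PAT on GigabitEthernet0/0.
no ip access-list standard INTERNET
ip access-list standard INTERNET
 deny   host 192.168.1.2
 deny   host 192.168.1.3
 deny   host 192.168.1.4
 deny   host 192.168.1.187
 deny   host 192.168.1.195
 deny   host 192.168.1.205
 deny   host 192.168.1.229
 deny   host 192.168.1.240
 permit 192.168.1.0 0.0.0.255
 permit 192.168.99.0 0.0.0.255
!
! Dynamic translations created before the static entries existed stay in the table
! until their timer expires (IOS default tcp-timeout is 86400 s, udp-timeout 300 s),
! which is why shortening the timers to 600 s "fixed" it. Drop them explicitly instead;
! static entries are not affected by this command.
clear ip nat translation *
!
! Verify: a camera or PBX host should now show only its static (port-less) entry.
show ip nat translations | include 192.168.1.195
! Expected shape of the output (inside global masked as in the original post):
! --- 77.252.XXX.XXB      192.168.1.195      ---                ---
```

If `show ip nat translations` still lists a `tcp`/`udp` entry with a port for one of the static hosts after the clear, that host is still matching the overload ACL and the deny line for it needs checking.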
