NAT port forwarding not working (WAN, NAT, VLAN, WWW internal server)

Koblensky
Level 1

Hi All,


I've been struggling a little bit with internal services (such as WWW) being accessible from my external public IP address. I've removed the firewall and particular configuration and left "only" NAT; I'm interested in letting 10.0.102.8:80 be accessible via MY.PUBLIC.IP.43.

From a first debug you can see that I get "NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)"; is that a problem?

blackDevil#ter mon
blackDevil#
*Apr 13 15:31:25.369: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [23023]
*Apr 13 15:31:26.525: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:31.625: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3337]
*Apr 13 15:31:32.217: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53004]
*Apr 13 15:31:34.621: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3338]
*Apr 13 15:31:35.213: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53005]
*Apr 13 15:31:40.349: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:40.349: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:40.621: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3339]
*Apr 13 15:31:41.213: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53006]
*Apr 13 15:31:50.957: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [58527]
*Apr 13 15:31:51.581: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [59608]
*Apr 13 15:31:53.965: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [63773]
*Apr 13 15:31:54.173: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:54.497: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [64711]
*Apr 13 15:31:54.685: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:57.217: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [4206]
*Apr 13 15:31:57.245: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:57.821: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [5397]
*Apr 13 15:31:58.269: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:00.317: NAT: expiring MY.PUBLIC.IP.46 (MY.PUBLIC.IP.43) tcp 445 (445)
*Apr 13 15:32:01.045: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [10949]
*Apr 13 15:32:03.577: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [15228]
*Apr 13 15:32:04.237: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [16314]
*Apr 13 15:32:10.045: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:10.557: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:12.553: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [16841]
*Apr 13 15:32:15.553: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [16842]
*Apr 13 15:32:21.553: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [16843]
*Apr 13 15:32:24.893: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:25.405: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:40.765: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:41.277: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)

and from:

blackDevil#show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
udp MY.PUBLIC.IP.43:500     10.0.102.7:500        ---                   ---
udp MY.PUBLIC.IP.43:1701    10.0.102.7:1701       ---                   ---
tcp MY.PUBLIC.IP.43:1723    10.0.102.7:1723       ---                   ---
tcp MY.PUBLIC.IP.43:3283    10.0.102.7:3283       ---                   ---
udp MY.PUBLIC.IP.43:3283    10.0.102.7:3283       ---                   ---
udp MY.PUBLIC.IP.43:4500    10.0.102.7:4500       ---                   ---
tcp MY.PUBLIC.IP.43:80      10.0.102.8:80         71.235.179.213:63300  71.235.179.213:63300
tcp MY.PUBLIC.IP.43:80      10.0.102.8:80         123.125.66.127:51337  123.125.66.127:51337
tcp MY.PUBLIC.IP.43:80      10.0.102.8:80         ---                   ---

where it seems that everything is working fine? I also thought it could be a further problem, maybe with routing over the VLAN, but the following command shows that 10.0.102.8 is reachable and the local network works fine:

blackDevil# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is MY.PUBLIC.IP.41 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via MY.PUBLIC.IP.41
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.101.0/24 is directly connected, GigabitEthernet0/1
L        10.0.101.1/32 is directly connected, GigabitEthernet0/1
C        10.0.102.0/24 is directly connected, GigabitEthernet0/1.2
L        10.0.102.10/32 is directly connected, GigabitEthernet0/1.2
C        10.0.104.0/24 is directly connected, GigabitEthernet0/1.1
L        10.0.104.1/32 is directly connected, GigabitEthernet0/1.1
      MY.PUBLIC.IP.0/24 is variably subnetted, 4 subnets, 3 masks
S        MY.PUBLIC.IP.0/24 [1/0] via MY.PUBLIC.IP.41
C        MY.PUBLIC.IP.40/29 is directly connected, GigabitEthernet0/0
L        MY.PUBLIC.IP.43/32 is directly connected, GigabitEthernet0/0
L        MY.PUBLIC.IP.46/32 is directly connected, GigabitEthernet0/0

Here is my configuration:

Building configuration...

Current configuration : 11932 bytes
!
! Last configuration change at 15:40:40 UTC Tue Apr 13 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blackDevil
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 6 log
logging buffered 51200 warnings
logging console critical
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain list mydomain.org
ip domain name mydomain.org
ip host cisco 10.0.102.10
ip name-server 24.29.99.35
ip name-server 24.29.99.36
ip name-server 10.0.102.7
no ip port-map kazaa2 port tcp description Kazaa Version 2
ip port-map user-min-latse port tcp 2007
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1794697833
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1794697833
revocation-check none
rsakeypair TP-self-signed-1794697833
!
!
crypto pki certificate chain TP-self-signed-1794697833
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31373934 36393738 3333301E 170D3130 30333130 31343136
  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37393436
  39373833 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CDC1 FB9E542B 2447E740 1AF77128 CF11AE6C 5DB8610D 639BB7F6 13F019A0
  53218DCE 059F98A7 B5487050 A01A54D6 EDE5F9B2 246BE43E 9808E990 0616D536
  D9AEEB8A 9C5473C8 293E8B99 4EA1D3DB ED86E05E A83E84D3 F60C034C 3A79753C
  F9BAB07F 3F05B924 52DE95A9 99FCB393 A2F615F0 9AEE16CA 6DCF7B92 E912344C
  8CA50203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
--More--
*Apr 13 15:40:40.645: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.
  551D1104 18301682 14626C61 636B4465 76696C2E 74726163 652E6F72 67301F06
  03551D23 04183016 80147F0B 29A1AEDB 3BEA0E2D 567A3F89 78FAB4F2 26FB301D
  0603551D 0E041604 147F0B29 A1AEDB3B EA0E2D56 7A3F8978 FAB4F226 FB300D06
  092A8648 86F70D01 01040500 03818100 1E4463DF 53EF474E C59E4538 BF22C986
  14B0603D 5CB2B996 6AAACB09 4C8CD72E F1236E4E 77D9DA37 DAB7D888 30841A97
  83569319 C5A1D770 7F4F2D0B AC306E16 20D68FF6 9AA995F5 0CF46251 7065DFC1
  D61752DA 8311EA33 9C9DD18B 73714CE4 BE63640D 2B8A59E3 40C6B878 A507516D
  597D2949 6D2ADC44 55982E53 C0951A14
  quit
license udi pid CISCO1941/K9 sn FTX1406782P
!
!
username admin privilege 15 secret 5 $dsgsdfgsdfgsdfgsdfgsfgd.
!
redundancy
!
!
!
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$$FW_OUTSIDE$
ip address MY.PUBLIC.IP.43 255.255.255.248 secondary
ip address MY.PUBLIC.IP.46 255.255.255.248
ip broadcast-address MY.PUBLIC.IP.47
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 10.0.101.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.1
description DMZ$FW_DMZ$
encapsulation dot1Q 4
ip address 10.0.104.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.2
description MZ (mydomain ny private zone)$FW_INSIDE$
encapsulation dot1Q 2
ip address 10.0.102.10 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.102.8 80 MY.PUBLIC.IP.43 80 extendable
ip nat inside source static udp 10.0.102.7 500 MY.PUBLIC.IP.43 500 extendable
ip nat inside source static udp 10.0.102.7 1701 MY.PUBLIC.IP.43 1701 extendable
ip nat inside source static tcp 10.0.102.7 1723 MY.PUBLIC.IP.43 1723 extendable
ip nat inside source static tcp 10.0.102.201 2007 MY.PUBLIC.IP.43 2007 extendable
ip nat inside source static tcp 10.0.102.7 3283 MY.PUBLIC.IP.43 3283 extendable
ip nat inside source static udp 10.0.102.7 3283 MY.PUBLIC.IP.43 3283 extendable
ip nat inside source static udp 10.0.102.7 4500 MY.PUBLIC.IP.43 4500 extendable
ip default-network MY.PUBLIC.IP.41
ip route 0.0.0.0 0.0.0.0 MY.PUBLIC.IP.41 permanent
!
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host MY.PUBLIC.IP.46
ip access-list extended min-internal-server
permit ip any host MY.PUBLIC.IP.43
!
access-list 1 permit 10.0.102.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.0.104.0 0.0.0.255
access-list 2 permit 10.0.102.0 0.0.0.255
access-list 2 permit any
access-list 3 permit MY.PUBLIC.IP.43
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.102.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.0.102.201
access-list 104 permit ip 0.0.0.0 255.255.255.0 any
access-list 105 permit ip any host 10.0.102.8
access-list 105 permit tcp any MY.PUBLIC.IP.40 0.0.0.7 eq www
access-list 105 permit tcp any 10.0.102.0 0.0.0.255 eq www
access-list 105 permit ip any any
access-list 106 remark for services to MacOSX server like vpn
access-list 106 permit ip any host 10.0.102.7
access-list 107 remark for services to latse calendar
access-list 107 permit ip any host 10.0.102.201
access-list 195 permit ip 0.0.0.56 255.255.255.0 any
access-list 2000 permit 80 any 0.0.0.3 255.255.255.248
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Do you have any suggestions? Thank you!!
2 Replies

Jennifer Halim
Cisco Employee

The problem is you have configured the same ip address as the router secondary ip address.

Remove that secondary ip address from gig0/0, that should work.

Thank you for your reply. Actually, as you can see in the configuration, gig0/0 has 2 different addresses:

MY.PUBLIC.IP.43

MY.PUBLIC.IP.46

The configuration of the router is working; the problem was in the routing parameters of the server behind it (the HTTP service). Shame on me!!

thanks
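The debug capture in the first post already contains the fingerprint of the cause confirmed in the last reply. Every translated packet is outside-to-inside (IOS prints these as s=<outside>, d=MY.PUBLIC.IP.43->10.0.102.8), and each entry then simply expires; there is not a single inside-to-outside reply line, which IOS would print as s=10.0.102.8->MY.PUBLIC.IP.43, d=<outside>. The router forwarded the SYNs to the server, but the server's answers never came back through the NAT router, which is what a wrong default gateway on the server looks like from the router's side. The script below is an added example and not part of the thread: it parses `debug ip nat` lines of that shape and flags inside hosts whose traffic is inbound-only. The first sample is a handful of lines copied from the post; the second, "healthy" sample is constructed for contrast, with 203.0.113.9 as a made-up outside address and the reply line written in the format IOS uses for inside-to-outside translations.

```python
"""Flag inbound-only NAT flows in Cisco IOS `debug ip nat` output.

Added example, not code from the post. A static port forward that receives
translated packets but never sees a reply from the inside host usually means
the inside host's return path does not go through the NAT router (wrong
default gateway), not a NAT misconfiguration.
"""
import re
from collections import defaultdict

# Inside->outside (reply) packets: "s=<inside local>-><inside global>, d=<outside>"
OUTBOUND = re.compile(
    r"NAT\*?: s=(?P<local>[^,\s>]+)->(?P<glob>[^,\s]+), d=(?P<dst>[^,\s]+) \[(?P<ipid>\d+)\]"
)
# Outside->inside packets: "s=<outside>, d=<inside global>-><inside local>"
# (the "NAT*" form means the packet was translated in the fast-switched path;
# the bracketed number is the IP identification field)
INBOUND = re.compile(
    r"NAT\*?: s=(?P<src>[^,\s]+), d=(?P<glob>[^,\s>]+)->(?P<local>[^,\s]+) \[(?P<ipid>\d+)\]"
)
# Entry timeout: "NAT: expiring <inside global> (<inside local>) <proto> <gport> (<lport>)"
EXPIRE = re.compile(
    r"NAT: expiring (?P<glob>\S+) \((?P<local>[^)]+)\) (?P<proto>\w+) (?P<gport>\d+) \((?P<lport>\d+)\)"
)

# Lines copied from the post: only inbound translations, then expirations.
SAMPLE_FROM_POST = """\
*Apr 13 15:31:25.369: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [23023]
*Apr 13 15:31:26.525: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:31.625: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3337]
*Apr 13 15:31:32.217: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53004]
*Apr 13 15:31:40.349: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:50.957: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [58527]
"""

# Constructed healthy capture (assumption, not from the post): the server's
# reply is translated back out, so both directions appear.
SAMPLE_HEALTHY = """\
*Apr 13 15:31:25.369: NAT*: s=203.0.113.9, d=MY.PUBLIC.IP.43->10.0.102.8 [100]
*Apr 13 15:31:25.371: NAT*: s=10.0.102.8->MY.PUBLIC.IP.43, d=203.0.113.9 [7]
"""


def analyze(debug_text):
    """Count inbound packets, reply packets, expirations and distinct peers per inside host."""
    stats = defaultdict(lambda: {"inbound": 0, "outbound": 0, "expired": 0, "peers": set()})
    for line in debug_text.splitlines():
        if m := OUTBOUND.search(line):
            stats[m["local"]]["outbound"] += 1
        elif m := INBOUND.search(line):
            host = stats[m["local"]]
            host["inbound"] += 1
            host["peers"].add(m["src"])
        elif m := EXPIRE.search(line):
            stats[m["local"]]["expired"] += 1
    return dict(stats)


def diagnose(stats):
    """Classify each inside host: inbound-only is the asymmetric-return-path symptom."""
    verdicts = {}
    for host, h in stats.items():
        if h["inbound"] and not h["outbound"]:
            verdicts[host] = "inbound-only"
        elif h["inbound"]:
            verdicts[host] = "bidirectional"
        elif h["outbound"]:
            verdicts[host] = "outbound-only"
        else:
            verdicts[host] = "expire-only"
    return verdicts


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_FROM_POST), ("healthy", SAMPLE_HEALTHY)):
        stats = analyze(text)
        for host, verdict in diagnose(stats).items():
            h = stats[host]
            print(f"{label}: {host}: {verdict} (in={h['inbound']} out={h['outbound']} "
                  f"expired={h['expired']} peers={len(h['peers'])})")
```

A host reported as inbound-only with a growing expiration count is the pattern from the post: the NAT entry is created by the arriving SYN, no reply ever traverses the router, and the entry ages out. On the server, the check is whether its default gateway is the router's address on that VLAN (10.0.102.10 on GigabitEthernet0/1.2 in the configuration above); if it points elsewhere, or the server has a second interface with its own default route, replies to Internet clients leave by a path the NAT router never sees.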
