
New Member

NAT Priority Question

Hi, I have a 887W and would appreciate help sorting out a NAT question.

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 deny   tcp host 192.168.1.49 eq domain any
access-list 100 deny   udp host 192.168.1.49 eq domain any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

My question relates to only one server so it is included. I have about 10 servers in the LAN.

I have a secondary DNS in the WAN. When my DNS server sends out notify messages to the secondary DNS, the secondary DNS receives the messages from Dialer0 (165.228.87.236) and rejects the notify messages because it expects the messages to come from 203.36.222.123.

How do I change the NAT settings so that 192.168.1.49 outgoing traffic will appear on the outside as 203.36.222.123?

regards, Mark

26 REPLIES
Silver

NAT Priority Question

Mark Gregory wrote:

Hi, I have a 887W and would appreciate help sorting out a NAT question.

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

My question relates to only one server so it is included. I have about 10 servers in the LAN.

I have a secondary DNS in the WAN. When my DNS server sends out notify messages to the secondary DNS, the secondary DNS receives the messages from Dialer0 (165.228.87.236) and rejects the notify messages because it expects the messages to come from 203.36.222.123.

How do I change the NAT settings so that 192.168.1.49 outgoing traffic will appear on the outside as 203.36.222.123?

regards, Mark

Where is this 203.36.222.123 address?

You can't tell your router to NAT outbound traffic to an IP address which isn't configured on its external interface. And, since your external interface is 165.228.87.236, you're out of luck.

It'd be far easier for you to configure your secondary DNS to accept messages from the 165 address than to try and play silly buggers with your NAT configuration.

Cheers.

New Member

NAT Priority Question

Hi Darren, thank you for the reply. The IP 203.36.222.123 is part of a 3-bit subnet that terminates at Dialer0. So Dialer0 has a single IP provided by the ISP and also a 3-bit subnet that I use for my servers. There is no other interface or way from the WAN to the LAN.

I have no control over the secondary DNS and therefore need to resolve this issue locally.

regards, Mark

Silver

NAT Priority Question

Mark Gregory wrote:

Hi Darren, thank you for the reply. The IP 203.36.222.123 is part of a 3-bit subnet that terminates at Dialer0. So Dialer0 has a single IP provided by the ISP and also a 3-bit subnet that I use for my servers. There is no other interface or way from the WAN to the LAN.

I have no control over the secondary DNS and therefore need to resolve this issue locally.

regards, Mark

Ahhh, OK - so you do have those IP addresses somewhere. I assume they're routed to the IP of dialer0 by the ISP?

To NAT to this address, you need to have the router aware of the subnet - you have to configure it somewhere so the router knows it can route/NAT to/from this address.

Off the top of my head, I can't suggest a method to do this - I do it on my ASA firewalls, but I've never done this on a small router - not sure if the DMZ functionality is supported on the 887W, but have a look at this document

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.html#wp1050856

and see if you can configure a DMZ and connect your DNS to that.

Because they're "live" addresses, you really shouldn't have to NAT them - can you maybe configure your internal DNS server with a second NIC and connect that into the DMZ configured above? Or even just move your DNS server into the DMZ process above and have your internal devices point to the "live" IP address (since once you configure the DMZ the router should know how to route to it, and lookups/management should work OK)?

Sorry I can't offer more. I can't think of a way to do what you want with NAT.

New Member

NAT Priority Question

Hi Darren, thank you for the answer. I will hope that someone with more NAT experience can help. I don't want to set up a DMZ, I just need the static commands to override the overload command as it is not doing so now.

regards,

Mark

New Member

NAT Priority Question

Hi, anyone have any ideas how to get this to work correctly please.

regards, Mark

NAT Priority Question

Mark,

Can you run "debug ip nat" and do a dns query from that box so we can see if the router is even translating it? At first sight, I think your acl is overriding your static. If you remove the deny entry from your acl 100 for dns it should work. But if you don't want to do that, you can do a debug first on nat. What I think you'll find is that you're not seeing anything from that address on that port because it's not being natted in the first place. As a test, can you remove those lines from the acl?

John

HTH, John *** Please rate all useful posts ***
New Member

NAT Priority Question

Hi John,

I had removed the deny lines a week ago, as they appear to be doing nothing and the problem persists.

I logged into the router using ssh, ran "enable" and then "debug ip nat". I went to the DNS server and did a DNS lookup on an external DNS server. How do I see the results of the debug ip nat?

regards, Mark

NAT Priority Question

You'll need to type:

term mon

Then do your debug. After you're done, you'll type "term no mon" to get back to the prompt. Be careful if you have a lot of traffic though. You can create an acl and apply it for just that one host like this:

access-list 10 permit host 192.168.1.49

debug ip nat 10

HTH, John *** Please rate all useful posts ***
New Member

NAT Priority Question

Are you using an address from the 203.36.222.123 range on your DNS server?

If you are using an address from the above range on your DNS, then just route the traffic to Dialer0 and there is no need for NATting, as it is a public address and routable via the internet.

HTH

New Member

NAT Priority Question

Hi, As the problem states at the top..... I have a 3 bit range for my servers. I use this range for the DNS server. The IP 203.36.222.123 is public yes, but I cannot use this for the servers. This IP changes periodically.

Surely a $1300 Cisco 887W (which is one of the worst devices I have ever purchased - where is the gigabit 4-port switch?) can do what I need?

This is quite frustrating as it should be working.

I would appreciate assistance.

regards, Mark

New Member

NAT Priority Question

I'm using PuTTY and the buffer does not appear very long. I have a lot of DNS traffic going to the DNS server. I have tried to capture the DNS lookup from the DNS server to an external DNS server.

Apr  6 10:47:25.967: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236

Apr  6 10:47:25.967: NAT: Dns type of Response

Apr  6 10:47:25.967:    : dns len=256, id=25, aa=0, tc=0, rd=1, ra=1

Apr  6 10:47:25.967:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:25.967:    : ancount=6, nscount=4, arcount=4

Apr  6 10:47:25.967:      query name is www.google.com, qtype=1,

Apr  6 10:47:25.967: Answer section:

Apr  6 10:47:25.967:    Name='www.google.com'

Apr  6 10:47:25.967:    RR type=5,, ttl=319239, data length=8

Apr  6 10:47:25.967:      CNAME='www.l.google.com'

Apr  6 10:47:25.967:    Name='www.l.google.com'

Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.967:      IP=74.125.237.49

Apr  6 10:47:25.967:    Name='www.l.google.com'

Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.967:      IP=74.125.237.50

Apr  6 10:47:25.967:    Name='www.l.google.com'

Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.967:      IP=74.125.237.51

Apr  6 10:47:25.967:    Name='www.l.google.com'

Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.967:      IP=74.125.237.52

Apr  6 10:47:25.967:    Name='www.l.google.com'

Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.967:      IP=74.125.237.48

Apr  6 10:47:25.967: Authority section:

Apr  6 10:47:25.967:    Name='google.com'

Apr  6 10:47:25.967:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.967:      NS='ns3.google.com'

Apr  6 10:47:25.967:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns2.google.com'

Apr  6 10:47:25.971:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns4.google.com'

Apr  6 10:47:25.971:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns1.google.com'

Apr  6 10:47:25.971: Additional record section:

Apr  6 10:47:25.971:    Name='ns1.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4

Apr  6 10:47:25.971:      IP=216.239.32.10

Apr  6 10:47:25.971:    Name='ns2.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4

Apr  6 10:47:25.971:      IP=216.239.34.10

Apr  6 10:47:25.971:    Name='ns3.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4

Apr  6 10:47:25.971:      IP=216.239.36.10

Apr  6 10:47:25.971:    Name='ns4.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4

Apr  6 10:47:25.971:      IP=216.239.38.10

Apr  6 10:47:25.971: NAT (UDP-DNS): After Translation

Apr  6 10:47:25.971: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236

Apr  6 10:47:25.971: NAT: Dns type of Response

Apr  6 10:47:25.971:    : dns len=256, id=25, aa=0, tc=0, rd=1, ra=1

Apr  6 10:47:25.971:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:25.971:    : ancount=6, nscount=4, arcount=4

Apr  6 10:47:25.971:      query name is www.google.com, qtype=1,

Apr  6 10:47:25.971: Answer section:

Apr  6 10:47:25.971:    Name='www.google.com'

Apr  6 10:47:25.971:    RR type=5,, ttl=0, data length=8

Apr  6 10:47:25.971:      CNAME='www.l.google.com'

Apr  6 10:47:25.971:    Name='www.l.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.971:      IP=74.125.237.49

Apr  6 10:47:25.971:    Name='www.l.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.971:      IP=74.125.237.50

Apr  6 10:47:25.971:    Name='www.l.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.971:      IP=74.125.237.51

Apr  6 10:47:25.971:    Name='www.l.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.971:      IP=74.125.237.52

Apr  6 10:47:25.971:    Name='www.l.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4

Apr  6 10:47:25.971:      IP=74.125.237.48

Apr  6 10:47:25.971: Authority section:

Apr  6 10:47:25.971:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns3.google.com'

Apr  6 10:47:25.971:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns2.google.com'

Apr  6 10:47:25.971:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns4.google.com'

Apr  6 10:47:25.971:    Name='google.com'

Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6

Apr  6 10:47:25.971:      NS='ns1.google.com'

Apr  6 10:47:25.971: Additional record section:

Apr  6 10:47:25.971:    Name='ns1.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4

Apr  6 10:47:25.971:      IP=216.239.32.10

Apr  6 10:47:25.971:    Name='ns2.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4

Apr  6 10:47:25.971:      IP=216.239.34.10

Apr  6 10:47:25.971:    Name='ns3.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4

Apr  6 10:47:25.971:      IP=216.239.36.10

Apr  6 10:47:25.971:    Name='ns4.google.com'

Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4

Apr  6 10:47:25.971:      IP=216.239.38.10

Apr  6 10:47:25.971: NAT: s=139.130.4.4, d=165.228.87.236->192.168.1.49 [22175]

Apr  6 10:47:25.975:  mapping pointer available mapping:0

Apr  6 10:47:25.975: NAT: [0] Allocated Port for 192.168.1.49 -> 165.228.87.236: wanted 58582 got 58582

Apr  6 10:47:25.995: NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]

Apr  6 10:47:25.995: NAT (UDP-DNS): Before Translation

Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4

Apr  6 10:47:25.995: NAT: Dns type of Query

Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0

Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0

Apr  6 10:47:25.995: NAT (UDP-DNS): After Translation

Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4

Apr  6 10:47:25.995: NAT: Dns type of Query

Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0

Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0

Apr  6 10:47:25.995: NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]

Apr  6 10:47:26.011: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9110]

Apr  6 10:47:26.011: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9110]

Apr  6 10:47:26.011: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9111]

Apr  6 10:47:26.015: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9111]

Apr  6 10:47:26.015: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32192]

Apr  6 10:47:26.015: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32192]

Apr  6 10:47:26.023: NAT: o: udp (139.130.4.4, 53) -> (165.228.87.236, 58582) [24151]

Apr  6 10:47:26.023: NAT (UDP-DNS): Before Translation

Apr  6 10:47:26.023: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236

Apr  6 10:47:26.023: NAT: Dns type of Response

Apr  6 10:47:26.023:    : dns len=90, id=26, aa=0, tc=0, rd=1, ra=1

Apr  6 10:47:26.023:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:26.023:    : ancount=1, nscount=1, arcount=0

Apr  6 10:47:26.023:      query name is www.google.com, qtype=28,

Apr  6 10:47:26.023: Answer section:

Apr  6 10:47:26.023:    Name='www.google.com'

Apr  6 10:47:26.023:    RR type=5,, ttl=319239, data length=8

Apr  6 10:47:26.023:      CNAME='www.l.google.com'

Apr  6 10:47:26.023: Authority section:

Apr  6 10:47:26.023:    Name='l.google.com'

Apr  6 10:47:26.023:    RR type=6,, ttl=574, data length=38

Apr  6 10:47:26.023:      MNAME='ns3.google.com'

Apr  6 10:47:26.023:      RNAME='dns-admin.google.com'

Apr  6 10:47:26.023:      SERIAL=1481899l, REFRESH=900l, RETRY=900, EXPIRE=1800l, MINIMUM=60l

Apr  6 10:47:26.023: Additional record section:

Apr  6 10:47:26.023: NAT (UDP-DNS): After Translation

Apr  6 10:47:26.023: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236

Apr  6 10:47:26.023: NAT: Dns type of Response

Apr  6 10:47:26.023:    : dns len=90, id=26, aa=0, tc=0, rd=1, ra=1

Apr  6 10:47:26.023:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:26.023:    : ancount=1, nscount=1, arcount=0

Apr  6 10:47:26.023:      query name is www.google.com, qtype=28,

Apr  6 10:47:26.023: Answer section:

Apr  6 10:47:26.023:    Name='www.google.com'

Apr  6 10:47:26.023:    RR type=5,, ttl=0, data length=8

Apr  6 10:47:26.023:      CNAME='www.l.google.com'

Apr  6 10:47:26.023: Authority section:

Apr  6 10:47:26.023:    Name='l.google.com'

Apr  6 10:47:26.023:    RR type=6,, ttl=574, data length=38

Apr  6 10:47:26.023:      MNAME='ns3.google.com'

Apr  6 10:47:26.023:      RNAME='dns-admin.google.com'

Apr  6 10:47:26.023:      SERIAL=1481899l, REFRESH=900l, RETRY=900, EXPIRE=1800l, MINIMUM=60l

Apr  6 10:47:26.023: Additional record section:

Apr  6 10:47:26.023: NAT: s=139.130.4.4, d=165.228.87.236->192.168.1.49 [24151]

Apr  6 10:47:26.891: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9715]

Apr  6 10:47:26.891: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9715]

Apr  6 10:47:26.891: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9716]

Apr  6 10:47:26.891: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9716]

Apr  6 10:47:26.891: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [10945]

Apr  6 10:47:26.891: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [10945]

Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60867) -> (203.36.222.122, 443) [32204]

Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=203.36.222.122 [32204]

Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32205]

Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32205]

Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32206]

Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32206]

Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32207]

Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32207]

Apr  6 10:47:27.683: NAT*: o: tcp (165.228.87.236, 60867) -> (203.36.222.122, 443) [32204]

Apr  6 10:47:27.683: NAT*: s=165.228.87.236, d=203.36.222.122->192.168.1.50 [32204]

Apr  6 10:47:27.683: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [11943]

Apr  6 10:47:27.683: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [11943]

Apr  6 10:47:27.683: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32208]

Apr  6 10:47:27.683: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32208]

Apr  6 10:47:27.683: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32209]

Apr  6 10:47:27.683: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32209]

Apr  6 10:47:28.375: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [13913]

Apr  6 10:47:28.375: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [13913]

Apr  6 10:47:28.375: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [14615]

Apr  6 10:47:28.375: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [14615]

Apr  6 10:47:28.375: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32223]

Apr  6 10:47:28.375: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32223]

Apr  6 10:47:28.375: NAT: expiring 165.228.87.236 (192.168.1.88) udp 57435 (57435)

Apr  6 10:47:29.307: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [15934]

Apr  6 10:47:29.307: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [15934]

Apr  6 10:47:29.307: NAT*: i: udp (192.168.1.88, 57435) -> (58.96.69.61, 24618) [32225]

Apr  6 10:47:29.307: NAT*: s=192.168.1.88->165.228.87.236, d=58.96.69.61 [32225]

Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32226]

Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32226]

Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32227]

Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32227]

Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32228]

Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32228]

Apr  6 10:47:29.311:  mapping pointer available mapping:0

Apr  6 10:47:29.311: NAT: [0] Allocated Port for 192.168.1.88 -> 165.228.87.236: wanted 60869 got 60869

Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60869) -> (65.54.240.230, 443) [32229]

Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60869) -> (65.54.240.230, 443) [32229]

Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.54.240.230 [32229]

Apr  6 10:47:29.863: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [18124]

Apr  6 10:47:29.863: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [18124]

Apr  6 10:47:29.863: NAT*: o: tcp (65.54.240.230, 443) -> (165.228.87.236, 60869) [30297]

NAT Priority Question

Mark,

Did you take your deny lines out? Here's what I'm seeing:

Apr  6 10:47:25.995: NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]

Apr  6 10:47:25.995: NAT (UDP-DNS): Before Translation

Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4

Apr  6 10:47:25.995: NAT: Dns type of Query

Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0

Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0

Apr  6 10:47:25.995: NAT (UDP-DNS): After Translation

Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4

Apr  6 10:47:25.995: NAT: Dns type of Query

Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0

Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1

Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0

Apr  6 10:47:25.995: NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]

You're being natted out as 165.228.87.236. Can you do me a favor? From the 192.168.1.49 server, can you go to www.whatismyip.com and see if it's the 203 address that you have above? Or does that address also show you as 165.228.87.236?

HTH, John *** Please rate all useful posts ***
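The check John is doing by eye above, as an added example that is not part of the thread: a small Python script that pulls the translation lines out of "debug ip nat" output, reports which inside-global (outside) address each inside host actually left with and which inside host each public address was delivered to, and flags any host whose observed outbound address differs from the one it is supposed to use. The sample lines are copied from the debug output posted earlier in the thread; the expected mapping of 192.168.1.49 to 203.36.222.123 is an assumption taken from the static entries in the original config, not something the router reports.

```python
"""Summarise Cisco IOS "debug ip nat" translation lines per inside host.

Added example, not part of the original thread and not Cisco tooling.
Only the two translation-line shapes seen in the thread are parsed; the
"i:"/"o:" packet lines and "expiring" lines are ignored on purpose.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# "NAT: s=<inside local>-><inside global>, d=<dst> [id]"  -> outbound translation
OUTBOUND = re.compile(r"NAT\*?: s=(?P<local>[\d.]+)->(?P<glob>[\d.]+), d=(?P<dst>[\d.]+)")
# "NAT: s=<src>, d=<inside global>-><inside local> [id]"  -> inbound translation
INBOUND = re.compile(r"NAT\*?: s=(?P<src>[\d.]+), d=(?P<glob>[\d.]+)->(?P<local>[\d.]+)")

# Sample input: lines copied from the debug output posted in this thread.
SAMPLE = """\
Apr  6 10:47:25.995: NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]
Apr  6 10:47:25.995: NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]
Apr  6 10:47:26.023: NAT: s=139.130.4.4, d=165.228.87.236->192.168.1.49 [24151]
Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32205]
Apr  6 10:47:27.683: NAT*: s=165.228.87.236, d=203.36.222.122->192.168.1.50 [32204]
Apr  6 10:47:28.375: NAT: expiring 165.228.87.236 (192.168.1.88) udp 57435 (57435)
"""


def summarise(debug_text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (outbound, inbound).

    outbound: inside-local host -> set of inside-global addresses it left with
    inbound:  inside-global address -> set of inside-local hosts it was mapped to
    """
    outbound: Dict[str, Set[str]] = defaultdict(set)
    inbound: Dict[str, Set[str]] = defaultdict(set)
    for line in debug_text.splitlines():
        m = OUTBOUND.search(line)
        if m:
            outbound[m["local"]].add(m["glob"])
            continue
        m = INBOUND.search(line)
        if m:
            inbound[m["glob"]].add(m["local"])
    return dict(outbound), dict(inbound)


def find_mismatches(outbound: Dict[str, Set[str]],
                    expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (host, address-actually-used) for every host that did not leave
    with the address it was expected to use."""
    bad: List[Tuple[str, str]] = []
    for host, want in expected.items():
        for seen in sorted(outbound.get(host, ())):
            if seen != want:
                bad.append((host, seen))
    return bad


if __name__ == "__main__":
    out, inb = summarise(SAMPLE)
    for host, addrs in sorted(out.items()):
        print(f"{host} left as {', '.join(sorted(addrs))}")
    for glob, hosts in sorted(inb.items()):
        print(f"{glob} was delivered to {', '.join(sorted(hosts))}")
    # Assumption: .49 should be leaving as its static address.
    for host, seen in find_mismatches(out, {"192.168.1.49": "203.36.222.123"}):
        print(f"MISMATCH: {host} used {seen}")
```

Feed it a capture taken with the host-scoped "debug ip nat 10" John suggested rather than the unfiltered debug, otherwise the busy hosts drown out the one line you care about; the parser copes either way because it keys everything by inside-local address.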
New Member

NAT Priority Question

Hi,

from the 49 server the IP is seen as 165.228.87.236 by whatsmyip.com

yes I took the deny lines out.

regards, Mark

Re: NAT Priority Question

Mark,

The reason for that test is because you also have a static for port 80. It doesn't look like you're going out as 203.x.x.x. How is the provider giving you the 203 address?

*Edit* I noticed that you have the address statically set on the dialer interface. Do you have a block in the 203 range? If so, you should try to put the 203 address on that interface and your problem should be resolved.

John

HTH, John *** Please rate all useful posts ***
New Member

NAT Priority Question

Hi, it is part of a 3-bit subnet that terminates at 165.228.87.236

more info from my config

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 165.228.87.0 0.0.0.255 any

access-list 104 permit ip any host 192.168.1.49

New Member

Re: NAT Priority Question

The dialer0 interface IP is allocated by service provider ADSL2+. I do not think it can be changed.

I have a 3-bit subnet for the 203.36.222.120 to 127

Can I add this to the dialer interface? I would like to know how to do this.

How would this solve the problem?

regards, Mark

Re: NAT Priority Question

Mark,

The router will nat out an address that's on the external interface. You can nat out a different address on an ASA, but I don't think it's possible to do it with a router. I'd have to lab that up as I've never done it before. If you *cannot* do it, the only option that you have is to put your 203 address on your interface. It will fix the problem because now the router can nat out of the interface address that's physically on the dialer.

John

HTH, John *** Please rate all useful posts ***
New Member

Re: NAT Priority Question

Hi John,

the dialer0 is ADSL2+ so I do not think I can change the interface IP. I thought there would be some sort of priority happening for traffic going out but it appears that this is not the case. I read that using deny on the designated NAT would force the outgoing traffic to use the static NAT. This also appears to have not worked.

I'm at a loss for ideas to try. I would have thought that the 887W was up to this. It certainly cost a lot for a device that did not even come with a Gbps internal switch.

I appreciate your help today and if you have any new ideas, I would appreciate hearing them.

regards, Mark

Re: NAT Priority Question

Mark,

I'll try to lab this up today, but unfortunately I'm not seeing a way around it at the moment. If the provider gave you a block of IPs, they surely should expect you to be using them. Let me play around with it and I'll get back to you.

John

Please rate all useful posts...

HTH, John *** Please rate all useful posts ***
New Member

Re: NAT Priority Question

Hi John,

The 3-bit IP range works great for incoming traffic. I have 5 servers each with incoming ports from separate IP. The only issue is the outgoing notify messages from the primary DNS to the secondary DNS server which is outside the LAN on the internet. It must receive the notify messages from the primary DNS external IP.

Just one small catch.....

I cannot change the Dialer0 IP as it is allocated as part of the ADSL2+ setup - this is allocated by the service provider.

The trick will be to see if the outgoing port 53 can be forced to go out using an IP other than Dialer0.

regards, Mark

Re: NAT Priority Question

Mark,

I labbed it up and here's the problem with your config (I think). If I specify the source port and destination port, it doesn't work because outbound I'm using a high port which explains:

NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53)

Can you do another test? Since all of these addresses go to the same public address, can you remove all of your nat statements and do a 1-1 nat?

ip nat inside source static 192.168.1.49 203.36.222.123 extendable

Since the source port isn't 53, it's not hitting your nat statement and going out your regular pool.

See if that resolves the issue...

John

HTH, John *** Please rate all useful posts ***
New Member

Re: NAT Priority Question

Hi John,

I understand that you're suggesting that I remove all the NAT statements including the designated NAT statement for vlan1 and then do a static nat for 49 to 123

I would need an ACL to only permit port 53 tcp and udp access wouldn't I?

The problem is there are more than the 5 servers on the subnet and they need NAT through Dialer0.

I think I see what you're suggesting. At the moment the ACL is permitting all traffic to access 49 but this is limited by the port translation.

Now you're suggesting translating all of 49 to 123 and using an ACL to limit what ports would be open.

I'm afraid that I would need advice on how to do this. My servers are live and I could take them offline for a while, but not too long.

It is also very late here and I will need to continue tomorrow.

regards, Mark

Re: NAT Priority Question

Mark,

I labbed it up and attached a diagram. You have the correct idea. Do a one-to-one nat on the one address. Everyone else will go out as the other address in the pool that you have:

R3 is natted out as 5.5.5.3 and R4 is natted out as 5.5.5.4. If you notice R1 and R2 are on the 172.12.0.0/24 network. I put a route to 5.5.5.0/24 on R1 pointing back to R2. This works as intended:

Running "debug ip packet" on R1 shows:

Pinging from R3:

*Mar  1 00:12:07.383: IP: tableid=0, s=5.5.5.3 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), routed via RIB

*Mar  1 00:12:07.387: IP: s=5.5.5.3 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), len 100, rcvd 3

*Mar  1 00:12:07.387: IP: tableid=0, s=172.12.0.1 (local), d=5.5.5.3 (FastEthernet0/0), routed via FIB

*Mar  1 00:12:07.391: IP: s=172.12.0.1 (local), d=5.5.5.3 (FastEthernet0/0), len 100, sending

Pinging From R4:

*Mar  1 00:13:03.179: IP: tableid=0, s=5.5.5.4 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), routed via RIB

*Mar  1 00:13:03.183: IP: s=5.5.5.4 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), len 100, rcvd 3

*Mar  1 00:13:03.183: IP: tableid=0, s=172.12.0.1 (local), d=5.5.5.4 (FastEthernet0/0), routed via FIB

*Mar  1 00:13:03.183: IP: s=172.12.0.1 (local), d=5.5.5.4 (FastEthernet0/0), len 100, sending

Here's a "debug ip nat" from R2:

*Mar  1 00:12:07.559: NAT*: s=192.168.234.3->5.5.5.3, d=172.12.0.1 [8]

*Mar  1 00:12:07.611: NAT*: s=172.12.0.1, d=5.5.5.3->192.168.234.3 [8]

*Mar  1 00:13:03.375: NAT*: s=192.168.234.4->5.5.5.4, d=172.12.0.1 [2]

*Mar  1 00:13:03.403: NAT*: s=172.12.0.1, d=5.5.5.4->192.168.234.4 [2]

And finally, here's the config on R2:

ip nat pool NATOnly3 5.5.5.3 5.5.5.3 prefix-length 24

ip nat inside source list NATOnly3 pool NATOnly3

ip nat inside source static 192.168.234.4 5.5.5.4

Extended IP access list NATOnly3

    10 permit ip 192.168.234.0 0.0.0.255 any (1 match)

I'm not denying the address 192.168.234.4 from the ACL, but as you can see above it works fine. From your perspective, if you'll remove all of the port translated static nats and just do the one-to-one, all of your stuff should work fine.

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: NAT Priority Question

Hi John,

thank you for the ideas.

I'm going to work this through and see what happens.

One issue I see potentially is that I would need to exclude 49 from the subnet range to be able to do what you suggest. Your pool is only one IP? What happens when it is the class C that includes the IP of the static?

Are you able to use the same IP ranges that I have so it would be easier to see what is happening?

Hope your easter is going well.

regards, Mark

Re: NAT Priority Question

Mark,

I reset this up for you using the addresses that you have so you can see what it looks like. The topology is the same but the router names have changed because I set this up on a different system, so I'll attach a screenshot:

Here's the config on R7:

interface FastEthernet0/0
 ip address 165.228.87.236 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.1.7 255.255.255.0
 ip nat inside

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.49 203.36.222.123 extendable

Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 any (2 matches)

Routers R8 and R9 have a default gateway that points to R7. There are no default routes on R6. R6 has a static route to the 203 address:

ip route 203.36.222.120 255.255.255.248 165.228.87.236

Running a debug on R7:

Ping from R8:

*Mar  1 00:30:15.139: NAT*: s=192.168.1.50->165.228.87.236, d=165.228.87.1 [46]

*Mar  1 00:30:15.163: NAT*: s=165.228.87.1, d=165.228.87.236->192.168.1.50 [46]

Ping from R9:

*Mar  1 00:30:56.407: NAT*: s=192.168.1.49->203.36.222.123, d=165.228.87.1 [18]

*Mar  1 00:30:56.415: NAT*: s=165.228.87.1, d=203.36.222.123->192.168.1.49 [18]

Running debugs on R6:

Ping from R8:

*Mar  1 00:30:15.571: IP: s=165.228.87.236 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), len 100, rcvd 3

*Mar  1 00:30:15.571: IP: tableid=0, s=165.228.87.1 (local), d=165.228.87.236 (FastEthernet0/0), routed via FIB

*Mar  1 00:30:15.575: IP: s=165.228.87.1 (local), d=165.228.87.236 (FastEthernet0/0), len 100, sending

*Mar  1 00:30:15.603: IP: tableid=0, s=165.228.87.236 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), routed via RIB

Ping from R9:

*Mar  1 00:30:56.835: IP: tableid=0, s=203.36.222.123 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), routed via RIB

*Mar  1 00:30:56.835: IP: s=203.36.222.123 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), len 100, rcvd 3

*Mar  1 00:30:56.835: IP: tableid=0, s=165.228.87.1 (local), d=203.36.222.123 (FastEthernet0/0), routed via FIB

*Mar  1 00:30:56.835: IP: s=165.228.87.1 (local), d=203.36.222.123 (FastEthernet0/0), len 100, sending

*Mar  1 00:30:56.847: IP: tableid=0, s=203.36.222.123 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), routed via RIB

You can see from the acl above that I'm not excluding the .49 address from the pool, but the static nat overrides dynamic nat.

Have a good Easter

John

HTH, John *** Please rate all useful posts ***
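The rule-selection behaviour John works out in his diagnosis (a NOTIFY leaves from an ephemeral port, so it never matches a port-specific static entry and falls through to the overload rule) and confirms in his lab (a 1:1 static wins over the dynamic list without the ACL needing a deny), modelled as an added Python example. This is not part of the thread and not Cisco code; it reproduces only the precedence the thread demonstrates. It also shows why the original "deny ... eq domain" ACL lines changed nothing: they match source port 53, which a NOTIFY does not use. The secondary DNS address 198.51.100.53 and the querying peer 198.51.100.7 are constructed placeholders. One caveat a practitioner will want before copying the 1:1 static into production: it makes every listening port on 192.168.1.49 reachable at 203.36.222.123, so the inbound restriction the four port-specific entries used to provide now has to come from the zone-based firewall policy on out-zone (or an inbound ACL) instead.

```python
"""Model of how Cisco IOS picks an inside-source NAT rule for an outbound packet.

Added example, not part of the original thread and not Cisco code. Modelled rules:
  * StaticPat  ("static tcp|udp <local> <lport> <global> <gport> extendable")
    matches only when protocol, inside-local address AND inside-local port match;
  * StaticNat  ("static <local> <global>") matches the inside-local address, any port;
  * DynamicOverload ("list <acl> interface <if> overload") is consulted last and
    matches via its ACL on source address (and source port when the entry says "eq").
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_local: str
    inside_port: int
    inside_global: str
    global_port: int


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src_net: str                    # "host x" is written as "x/32"
    src_port: Optional[int] = None  # "eq domain" -> 53; None = any source port


@dataclass(frozen=True)
class DynamicOverload:
    acl: Tuple[AclEntry, ...]
    interface_ip: str


Rule = Union[StaticPat, StaticNat, DynamicOverload]


def acl_permits(acl: Tuple[AclEntry, ...], flow: Flow) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", flow.proto):
            continue
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(e.src_net):
            continue
        if e.src_port is not None and e.src_port != flow.sport:
            continue
        return e.action == "permit"
    return False


def translate_outbound(flow: Flow, rules: List[Rule]) -> Optional[Tuple[str, int]]:
    """Return the (inside-global address, port) the packet leaves with, or None."""
    for r in rules:                                   # 1. port-specific statics
        if (isinstance(r, StaticPat) and r.proto == flow.proto
                and r.inside_local == flow.src and r.inside_port == flow.sport):
            return (r.inside_global, r.global_port)
    for r in rules:                                   # 2. one-to-one statics
        if isinstance(r, StaticNat) and r.inside_local == flow.src:
            return (r.inside_global, flow.sport)
    for r in rules:                                   # 3. dynamic overload (PAT)
        if isinstance(r, DynamicOverload) and acl_permits(r.acl, flow):
            return (r.interface_ip, flow.sport)       # port collisions ignored here
    return None                                       # routed untranslated


DIALER0, DNS_HOST, DNS_PUBLIC = "165.228.87.236", "192.168.1.49", "203.36.222.123"

# Original config: four port-specific statics, overload, and the two deny lines.
ORIGINAL_RULES: List[Rule] = [
    StaticPat("tcp", DNS_HOST, 53, DNS_PUBLIC, 53),
    StaticPat("udp", DNS_HOST, 53, DNS_PUBLIC, 53),
    StaticPat("tcp", DNS_HOST, 80, DNS_PUBLIC, 80),
    StaticPat("tcp", DNS_HOST, 443, DNS_PUBLIC, 443),
    DynamicOverload((AclEntry("deny", "tcp", DNS_HOST + "/32", 53),
                     AclEntry("deny", "udp", DNS_HOST + "/32", 53),
                     AclEntry("permit", "ip", "192.168.1.0/24")), DIALER0),
]
# Suggested config: one 1:1 static for the DNS host, overload for everyone else.
ONE_TO_ONE_RULES: List[Rule] = [
    StaticNat(DNS_HOST, DNS_PUBLIC),
    DynamicOverload((AclEntry("permit", "ip", "192.168.1.0/24"),), DIALER0),
]

# Constructed flows. NOTIFY uses the ephemeral port seen in the debug (58582);
# the placeholder peers 198.51.100.53 / .7 stand in for the secondary and a client.
NOTIFY = Flow("udp", DNS_HOST, 58582, "198.51.100.53", 53)
QUERY_REPLY = Flow("udp", DNS_HOST, 53, "198.51.100.7", 40000)  # answer to a query
OTHER_HOST = Flow("tcp", "192.168.1.88", 60868, "65.55.142.37", 443)


def source_seen_by_peer(flow: Flow, rules: List[Rule]) -> Optional[str]:
    """The source address the far end sees for this flow."""
    t = translate_outbound(flow, rules)
    return None if t is None else t[0]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("one-to-one", ONE_TO_ONE_RULES)):
        print(name, "NOTIFY ->", source_seen_by_peer(NOTIFY, rules),
              "| reply ->", source_seen_by_peer(QUERY_REPLY, rules))
```

Run as-is it prints the original config sending the NOTIFY as 165.228.87.236 but answering queries as 203.36.222.123 (exactly the split Mark saw), and the one-to-one config sending both as 203.36.222.123 while 192.168.1.88 still leaves as the Dialer0 address.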
New Member

Re: NAT Priority Question

Hi John,

I will give this a go tomorrow, it is late here again.

How does the actual route to the next WAN device fit into this?

ip route 0.0.0.0 0.0.0.0 165.228.87.1

You may have mentioned it. I will spend some time tomorrow and have a look.

regards

mark

1557 Views, 38 Helpful, 26 Replies