NAT redirection

Hey guys,

hoping to get a bit of help on a problem that we have had crop up on a Cisco 867 ADSL Router, running version 15.0

One of the guys has a wireless tablet and it sends information to our static public IP address. This is not a problem when the device is outside of the LAN but when he connects internally it does not communicate.

The software transmits on a specific port so we have a mapping from outside in and that works fine but I don't know the best way to go about redirecting the traffic back into the internal server when operating on the LAN.

Any help would be appreciated

Many thanks


Marwan ALshawi
VIP Alumni

Try to do the following

Let's say the public ip is 1.1.1.1 and I am assuming you already applied the com and ip nat outside to the outside interface

Create a dummy loopback interface

Interface loopback 1

Ip address 10.10.10.10 255.255.255.255

Ip nat outside

Create policy-based routing to be applied on the LAN interface, to send the traffic destined to your public IP to the loopback interface once it hits the LAN interface, so it gets translated back to the server IP

Access-list 100 permit ip any host 1.1.1.1

Route-map map1

Match ip address 100

Set interface loopback 1

Interface x/x   --- LAN interface

Policy map map1

Hope this helps

Hi marwanshawi,

Thanks for the quick response.

I have tried to implement the above but the stumbling block I have is in the final section for setting the map of the LAN interface.

The internal interface is in Vlan1 and has the default gateway IP address set. When I go to add the "policy map map 1" command it is not recognised.

The policy command is not valid, any other advice that you could provide?

Many thanks

Try

Interface vlan 1

ip policy route-map map1

I have followed the instructions as above but unfortunately it still isn't working, so I'm obviously missing a trick somewhere.

interface Loopback1

ip address 10.10.10.10 255.255.255.255

ip nat outside

ip virtual-reassembly

interface Vlan1

ip address 192.168.50.254 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map map1

access-list 100 permit ip any host 1.1.1.1 (my public ip)

route-map map permit 1

match ip address 100

set interface Loopback1

Just looking over the original feedback, I have assigned the ip nat outside command to my Dialer0 but I don't know what the com part is. Could this be the problem?

Many thanks again

Can you post your NAT config?

ip nat inside source static tcp 192.168.50.1 25 interface Dialer0 25

ip nat inside source static tcp 192.168.50.1 443 interface Dialer0 443

ip nat inside source list 10 interface Dialer0 overload

ip nat inside source static tcp 192.168.50.1 2001 interface Dialer0 2001

ip nat inside source static udp 192.168.50.1 2001 interface Dialer0 2001

ip route 0.0.0.0 0.0.0.0 Dialer0

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname ***

ppp chap password 0 ***

ppp ipcp dns request

no cdp enable

interface Loopback1

ip address 10.10.10.10 255.255.255.255

ip nat outside

interface Vlan1

ip address 192.168.50.254 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map map1

Hope that is all that you need. Thanks again

Can you try this config after you back up your current config

Access-list 110 deny ip any host 1.1.1.1   (where 1.1.1.1 is the public IP of your server)

Access-list 110 permit ip any any

No ip nat inside source list 10 interface dialer0

Ip nat inside source list 110 interface dialer0 overload

Then do clear ip nat translation *

Hope this helps

I have done the above but still no joy.

Any other useful things or anywhere I may have missed something out?

Many thanks

Hi marwanshawi,

just a thought but is there not a command that I could use that would direct traffic with the public IP address and port across to the internal host?

For example if the communication comes from 192.168.50.0/24 and destined for 1.1.1.1:25 then transfer to 192.168.50.100:25

Thanks

Well it's an option

You can try it by removing the set interface loopback

And make it set next hop 192.168.50.100

Once it works then update ACL 100 to make it more specific to match source destination ip and tcp/udp port

Hi, made the change but as things stand it still isn't working. Here is the current config. Thanks again

interface Vlan1

ip address 192.168.50.254 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map map1

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname ***

ppp chap password 0 ***

ppp ipcp dns request

no cdp enable

ip forward-protocol nd

ip nat inside source static tcp 192.168.50.1 25 interface Dialer0 25

ip nat inside source static tcp 192.168.50.1 443 interface Dialer0 443

ip nat inside source list 110 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

access-list 100 permit ip any host 1.1.1.1

access-list 110 deny   ip any host 1.1.1.1

access-list 110 permit ip any any

route-map map permit 1

match ip address 100

set ip next-hop 192.168.50.100
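
An added example, not part of the thread: a small Python check that looks for route-maps and numbered ACLs that are referenced but not defined (or defined but never applied) in a pasted IOS configuration. The sample is constructed from the last configuration posted above, re-indented the way `show running-config` prints it; the function name `check_references` is hypothetical, and the check only compares names, it does not model NAT or routing.

```python
import re

# Constructed sample: the relevant lines of the last configuration posted in the thread.
CONFIG = """\
interface Vlan1
 ip address 192.168.50.254 255.255.255.0
 ip nat inside
 ip policy route-map map1
interface Dialer0
 ip nat outside
ip nat inside source list 110 interface Dialer0 overload
access-list 100 permit ip any host 1.1.1.1
access-list 110 deny   ip any host 1.1.1.1
access-list 110 permit ip any any
route-map map permit 1
 match ip address 100
 set ip next-hop 192.168.50.100
"""

def check_references(config):
    """Return sorted findings about undefined or unused route-maps and numbered ACLs."""
    defined_maps, used_maps = set(), {}
    defined_acls, used_acls = set(), {}
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line and not raw.startswith(" "):   # an unindented line opens a new context
            context = line
        if m := re.match(r"route-map (\S+) (permit|deny)", line):
            defined_maps.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            defined_acls.add(m.group(1))
        elif m := re.match(r"ip policy route-map (\S+)", line):
            used_maps[m.group(1)] = context
        elif m := re.match(r"(?:match ip address|ip nat inside source list) (\d+)", line):
            used_acls[m.group(1)] = context
    findings = []
    for name, where in used_maps.items():
        if name not in defined_maps:
            findings.append(f"route-map '{name}' applied under '{where}' is not defined")
    for name in defined_maps - set(used_maps):
        findings.append(f"route-map '{name}' is defined but never applied")
    for num, where in used_acls.items():
        if num not in defined_acls:
            findings.append(f"access-list {num} referenced by '{where}' is not defined")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_references(CONFIG)))
```

On the sample it reports that `map1` is applied on Vlan1 while the route-map that exists is named `map`, which means the policy on the LAN interface matches nothing.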
