1801 - PAT + NAT = NAT not working how I thought it should

OK the gist is:

3 vlans:

- VLAN1 Management

- VLAN2 Public IP space (82.71.110.224/28)

- VLAN3 Private IP space (172.16.0.0/24)

The router obtains its external IP via DHCP from the ISP - the address it gets is 82.71.110.238 - this is also the same address as the gateway for VLAN2 (I was informed this is the correct way to configure that part, and that bit is working). VLAN3 is set as the inside NAT interface and the outside NAT interface is set as Dialer0.

The clients in VLAN3 cannot "talk" to VLAN2 and vice versa but the IP helper is working and DHCP is being dished out fine from VLAN2 -> VLAN3.

It's probably something to do with the firewall rules I have in place. I've included my config below, can anyone see where I'm going wrong? And if there is anything that I am seriously missing can you point me in the right direction.

Also what is the significance of the line:

permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023

Without this DNS would not work - even though I have a permit statement for the 2 DNS servers further down in the config.

Thanks in advance

Ste

Reply to
Steven Carr

I don't mean PAT at all - I mean Routed - my brain is shot today....

Reply to
Steven Carr

OK as it turns out it is actually all working (was actually a number of ACLs within BIND preventing recursive lookups from the new private VLAN addresses and misconfiguration in the DHCP scope giving out the wrong gateway address (doh!))

But anyway with regards to my inbound and outbound firewall ACLs, is there anything that is wrong or that I am missing + also the question about that "permit udp" line

Thanks

Ste

Reply to
Steven Carr

For packets from inside, the router should perform routing first then NAT so not sure why packets do not make it to VLAN 2

do a debug ip icmp and ping from a host on VLAN 3 to a host on VLAN 2 and see what output is displayed

also do a traceroute

display translations using sh ip nat translations to see if the traffic between VLANS is being translated

Reply to
Merv

Sorted that, it was a cockup elsewhere with DHCP+DNS config. Can you see any problems with the actual firewall rules I have in place (just from a general security point of view), are there any others you can think of to add, or any that shouldn't be there.

Thanks

Ste

Reply to
Steven Carr

ACLs for security look ok

use enable secret instead of enable password; ditto for username priv password - use username priv secret

no logging console ! disable console logging

Reply to
Merv

Hi Merv,

Really appreciate all of the help you provide on this newsgroup, can you explain what this rule is for and why the 2 rules below it don't seem to work, if I take the "permit udp any range..." rule out DNS stops working completely, but shouldn't the 2 rules for DNS allow it to continue to work. Just from my looking at it that rule says that any host can send udp packets from ports 1-1023 to any port higher than 1023, which to me seems like a hole for lots of traffic to potentially get through.

Thanks

Ste

Reply to
Steven Carr

see Cisco doc "Transit Access Control Lists: Filtering at Your Edge"

!--- Permit legitimate business traffic.
access-list 110 permit tcp any 192.168.201.0 0.0.0.255 established
access-list 110 permit udp any range 1 1023 192.168.201.0 0.0.0.255 gt 1023

!--- Explicitly permit externally sourced traffic.
!--- These are incoming DNS queries.
access-list 110 permit udp any gt 1023 host eq 53

!--- These are zone transfer DNS queries to primary DNS server.
access-list 110 permit tcp host secondary DNS server gt 1023 host primary DNS server eq 53

!--- Permit older DNS zone transfers.
access-list 110 permit tcp host secondary DNS server eq 53 host primary DNS server eq 53

!--- Deny all other DNS traffic.
access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53

Reply to
Merv
