Trying to configure NAT/PAT after reading several articles - WHAT am I missing?

I have read several articles/postings on the use of NAT/PAT, but haven't been able to get it to work. I want to set up static NATs and use PAT to connect to specific services' IP/port number pairs. I need to be able to connect to individual IP/port number pairs and IP/multiple port number pairs, i.e. the same IP running multiple services.

Here are the relevant configuration settings:

interface FastEthernet0/0
 description INTERNET FACING INTERFACE
 ip address 71.125.C.D 255.255.255.0
 ip access-group 151 in
 no ip directed-broadcast
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description INTERNAL INTERFACE VLAN 10
 ip address 192.168.1.5 255.255.255.0
 ip access-group 111 in
 no ip redirects
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80 extendable
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255

Reply to
war_wheelan

Hi,

You need to change two parts of this line:

ip nat inside source list 1 interface FastEthernet0/1 overload

to be as follows:

ip nat inside source list NAT interface FastEthernet0/0 overload

and add the following to int E0/0:

interface FastEthernet0/0
 ip nat outside

Regards,

Martin

Reply to
Martin Kayes

Martin,

I made the changes that you suggested, but I still can't form a socket connection to port 80. I am attempting the connection as the PETER_HOME entry in access-list 151. Also, I can telnet to port 80 from an internal box.

Attached is my router's current configuration.

CT_Router1#s config
Using 2052 out of 29688 bytes, uncompressed size = 3851 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname CT_Router1
!
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local
aaa authentication login AUTHEN_CON local
aaa authentication login AUTHEN_VTY local
enable secret 5 $1$bTzM$WNJgYiKLjclWl4NHuPbKc1
!
username ??? privilege 7 password 7 012726331A3C453B3B151D5940
username ??? password 7 14463C0F5D55
clock timezone EDT -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip domain-name indii.net
ip name-server 151.202.0.84
ip name-server 151.198.0.38
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
 description INTERNET FACING INTERFACE
 ip address 71.125.C.D 255.255.255.0
 ip access-group 151 in
 no ip directed-broadcast
 ip nat outside
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description INTERNAL INTERFACE VLAN 10
 ip address 192.168.1.5 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
interface Ethernet1/0
 description INDSIDE INTERFACE
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ntp disable
 no cdp enable
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 71.125.24.D
no ip http server
ip http authentication local
!
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
access-list 131 permit ip any any
access-list 131 remark * ICMP rules
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo-reply
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 administratively-prohibited
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 packet-too-big
access-list 131 permit icmp any 63.251.25.64 0.0.0.31 traceroute
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 unreachable
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 time-exceeded
access-list 131 deny ip any any log-input
access-list 151 remark * Peter Home
access-list 151 permit ip host 66.114.C.D any
access-list 151 remark * GLOBAL INBOUND RULES
access-list 151 remark * ANTI-SPOOFING RULES
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 remark * ICMP rules
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo-reply
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 administratively-prohibited
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 packet-too-big
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 traceroute
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 unreachable
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 time-exceeded
access-list 151 remark * Desktop Applet Settings
access-list 151 permit tcp any host 71.125.24.85 eq www
access-list 151 permit tcp any host 71.125.24.85 eq 4202
access-list 151 permit tcp any host 71.125.24.85 eq 6501
access-list 151 deny ip any any log-input
no cdp run
!
line con 0
 exec-timeout 60 0
 login authentication AUTHEN_CON
 transport input none
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 30 0
 login authentication AUTHEN_VTY
 transport input telnet
!
no scheduler allocate
end

Reply to
war_wheelan

At first glance it looks okay; however, in your static statement you have the word NAT in lower case rather than upper case. It should be upper case to match the name of the access-list. Try this and let me know:

ip nat inside source list NAT interface FastEthernet0/0 overload

Regards,

Martin

Reply to
Martin Kayes

I capitalized the word NAT on the 'ip nat inside' command, but still no luck. I will try removing access-list 151, but I don't feel that this is going to help.

I will get back to you later.

Reply to
war_wheelan

I also removed all access-list from all interfaces and still couldn't connect.

Does anyone have any ideas?

Reply to
war_wheelan

To do NAT is as simple as setting 'ip nat outside', 'ip nat inside', access-list... and the static statement.

I have never tried using a standard access-list for the NAT rules; I always use extended. Maybe that is the last remaining problem. Try changing it to this instead:

ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any

If that fails to work then go to the conventional access-list format: 'access-list 100 permit.....'

Regards,

Martin

Reply to
Martin Kayes

I tried both forms of the access-list (extended and 'access-list 100 permit') with no luck. I believe that the format of my configuration is correct (ip nat inside, ip nat outside, ip nat inside source list 185 interface FastEthernet0/0 overload, ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80 extendable and ip access-list 185 permit ip 192.168.1.0 0.0.0.255 any), yet it isn't working.

I don't know where to go from here.

Reply to
war_wheelan

Can you give me the name of your IOS image from the show version output please. I will check it for functionality and known bugs.

Regards,

Martin

Reply to
Martin Kayes

The System image file name is "flash:c2600-i-mz.120-3.T3".

I really appreciate your efforts. With my limited experience with Cisco I probably couldn't resolve this on my own.

Reply to
war_wheelan

Martin,

I set up an access-list on interface fastethernet 0/1 (192.168.1.5) allowing port 80 to be forwarded to 192.168.1.200, which is the destination of the static NAT. Each time I telnet to the NATed IP, the number of matches for the access-list increases.

Any thoughts?

Reply to
war_wheelan

Martin,

I enabled NAT debugging and noticed the following. It looks like I try to connect to the proper IP address (71.125.24.85) on port 80, but I receive a response from 71.125.24.66.

Is this the reason why I am unable to connect?

3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53023]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53033]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53043]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6681]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6681]

Reply to
war_wheelan
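The pattern in the debug output above (a TCP SYN to .85 answered by ICMP from .66) is easy to miss in a long debug capture. The following Python is an added example, not code from the thread: it parses the "debug ip nat" lines quoted in the post and flags any TCP client whose ICMP responses come from a host other than the one it connected to. The function names and the regex are my own assumptions about the line format shown above.

```python
import re

# The "debug ip nat" lines quoted in the post above (copied from the thread).
SAMPLE_DEBUG = """\
3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53023]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53033]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
"""

# Assumed line format: <uptime>: NAT: <i|o>: <proto> (<src>, <sport>) -> (<dst>, <dport>) [<id>]
NAT_LINE = re.compile(
    r"^(?P<ts>\S+): NAT: (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\) "
    r"\[(?P<id>\d+)\]$"
)

def parse_nat_debug(text):
    """Turn debug output into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            for key in ("sport", "dport", "id"):
                e[key] = int(e[key])
            events.append(e)
    return events

def find_third_party_icmp(events):
    """Return (client, tcp_destination, icmp_sender) for every TCP client whose
    ICMP responses were sent by a host other than the TCP destination."""
    tcp_peer = {}    # (client ip, client port) -> destination it connected to
    findings = []
    for e in events:
        if e["proto"] == "tcp":
            tcp_peer[(e["src"], e["sport"])] = e["dst"]
        elif e["proto"] == "icmp":
            # In the debug lines the client (ip, port) sits on the right of the
            # arrow and the ICMP sender on the left.
            client = (e["dst"], e["dport"])
            peer = tcp_peer.get(client)
            if peer and e["src"] != peer:
                finding = (client, peer, e["src"])
                if finding not in findings:
                    findings.append(finding)
    return findings

if __name__ == "__main__":
    for client, peer, sender in find_third_party_icmp(parse_nat_debug(SAMPLE_DEBUG)):
        print(f"{client[0]}:{client[1]} connected to {peer} but got ICMP from {sender}")
```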

Possibly, but probably not in this case.

Notice that when you create the connection to 71.125.24.85 port 80, from port 4226, that you get an ICMP back from the other host with respect to that outgoing port 4226. This suggests that the other end is sending either an ICMP Redirect or an ICMP Network Unavailable; ICMP port unavailable is not out of the question but is less unlikely.

71.125.24.66 and 71.125.24.85 are both within the same network block.

When I traceroute to 71.125.24.85 I see it looping at 71.125.24.66 so it seems likely that 71.125.24.66 is a router or firewall.

Ah, I just dug out some older messages from you. Your problem is that you are using the wrong netmask in some of your statements. For example, you have

access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input

but you don't want 0.0.0.28 as your netmask, because it is a bitmask, not a number of IP addresses. Your assigned block goes up to .95 so you want 0.0.0.31 as your mask; if you don't want a couple of hosts accessed, then either deny traffic to them before the permit, or else use netmasks that are based upon powers of 2, such as,

access-list 151 permit ip 71.125.24.66 0.0.0.1 whatever
access-list 151 permit ip 71.125.24.68 0.0.0.3 whatever
access-list 151 permit ip 71.125.24.72 0.0.0.7 whatever
access-list 151 permit ip 71.125.24.80 0.0.0.15 whatever

Reply to
Walter Roberson
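To see concretely why 0.0.0.28 is wrong and 0.0.0.31 is right, here is an added Python example (not from the thread) that applies Cisco wildcard-mask semantics to the entries above and splits an arbitrary range into the power-of-two entries Walter lists. The function names are my own; only the standard library is used.

```python
import ipaddress

def wildcard_matches(addr, base, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care';
    only the bits where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def matched_hosts(base, wildcard, scope):
    """List the addresses inside 'scope' that the ACL entry 'base wildcard' really matches."""
    return [str(h) for h in ipaddress.IPv4Network(scope)
            if wildcard_matches(str(h), base, wildcard)]

def range_to_acl_entries(first, last):
    """Split an arbitrary address range into the power-of-two aligned
    (base, wildcard) pairs that a Cisco ACL can express exactly."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]

if __name__ == "__main__":
    # The thread's entry "71.125.24.66 0.0.0.28", checked against the provider's /27 (.64-.95):
    # it matches only every fourth address, and never the NAT address .85.
    print(matched_hosts("71.125.24.66", "0.0.0.28", "71.125.24.64/27"))
    # "71.125.24.64 0.0.0.31" covers the whole /27, .85 included.
    print(wildcard_matches("71.125.24.85", "71.125.24.64", "0.0.0.31"))
    # The four entries Walter gives for .66 through .95.
    print(range_to_acl_entries("71.125.24.66", "71.125.24.95"))
```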

I corrected the routing and netmask problem with my access-list, but I still can't connect to IP address 71.125.24.85 on port 80. I have three access-lists configured on the router, one for each of the interfaces: fa0/0 151 Internet facing, fa0/1 192 internal, and NAT 101. When I attempt to connect to port 80 on .85 it matches an entry in access-list 151, but it doesn't connect.

Previously I said that a connection attempt to port 80 on .85 matched an entry on ACL 192, but I am not able to recreate this behavior.

HERE ARE MY CURRENT INTERFACES AND ACLs FOR REFERENCE

CT_Router1#s config
!
version 12.0
!
interface FastEthernet0/0
 description INTERNET FACING INTERFACE
 ip address 71.125.24.66 255.255.255.0
 ip access-group 151 in
 no ip directed-broadcast
 ip nat outside
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description INTERNAL INTERFACE VLAN 10
 ip address 192.168.1.5 255.255.255.0
 ip access-group 192 in
 no ip redirects
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80 extendable
ip route 0.0.0.0 0.0.0.0 71.125.24.6
!
access-list 101 remark ** DEFINES THE PRIVATE NETWORK FOR NATing **
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any
access-list 151 remark ***** FastEthernet 0/0 INBOUND Access-List *****
access-list 151 remark ** PETER HOME **
access-list 151 permit ip host 66.114.71.62 any
access-list 151 remark ** GLOBAL INBOUND RULES **
access-list 151 remark ** ANTI-SPOOFING RULES **
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 remark ** ICMP RULES **
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo-reply
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 administratively-prohibited
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 packet-too-big
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 traceroute
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 unreachable
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 time-exceeded
access-list 151 remark ** DESKTOP APPLET SETTINGS **
access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq www
access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq 4202
access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq 6501
access-list 151 remark ** NETWORK TIME PROTOCOL (NTP) SETTINGS **
access-list 151 permit udp host 204.34.198.40 eq ntp host 71.125.24.66 eq ntp
access-list 151 permit udp host 204.34.198.41 eq ntp host 71.125.24.66 eq ntp
access-list 151 deny ip any any log-input
access-list 192 remark ***** FastEthernet 0/1 OUTBOUND Access-List *****
access-list 192 permit tcp host 192.168.1.200 any eq www
access-list 192 permit tcp 192.168.1.0 0.0.0.255 any

Reply to
war_wheelan

Not on that line. But that's just anti-spoofing.

You aren't permitting any icmp there, so ping packets would not be allowed out.

Reply to
Walter Roberson

Three points -

One - I documented the current behavior when attempting to connect to port 80 on NATed IP .85. I pointed out where the hits were on the ACLs so that we might be able to figure out why I haven't been able to connect to port 80 on NATed IP .85.

Two - When you wrote "Not on that line. But that's just anti-spoofing", I didn't make any changes that I know of to anti-spoofing??

Three - The ICMP reference - are you talking about ACL 192?? If so, would that affect my primary objective of forming a connection on port 80 on NATed IP .85, or would it prevent pinging the internal subnet? When I ping .85 from the Internet, I do receive ICMP replies, but I do acknowledge that I can't ping the router from the internal network or the internal network from the router. I will modify the ACL so that I do receive replies.

Reply to
war_wheelan

Sorry for the quiet patch from myself. I have been away for a few days.

I did a bug lookup on your IOS version and it does have some NAT related problems, including: 'NAT fails if CEF is enabled on the router'. Try disabling CEF if you don't need it.

Looking at the number of NAT bugs known in IP IOS image 120-3.T3, I would give serious thought to upgrading to a newer image.

Regards,

Martin

Reply to
Martin Kayes

I checked the router and I don't believe that cef is enabled. When in 'config t' mode, I typed 'no cef' and it didn't exist.

Also I will upgrade the IOS image in a day or so. I will let you know what happens.

Thanks, Peter

Reply to
war_wheelan

When you have an access list applied to an outside interface, and that access list blocks [outside] packets whose -source- IP is one of your internal addresses, then that is "anti-spoofing". You fixed the netmask on all of your anti-spoofing lines except the one I pointed out.

Reply to
Walter Roberson

Walter,

I didn't know what you were talking about until I realized that I couldn't ping the router interfaces from the router. I modified the external ACL and now I can ping. This modification also helped the NAT stuff get further, but it is still not working.

The reason that I didn't understand your comments was because I was focusing on the ACLs for the internal interface and not the external. I guess that I got myself confused.

As for the NAT problem, I have enabled debugging on the ACL and will also install a sniffer on the server. With ACL debugging turned on I have made some progress, or at least understand the problem better.

Currently, I am trying to upgrade the IOS image to a newer revision. I have TFTP working, but when I download the image its size is 64K while the original is 3MB.

More to come.

Reply to
war_wheelan
