Trying to configure NAT/PAT after reading several articles - WHAT am I missing?

I DON'T KNOW IF ANYONE IS STILL LISTENING, BUT HERE GOES.

The image upgrade failed because of an exception when loading so I reverted back to the original image file.

Now I am trying to figure out why I haven't been able to connect to port 80 on my NATed IP. I modified the external ACL to allow 'any any' from my source IP. I also modified the internal ACL to allow 'ip and icmp any any' bi-directionally. Lastly, I enabled debugging of packets from all interfaces and tried to connect to port 80 on the NATed IP.

Here is the console output for the connection attempt:

02:54:43: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:54:43: TCP src=1823, dst=80, seq=2202593515, ack=0, win=65535 SYN
02:54:46: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:54:46: TCP src=1823, dst=80, seq=2202593515, ack=0, win=65535 SYN
02:54:52: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:54:52: TCP src=1823, dst=80, seq=2202593515, ack=0, win=65535 SYN

It looks like I am sending SYN packets, but not receiving ACK packets. Does anyone have any ideas why?

Reply to
war_wheelan

All,

The IOS upgrade was successful. It took me a while because I had to troubleshoot some hardware-related errors. The system is now running 'boot system flash:c2600-ik9s-mz.122-31'.

Back tracking - I've configured a static NAT between 192.168.1.200 and 71.125.24.85. I enabled debugging on the ACL and NAT. I then attempted to telnet to the NATed IP and received the following console output:

02:02:01: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31798]
02:02:01: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31798]
02:02:01: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
02:02:01: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:01: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:02:04: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31825]
02:02:04: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31825]
02:02:04: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
02:02:04: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:04: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:02:10: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31865]
02:02:10: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31865]
02:02:10: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
02:02:10: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:10: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN

I did some research and it talks about a possible routing loop. My internal ACL permits ip and icmp any any while my external ACL only permits my home IP.

DOES ANYONE HAVE ANY SUGGESTIONS?

Reply to
war_wheelan
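The NAT debug above shows the translation and the forward both succeeding three times, so a useful first check is to pair the IP and TCP debug lines per flow and confirm whether any packet ever came back the other way. This is an added example, not code from the thread; the sample lines are constructed in the shape of the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the "debug ip nat" / "debug ip packet" output above.
SAMPLE_DEBUG = """\
02:02:01: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31798]
02:02:01: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31798]
02:02:01: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
02:02:01: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:01: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:02:04: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:04: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:02:10: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:10: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
"""

IP_RE = re.compile(r"^(\S+): IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\)")
TCP_RE = re.compile(r"^\S+: TCP src=(\d+), dst=(\d+), seq=(\d+), ack=\d+, win=\d+ (.*)$")

def parse_flows(text):
    """Pair each forwarded 'IP:' line with the 'TCP' line that follows it,
    bucketed by (src, sport, dst, dport). NAT and 'routed via RIB' lines are skipped."""
    flows = defaultdict(list)
    pending = None
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            pending = m.groups()  # ts, src, in_if, dst, out_if
            continue
        m = TCP_RE.match(line)
        if m and pending:
            ts, src, in_if, dst, out_if = pending
            sport, dport, seq, flags = m.groups()
            flows[(src, int(sport), dst, int(dport))].append(
                {"ts": ts, "seq": int(seq), "flags": flags.split(), "in": in_if, "out": out_if})
            pending = None
    return flows

def unanswered_syns(flows):
    """Flag flows that retransmit the same SYN and never see a packet in the reverse
    direction: the router forwarded the SYN, so look beyond it (host gateway, return-path ACL)."""
    bad = []
    for (src, sport, dst, dport), pkts in flows.items():
        syns = [p for p in pkts if "SYN" in p["flags"] and "ACK" not in p["flags"]]
        if len(syns) >= 2 and len({p["seq"] for p in syns}) == 1 \
                and (dst, dport, src, sport) not in flows:
            bad.append({"client": src, "server": dst, "port": dport, "retries": len(syns),
                        "path": f"{syns[0]['in']} -> {syns[0]['out']}"})
    return bad
```

Feed it the output of `terminal monitor` captured to a file; a flow that shows up here with a healthy NAT translation line is a return-path problem, not a NAT problem.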

Are you still running "ip access-group 192 in" on "interface FastEthernet0/1"? It may be worth removing the access-group statement from the interface as it is pretty redundant anyway.

The output of your debug implies one of two things: an incorrect gateway on 192.168.1.200 or an ACL blocking its response.

Regards,

Martin

Reply to
Martin Kayes

Martin,

Good to see that you are still listening. Thanks.

Moving along, it seems that I was confused about the type of NATing that I needed to implement. I need to set up a group of static NATs so that we can connect to different services running on the same server, i.e., 71.125.24.85 running ports 80, 4202 and 6501. I don't need PAT.

Also I removed ACL 192 from the internal interface and everything is working as expected. As for your assumptions, the server(s) are connected to two networks and the default route is 192.168.2.1, not 192.168.1.5 (the router's fa 0/1 internal interface). We have a persistent route via 1.5 for network 71.125.24.0 and I verified that it works with tracert. ACL BLOCKING ITS RESPONSE - I removed all of the 'ip access-group' entries from the interface(s) and still couldn't connect to the NATed IP, but could telnet to the router from anywhere.

Now I have a few questions/comments.

I can telnet from the router to the IP address referenced by the NAT, 192.168.1.200:80. I can ping the router's external interface from the Internet, but not the NATed IP .85. I can ping the router's NATed IP and the external interface from the internal network.

Lastly, I have attached a subset of my current startup-config file for your review.

version 12.2
boot system flash:c2600-ik9s-mz.122-31

interface FastEthernet0/0
 description FISO BUSINESS OUTSIDE
 ip address 71.125.24.66 255.255.255.0
 ip access-group 151 in
 ip nat outside

interface FastEthernet0/1
 description FISO BUSINESS INSIDE
 ip address 192.168.1.5 255.255.255.0
 ip access-group 193 out
 ip nat inside

ip nat inside source static 192.168.1.200 71.125.24.85
ip route 0.0.0.0 0.0.0.0 71.125.24.1

access-list 151 remark ***** FE 0/0 FIOS BUSINESS EXTERNAL INBOUND CONNECTION *****
access-list 151 permit ip host 66.114.71.62 any
access-list 151 remark ** Anti-Spoofing Rules **
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 remark ** ICMP Rules **
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo-reply
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 administratively-prohibited
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 packet-too-big
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 traceroute
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 unreachable
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 time-exceeded
access-list 151 remark ** Desktop Applet Settings **
access-list 151 permit tcp any host 71.125.24.85 eq 80
access-list 151 permit tcp any host 71.125.24.85 eq 4202
access-list 151 permit tcp any host 71.125.24.85 eq 6501
access-list 151 deny ip any any log-input
access-list 193 remark ** FIOS BUSINESS OUTBOUND FROM SERVERS **
access-list 193 permit icmp any any
access-list 193 permit ip any any

Reply to
war_wheelan
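The routing table described in the post above (default route via 192.168.2.1 on the HOME side, persistent route for 71.125.24.0 via 192.168.1.5) explains both observations: tracert to 71.125.24.x works, yet replies to an Internet client never go back through the NAT router. The following small model is an added example, not code from the thread; the production prefix reached over HOME is not stated in the thread and is assumed here.

```python
import ipaddress

# Constructed model of the server's routing table as the thread describes it:
# default route out the HOME network, persistent route for 71.125.24.0/24 via
# the BUSINESS router's inside interface (fa 0/1).
NAT_ROUTER_INSIDE = "192.168.1.5"
SERVER_ROUTES_BEFORE = [("0.0.0.0/0", "192.168.2.1"), ("71.125.24.0/24", NAT_ROUTER_INSIDE)]
# Assumption: the production prefix reached over HOME is not given in the thread.
PRODUCTION_NET = "10.0.0.0/8"
# The arrangement the poster ends up with: default via the BUSINESS (NAT) router,
# persistent route for the production network via HOME.
SERVER_ROUTES_AFTER = [("0.0.0.0/0", NAT_ROUTER_INSIDE), (PRODUCTION_NET, "192.168.2.1")]

def next_hop(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_returns_via_nat(routes, client_ip, nat_inside=NAT_ROUTER_INSIDE):
    """A translated inbound connection only completes if the server's SYN-ACK to
    client_ip is routed back through the NAT router. If it leaves by another
    gateway it carries the untranslated private source address and never reaches
    the client, which keeps retransmitting its SYN (the debug output seen earlier)."""
    return next_hop(routes, client_ip) == nat_inside

def check_paths(routes, targets):
    """Per destination: which gateway the server would use, and whether a translated
    inbound session from that destination would complete."""
    return {t: (next_hop(routes, t), reply_returns_via_nat(routes, t)) for t in targets}
```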

Martin,

I was thinking about your assumption that I had a routing problem and realized that I could reconfigure the server for testing.

In order to test I reconfigured one of my servers' default route to point to the FIOS Business network (192.168.1.5) and added an 'ip nat source static 192.168.1.125 71.125.24.86' to the router. I then tried to telnet to the NATed IP .86 and I was able to connect.

I will test more tomorrow, but if tests go well I will have to figure out how to set the server's routes such that it uses Internet connection HOME for outbound traffic and Internet connection BUSINESS for inbound traffic. The HOME connection's outbound speed is greater than the BUSINESS connection's. The reverse is true for the inbound traffic.

I will let you know how things pan out.

Reply to
war_wheelan

Excellent, sounds like a solution may be on the horizon. Let me know how it pans out.

You may need to use policy-based routing to achieve what you want, i.e. if the traffic is from a certain subnet or IP then set the next hop as the router IP that you want to send it via.

Regards,

Martin

Reply to
Martin Kayes

Again I misunderstood my business objective. The HOME network will be used to talk to our production environment and the BUSINESS network will be used to talk to our clients.

Once I fully understood my objectives, I switched the default route to the BUSINESS NATed network and added a persistent route to the HOME network.

IT APPEARS THAT THINGS ARE WORKING PROPERLY NOW.

In summary I experienced ROUTING and ACL problems and didn't fully understand the objective(s).

Thanks to all especially Martin.

Reply to
war_wheelan
