Weird NAT/Routing Issue.

I'm hoping that someone on here will be able to tell me that I'm specifically doing something wrong with my configurations, or assist me in seeing the light. Alternately, any assistance in helping me determine a direction to go with troubleshooting would also be appreciated.

We have several different clients where we have installed Cisco routers utilizing NAT to connect their network to their ISP. In most of the cases we are receiving public IPs in two different subnets from the provider: one IP address configured in a /30 as the router interface IP, and an additional routed subnet of public IPs assigned for use on our network. Most of the routers that we have in place are working just fine with the configuration that I have on them; however, in one specific instance we are having a weird issue. The relevant portion of the configuration looks similar to the following.

! LAN-facing interface (NAT inside)
interface FastEthernet0
 ip address 192.168.3.2 255.255.255.0
 ip nat inside
 no ip redirects
 no ip mask-reply
 no ip proxy-arp
 no shutdown
 exit

! ISP-facing interface (NAT outside)
interface Ethernet0
 ip address x.x.210.21 255.255.254.0
 ip nat outside
 arp timeout 3600
 no cdp enable
 no ip redirects
 no ip mask-reply
 no ip proxy-arp
 no shutdown
 exit

! Overload (PAT) pool for general outbound traffic from 192.168.3.0/24
ip nat pool ISPNATPool x.x.212.50 x.x.212.50 prefix-length 29
ip nat inside source list 1 pool ISPNATPool overload
! One-to-one static translations
ip nat inside source static 192.168.3.9 x.x.212.51
ip nat inside source static 192.168.2.14 x.x.212.53
ip nat inside source static tcp 192.168.3.226 x.x.212.49
! Port-level static translations sharing x.x.212.52
ip nat inside source static tcp 192.168.3.36 5671 x.x.212.52 5671 extendable
ip nat inside source static udp 192.168.3.36 5672 x.x.212.52 5672 extendable
ip nat inside source static tcp 192.168.3.37 5681 x.x.212.52 5681 extendable
ip nat inside source static udp 192.168.3.37 5682 x.x.212.52 5682 extendable
ip nat inside source static tcp 192.168.3.38 5691 x.x.212.52 5691 extendable
ip nat inside source static udp 192.168.3.38 5692 x.x.212.52 5692 extendable
ip nat inside source static tcp 192.168.3.39 5711 x.x.212.52 5711 extendable
ip nat inside source static udp 192.168.3.39 5712 x.x.212.52 5712 extendable
! Inside hosts eligible for the overload pool
access-list 1 permit 192.168.3.0 0.0.0.255

The problem that we experience is that we will not be able to connect to the static NAT'd hosts unless they have first established some type of connection outbound. For example, 192.168.3.226 is a Windows 2000 machine running Terminal Services for remote administration. If I attempt to connect to that machine from the internet using Terminal Services right now, my connection will fail. However, if I have someone go to the server from the LAN and simply ping one IP address on the internet so that there is outbound traffic from the machine, then I can connect to it from the internet just fine for some amount of time. Then, after no connection is made, it's like it times out and I won't be able to connect again without generating outbound traffic.

The internet connection is established through a WISP, where their wireless radios all do bridging rather than routing, and they have a Linux box in place as a router on their end of the wireless link that supposedly has a route in place to route the x.x.212.48/29 subnet to our main router interface IP of x.x.210.21. I at first suspected some type of ARP timeout on their network. However, I worked with their technician yesterday, and during the period of time where I was able to connect to the machine he was looking through all the ARP tables in their relevant equipment and never found any entries for the x.x.212.39 address that the machine is NAT'd to. Similar things happen on the x.x.212.52 address that is NAT'd to several different machines on specific ports.

Any clues?

Thanks

Jonathan


Try using "ip nat outside source static" instead. Here is a good summary:

When the packet travels from outside to inside, translation occurs first, and then the routing table is checked for the destination. When the packet travels from inside to outside, the routing table is checked for the destination first, and then translation occurs. Refer to NAT Order of Operation for further information.

It is important to note which part of the IP packet gets translated when using each of the commands this document discusses. This table contains a guideline:

ip nat outside source static

  • Translates the source of the IP packets that travel outside to inside.
  • Translates the destination of the IP packets that travel inside to outside.

ip nat inside source static

  • Translates the source of IP packets that travel inside to outside.
  • Translates the destination of the IP packets that travel outside to inside.

These guidelines indicate that there is more than one way to translate a packet. Based on your specific needs, you should determine how to define the NAT interfaces (inside or outside) and what routes the routing table should contain before or after translation. Keep in mind that the portion of the packet that is translated depends upon the direction the packet travels, and how you configure NAT.

Doan

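As an added illustration of the order of operations quoted above (example code, not from the thread or from Cisco), here is a small Python model of how the original post's `ip nat inside source` entries are applied in each direction. The public addresses are constructed stand-ins: the post's x.x.210.0/23 link becomes 203.0.112.0/23 and the routed x.x.212.48/29 block becomes 203.0.114.48/29; ports are ignored.

```python
"""Toy model of the IOS NAT order of operations for 'ip nat inside source'.

Constructed addresses: 203.0.112.0/23 stands in for the post's x.x.210.0/23
ISP link and 203.0.114.48/29 for its routed x.x.212.48/29 NAT block.
"""
from ipaddress import ip_address, ip_network

# ip nat inside source static <inside-local> <inside-global> (ports ignored)
INSIDE_STATIC = {"192.168.3.226": "203.0.114.49", "192.168.3.9": "203.0.114.51"}
INSIDE_GLOBAL = {g: l for l, g in INSIDE_STATIC.items()}
# ip nat inside source list 1 pool ISPNATPool overload
ACL1 = ip_network("192.168.3.0/24")
POOL_ADDR = "203.0.114.50"
# Routing table: prefix -> egress interface; default route points at the ISP
ROUTES = [(ip_network("192.168.3.0/24"), "FastEthernet0"),
          (ip_network("203.0.112.0/23"), "Ethernet0"),
          (ip_network("0.0.0.0/0"), "Ethernet0")]


def route_lookup(dst):
    """Longest-prefix match; returns the egress interface name."""
    matches = [(net, iface) for net, iface in ROUTES if ip_address(dst) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(pkt, ingress):
    """Return (translated packet, egress interface) for a {'src','dst'} packet.

    outside -> inside: translate the destination first, then route the result.
    inside -> outside: route first, then translate the source.
    """
    pkt = dict(pkt)
    if ingress == "Ethernet0":
        # Inbound to an inside-global address: translate dst, then route.
        pkt["dst"] = INSIDE_GLOBAL.get(pkt["dst"], pkt["dst"])
        return pkt, route_lookup(pkt["dst"])
    egress = route_lookup(pkt["dst"])
    if egress == "Ethernet0":
        # Leaving via the NAT outside interface: static entry wins, else PAT pool.
        if pkt["src"] in INSIDE_STATIC:
            pkt["src"] = INSIDE_STATIC[pkt["src"]]
        elif ip_address(pkt["src"]) in ACL1:
            pkt["src"] = POOL_ADDR
    return pkt, egress


if __name__ == "__main__":
    print(forward({"src": "198.51.100.7", "dst": "203.0.114.49"}, "Ethernet0"))
    print(forward({"src": "192.168.3.226", "dst": "198.51.100.7"}, "FastEthernet0"))
```

Note that the inbound case never consults a route for 203.0.114.48/29 on this router: the destination is already the inside-local address by the time the routing table is checked, which is why only the ISP side needs the route for the /29.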

Based on your summary, however, ip nat inside source static is exactly what I want in this case.

I don't want to translate the source of packets from outside to inside, or the destination from inside to outside. I want to translate the destination of packets from outside to inside. Thus, from your summary, ip nat inside source static is exactly what I'm looking for, and it does indeed work correctly in 99% of our installs.

Jonathan Haase
