
Dialer Interface and NAT

mangia asked (Last Modified: 2012-06-21):
Here's what I got (some stuff removed and x.x.x.x = my external IP).  All my outbound traffic is working; however, requests from the Internet are failing.  So no web, email and such.  Using a "sh ip nat tran" command I can see the incoming requests being nat'ed to the internal host, but it ain't connecting.  What have I missed?  Does the request-dialin have anything to do with this?

Any help would be appreciated.

!
vpdn enable
no vpdn logging
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!
interface Ethernet0 (WAN)
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1 (LAN)
 mac-address aaaa.aaaa.aaaa
 ip address 10.46.176.1 255.255.255.0
 ip nat inside
 no cdp enable
!
interface Serial0
 no ip address
 shutdown
 no cdp enable
!
interface Dialer1
 ip address x.x.x.x 255.255.255.0
 ip access-group 103 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxx password 7 0876484A1D13044005
!
ip default-gateway x.x.x.x
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.46.176.4 110 x.x.x.x 110 extendable
ip nat inside destination static tcp x.x.x.x 80 10.46.176.4 80 extendable
ip nat inside destination static tcp 10.46.176.4 80 x.x.x.x 80 extendable
ip nat inside destination static tcp x.x.x.x 21 10.46.176.4 21 extendable
ip nat inside destination static tcp 10.46.176.4 21 x.x.x.x 21 extendable
ip nat inside destination static tcp 10.46.176.4 20 x.x.x.x 20 extendable
ip nat inside destination static tcp x.x.x.x 20 10.46.176.4 20 extendable
ip nat inside destination static tcp x.x.x.x 25 10.46.176.4 25 extendable
ip nat inside destination static tcp 10.46.176.4 25 x.x.x.x 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
!
logging trap errors
logging 10.46.176.3
access-list 1 permit 10.46.176.0 0.0.0.255
access-list 2 deny   any
access-list 101 permit ip 10.46.176.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit tcp any any established
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq 119 any
access-list 103 permit tcp any any eq telnet log
access-list 103 permit tcp any eq nntp any
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq smtp log
access-list 103 permit tcp any any eq pop3 log
access-list 103 permit icmp any any
access-list 103 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run

<some stuff removed>

end

Thanks
--m


Commented:
Hmmm - I have never seen this version of the command:

ip nat inside destination static

Although I have seen this:

ip nat inside destination list

I just went on one of my routers and don't even have the ability to put in a static destination.  Either way, generally when you are configuring a destination nat, you are configuring a load distribution or balancing scenario.  I would think that your commands would read like this:

ip nat inside source static tcp 10.46.176.4 80 x.x.x.x 80 extendable

This is how your first static nat looks, but it changes to the other form.  Is there a reason for it being that way?

Author

Commented:
scraig,

This is an undocumented nat command which worked before I had to switch to using PPPoE.  With the 1605 I have, and the IOS that supports PPPoE, you must use a dialer interface and disable IP on the ethernet.  So that's what I got.

--thanks

Commented:
So what happens if you switch it to the documented way of doing it?  I also noticed that for each port, you have the command in twice - once having the inside IP as the source, and the other the destination.  This is a bit strange as well.  Even with the dialer interface, I would think that if you were to do this in a traditional way of using inside source static commands, it would have a shot at working.

Author

Commented:
I will give it a shot.  When I first set up this router, I was having issues with the standard nat statements not working right.  So a buddy of mine, that happens to be going to an IE lab next month, helped me with the nat statements.  Since it originally worked, I never really questioned what he did, even though I didn't understand why he set up the translations going both ways.  Maybe time to get back to basics.

Les Moore, Sr. Systems Engineer

Commented:
If you have to dial out to send traffic using Dialer interface and pap authentication to connect, how does traffic originating on the Internet open that connection to access your web servers?

I agree that you should go with the documented commands and use nat inside source commands. It can't hurt...

Author

Commented:
lrmoore,

Your question about incoming traffic was one that I had too.  It seems since my ISP gave me a static IP, they never close the connection.  My stuff seems like it's always up. Since I redid the config to "nat inside source" it's all good.  I will award the points to scraig.

Thanks!

Author

Commented:
The third for scraig.

thanks
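
An added example, not part of the original thread and not any participant's code: this Python sketch collapses the two-way `ip nat inside destination static` pairs from the question into the documented `ip nat inside source static` form suggested in the comments, then compares the forwarded ports with what access-list 103 permits inbound. The sample lines are copied from the question with the `x.x.x.x.x` typos normalized; the function names are hypothetical.

```python
import re

# Constructed sample: NAT and ACL 103 lines as posted in the question.
CONFIG = """\
ip nat inside source static tcp 10.46.176.4 110 x.x.x.x 110 extendable
ip nat inside destination static tcp x.x.x.x 80 10.46.176.4 80 extendable
ip nat inside destination static tcp 10.46.176.4 80 x.x.x.x 80 extendable
ip nat inside destination static tcp x.x.x.x 21 10.46.176.4 21 extendable
ip nat inside destination static tcp 10.46.176.4 21 x.x.x.x 21 extendable
ip nat inside destination static tcp 10.46.176.4 20 x.x.x.x 20 extendable
ip nat inside destination static tcp x.x.x.x 20 10.46.176.4 20 extendable
ip nat inside destination static tcp x.x.x.x 25 10.46.176.4 25 extendable
ip nat inside destination static tcp 10.46.176.4 25 x.x.x.x 25 extendable
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit tcp any any eq telnet log
access-list 103 permit tcp any eq nntp any
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq smtp log
access-list 103 permit tcp any any eq pop3 log
"""

INSIDE_PREFIX = "10.46.176."  # LAN subnet on Ethernet1 in the question
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}
NAT_RE = re.compile(r"^ip nat inside (?:source|destination) static tcp "
                    r"(\S+) (\d+) (\S+) (\d+)", re.M)
# Only rules that match on destination port; "any eq nntp any" is a source-port match.
ACL_RE = re.compile(r"^access-list 103 permit tcp any any eq (\S+)", re.M)

def forwards(config):
    """Map outside port -> (inside ip, inside port), whichever order the pairs were written in."""
    out = {}
    for a_ip, a_port, b_ip, b_port in NAT_RE.findall(config):
        if a_ip.startswith(INSIDE_PREFIX):   # inside pair written first
            out[int(b_port)] = (a_ip, int(a_port))
        else:                                # outside pair written first
            out[int(a_port)] = (b_ip, int(b_port))
    return out

def documented(config, outside="x.x.x.x"):
    """One 'inside source static' line per forwarded port, duplicates collapsed."""
    return [f"ip nat inside source static tcp {ip} {p} {outside} {op} extendable"
            for op, (ip, p) in sorted(forwards(config).items())]

def audit(config):
    """Compare forwarded ports with inbound TCP ports permitted by ACL 103."""
    fwd = set(forwards(config))
    acl = {PORT_NAMES.get(t) or int(t) for t in ACL_RE.findall(config)}
    return {"permitted_without_forward": sorted(acl - fwd),
            "forward_without_permit": sorted(fwd - acl)}
```

On the posted lines, `audit(CONFIG)` reports TCP 23 as permitted inbound with no static translation behind it, so that permit only matters for traffic addressed to the router itself.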