mangia

Dialer Interface and NAT

Here's what I got (some stuff removed and x.x.x.x = my external IP). All my outbound traffic is working, however requests from the Internet are failing. So no web, email and such. Using a "sh ip nat tran" command I can see the incoming requests being nat'ed to the internal host, but it ain't connecting. What have I missed? Does the request-dialin have anything to do with this?

Any help would be appreciated.

!
vpdn enable
no vpdn logging
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!
interface Ethernet0 (WAN)
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1 (LAN)
 mac-address aaaa.aaaa.aaaa
 ip address 10.46.176.1 255.255.255.0
 ip nat inside
 no cdp enable
!
interface Serial0
 no ip address
 shutdown
 no cdp enable
!
interface Dialer1
 ip address x.x.x.x 255.255.255.0
 ip access-group 103 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxx password 7 0876484A1D13044005
!
ip default-gateway x.x.x.x
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.46.176.4 110 x.x.x.x 110 extendable
ip nat inside destination static tcp x.x.x.x.x 80 10.46.176.4 80 extendable
ip nat inside destination static tcp 10.46.176.4 80 x.x.x.x 80 extendable
ip nat inside destination static tcp x.x.x.x 21 10.46.176.4 21 extendable
ip nat inside destination static tcp 10.46.176.4 21 x.x.x.x 21 extendable
ip nat inside destination static tcp 10.46.176.4 20 x.x.x.x.x 20 extendable
ip nat inside destination static tcp x.x.x.x 20 10.46.176.4 20 extendable
ip nat inside destination static tcp x.x.x.x 25 10.46.176.4 25 extendable
ip nat inside destination static tcp 10.46.176.4 25 x.x.x.x 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
!
logging trap errors
logging 10.46.176.3
access-list 1 permit 10.46.176.0 0.0.0.255
access-list 2 deny   any
access-list 101 permit ip 10.46.176.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit tcp any any established
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq 119 any
access-list 103 permit tcp any any eq telnet log
access-list 103 permit tcp any eq nntp any
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq smtp log
access-list 103 permit tcp any any eq pop3 log
access-list 103 permit icmp any any
access-list 103 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run

<some stuff removed>

end

Thanks
--m

scraig84

Hmmm - I have never seen this version of the command:

ip nat inside destination static

Although I have seen this:

ip nat inside destination list

I just went on one of my routers and don't even have the ability to put in a static destination.  Either way, generally when you are configuring a destination nat, you are configuring a load distribution or balancing scenario.  I would think that your commands would read like this:

ip nat inside source static tcp 10.46.176.4 80 x.x.x.x 80 extendable

This is how your first static nat looks, but it changes to the other form.  Is there a reason for it being that way?

mangia

ASKER

scraig,

This is an undocumented nat command which worked before I had to switch to using PPPoE. With the 1605 I have, and the IOS that supports PPPoE, you must use a dialer interface and disable IP on the Ethernet. So that's what I got.

--thanks
ASKER CERTIFIED SOLUTION
scraig84

This solution is only available to members.

mangia

ASKER

I will give it a shot.  When I first set up this router, I was having issues with the standard nat statements not working right.  So a buddy of mine, that happens to be going to an IE lab next month, helped me with the nat statements.  Since it originally worked, I never really questioned what he did, even though I didn't understand why he set up the translations going both ways.  Maybe time to get back to basics.

Les Moore

If you have to dial out to send traffic using Dialer interface and pap authentication to connect, how does traffic originating on the Internet open that connection to access your web servers?

I agree that you should go with the documented commands and use nat inside source commands. It can't hurt...

mangia

ASKER

lrmoore,

Your question about incoming traffic was one that I had too. It seems since my ISP gave me a static IP, they never close the connection. My stuff seems like it's always up. Since I redid the config to "nat inside source" it's all good. I will award the points to scraig.

Thanks!

mangia

ASKER

The third for scraig.

thanks
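
Added example, not part of the original thread: a Python check that finds the undocumented `ip nat inside destination static` lines discussed above, emits one documented `ip nat inside source static` line per unique forward, and lists forwards whose outside port the inbound ACL does not permit. The sample config is constructed (203.0.113.10 stands in for x.x.x.x, and the smtp permit is left out on purpose); the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample modelled on the posted config; 203.0.113.10 stands in for x.x.x.x.
SAMPLE = """\
ip nat inside source static tcp 10.46.176.4 110 203.0.113.10 110 extendable
ip nat inside destination static tcp 203.0.113.10 80 10.46.176.4 80 extendable
ip nat inside destination static tcp 10.46.176.4 80 203.0.113.10 80 extendable
ip nat inside destination static tcp 203.0.113.10 25 10.46.176.4 25 extendable
access-list 103 permit tcp any any established
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq pop3 log
access-list 103 deny   ip any any log
"""
INSIDE_NET = ipaddress.ip_network("10.46.176.0/24")  # LAN subnet from the post
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}
NAT_RE = re.compile(r"^ *ip nat inside (source|destination) static (tcp|udp) "
                    r"(\S+) (\d+) (\S+) (\d+)", re.M)
ACL_RE = re.compile(r"^ *access-list (\d+) permit (tcp|udp) any any eq (\S+)", re.M)

def static_forwards(config):
    """Map (proto, inside_ip, inside_port, outside_ip, outside_port) -> forms seen."""
    found = {}
    for form, proto, a1, p1, a2, p2 in NAT_RE.findall(config):
        # The posted config lists each pair in both orders; put the inside host first.
        pairs = [(a1, int(p1)), (a2, int(p2))]
        pairs.sort(key=lambda p: ipaddress.ip_address(p[0]) not in INSIDE_NET)
        found.setdefault((proto, *pairs[0], *pairs[1]), set()).add(form)
    return found

def documented_form(forwards):
    """One documented 'inside source static' line per unique forward."""
    return ["ip nat inside source static %s %s %d %s %d extendable" % k
            for k in sorted(forwards)]

def blocked_forwards(config, acl="103"):
    """Forwards whose outside port the inbound ACL never permits (ACL runs before NAT)."""
    allowed = set()
    for num, proto, tok in ACL_RE.findall(config):
        if num == acl:
            allowed.add((proto, PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)))
    return sorted(k for k in static_forwards(config) if (k[0], k[4]) not in allowed)

if __name__ == "__main__":
    print("\n".join(documented_form(static_forwards(SAMPLE))))
    print("not permitted by ACL 103:", blocked_forwards(SAMPLE))
```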