Solved

Cisco router 3640 and NAT

Posted on 2002-07-01
799 Views
Last Modified: 2008-02-01
Hi!

I have to realize an application.
This application is for connecting a remote private network to the internet. On the remote site I have a subnet with private IPs 10.100.101.0/255.255.255.0 and a Cisco 3640 router with an Ethernet address of 10.100.101.100, and an E1 (2 timeslots = 128k bandwidth) link at serial 3/1:1 with 2 timeslots (TS1 & TS2) connecting to our office's router; that interface has the IP 192.168.1.2/255.255.255.0. On our office side we have a Cisco 7507 router and the link is connected to serial 1/1/1:1 (the first 2 time slots). The IP of that serial is 192.168.1.1/255.255.255.0.
The internet link is on another serial of the Cisco 7507 (E1 - 2M).
In order to provide access to the internet I need to use the NAT feature of the Cisco router, but it seems not to work all the time. I tried to do the NAT on the remote side.
The related configuration from the two routers:
remote side:
********************************
!
version 12.0
!
hostname CISCO_3640
!
ip subnet-zero
!
controller E1 3/1
 channel-group 1 timeslots 1-2
!
interface FastEthernet0/0
 ip address 10.100.101.100 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial3/1:1
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 fair-queue 64 256 0
!
ip nat pool NAT_POOL 1.1.1.81 1.1.1.95 netmask 255.255.255.240
ip nat inside source list 10 pool NAT_POOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
access-list 10 permit 10.100.101.0 0.0.0.255
********************************
our side:
********************************
!
version 12.1
!
hostname CISCO_7507
!
controller E1 1/1/0
 channel-group 1 unframed
!
controller E1 1/1/1
 channel-group 1 timeslots 1-2
!
interface Serial1/1/0:1
 ip address 2.2.2.1 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 no ip route-cache cef
 no ip route-cache distributed
 ip mroute-cache
 no cdp enable
 lan-name XXXX
!
interface Serial1/1/1:1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip route-cache distributed
 no cdp enable
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route 1.1.1.80 255.255.255.240 192.168.1.2
********************************


Am I missing something?
Any other better solution?
Thanks in advance,
JSz.
Question by:szjozsef
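The first thing to check on a NAT overload setup like the one above is not the translation itself but whether the pieces fit together: the NAT router marks one inside and one outside interface, the access list actually selects the inside subnet, and the upstream router has a return route for the whole NAT pool that points back at the NAT router's outside address (without it, replies to 1.1.1.81-95 follow the 7507's default route to the internet and never come back). The script below is an added example, not code from the question or from Cisco; it parses the NAT-relevant lines of the two configs as quoted in the question and reports any of those three checks that fail. The parser handles only the command forms that appear in these configs (standard numbered ACLs with contiguous wildcard masks, static routes, one pool-based inside source rule), which is an assumption of the example.

```python
import ipaddress

# Config text copied from the question (only the NAT-relevant lines kept).
REMOTE_3640 = """\
interface FastEthernet0/0
 ip address 10.100.101.100 255.255.255.0
 ip nat inside
!
interface Serial3/1:1
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
!
ip nat pool NAT_POOL 1.1.1.81 1.1.1.95 netmask 255.255.255.240
ip nat inside source list 10 pool NAT_POOL overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 10 permit 10.100.101.0 0.0.0.255
"""

OFFICE_7507 = """\
interface Serial1/1/1:1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route 1.1.1.80 255.255.255.240 192.168.1.2
"""


def parse_interfaces(cfg):
    """Map interface name -> {'address': IPv4Interface or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"address": None, "nat": None}
        elif current and line.startswith(" "):
            w = line.split()
            if w[:2] == ["ip", "address"] and len(w) >= 4:
                interfaces[current]["address"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
            elif w[:2] == ["ip", "nat"] and len(w) >= 3:
                interfaces[current]["nat"] = w[2]
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def parse_globals(cfg):
    """Collect NAT pools, 'ip nat inside source' rules, standard ACL permits and static routes."""
    g = {"pools": {}, "nat_rules": [], "acls": {}, "routes": []}
    for line in cfg.splitlines():
        w = line.split()
        if w[:3] == ["ip", "nat", "pool"] and len(w) >= 6:
            g["pools"][w[3]] = (ipaddress.IPv4Address(w[4]), ipaddress.IPv4Address(w[5]))
        elif w[:5] == ["ip", "nat", "inside", "source", "list"] and len(w) >= 8 and w[6] == "pool":
            g["nat_rules"].append({"acl": w[5], "pool": w[7], "overload": "overload" in w})
        elif w[:1] == ["access-list"] and len(w) >= 5 and w[2] == "permit":
            # wildcard mask -> prefix length; assumes the usual contiguous wildcard
            prefix = 32 - int(ipaddress.IPv4Address(w[4])).bit_length()
            g["acls"].setdefault(w[1], []).append(ipaddress.IPv4Network(f"{w[3]}/{prefix}", strict=False))
        elif w[:2] == ["ip", "route"] and len(w) >= 5:
            g["routes"].append((ipaddress.IPv4Network(f"{w[2]}/{w[3]}", strict=False),
                                ipaddress.IPv4Address(w[4])))
    return g


def check_nat(nat_router_cfg, upstream_cfg):
    """Return a list of problems; an empty list means all three checks passed."""
    problems = []
    ifaces = parse_interfaces(nat_router_cfg)
    local, up = parse_globals(nat_router_cfg), parse_globals(upstream_cfg)
    inside = [i for i in ifaces.values() if i["nat"] == "inside"]
    outside = [i for i in ifaces.values() if i["nat"] == "outside"]
    # 1. interface roles: one inside, at least one outside, with addresses configured
    if len(inside) != 1 or inside[0]["address"] is None or not outside:
        return ["NAT router needs exactly one 'ip nat inside' and at least one 'ip nat outside' interface"]
    inside_net = inside[0]["address"].network
    outside_addrs = {i["address"].ip for i in outside if i["address"]}
    for rule in local["nat_rules"]:
        # 2. the ACL that selects traffic for translation must cover the inside subnet
        if not any(inside_net.subnet_of(n) for n in local["acls"].get(rule["acl"], [])):
            problems.append(f"access-list {rule['acl']} does not permit the inside subnet {inside_net}")
        if rule["pool"] not in local["pools"]:
            problems.append(f"NAT pool {rule['pool']} is referenced but not defined")
            continue
        # 3. the upstream router's longest-match route for every pool address must point back
        #    at the NAT router's outside address, otherwise replies follow the default route
        first, last = local["pools"][rule["pool"]]
        for n in range(int(first), int(last) + 1):
            addr = ipaddress.IPv4Address(n)
            best = max((r for r in up["routes"] if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
            if best is None or best[0].prefixlen == 0 or best[1] not in outside_addrs:
                problems.append(f"upstream router has no return route for pool address {addr} "
                                f"via the NAT router's outside address {sorted(map(str, outside_addrs))}")
                break
    return problems


if __name__ == "__main__":
    for p in check_nat(REMOTE_3640, OFFICE_7507) or ["NAT configuration looks consistent"]:
        print(p)
```

Run as-is it reports the quoted configs as consistent; deleting the `ip route 1.1.1.80 ...` line from the 7507 side makes the return-route check fail, which is the most common reason a remote-side NAT "works sometimes": translations are built (visible in `show ip nat translations`) but the reply path is missing. The check walks every address in the pool because a more specific route for part of the range would otherwise go unnoticed.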
18 Comments
 
LVL 17

Expert Comment

by:mikecr
How many people are in the office? What symptoms do you get when attempting to access the internet? If you do a "show ip nat translations" on the router, are you showing a translation table? Try doing a "debug ip nat detailed" and "debug ip nat 10", where 10 is your access-list number, and see if you're getting any translation errors.
 
LVL 8

Expert Comment

by:scraig84
Like Mikecr said - what exactly is the problem?  Where are you having issues?

Personally, I would always NAT at the last available router if that is possible, so it would be more my style to NAT on the 7507.  Just because you are using NAT for some clients, that doesn't mean all addresses have to be translated.  Therefore, if part of your network is publicly addressed (which I am assuming is true since you are only using NAT on a remote router), you could NAT for the privately addressed network and not NAT for all others.  This keeps NAT from interfering with communication within the confines of your network.
 
LVL 16

Expert Comment

by:SteveJ
mikecr and scraig84 both have good ideas. Also, look at the number of hits and misses on "show ip nat statistics".

If I was still stumped after a few days of screwing with it, I'd overload on a single address instead of a pool . . . or I'd add a policy routing statement to specify the next hop instead of using a default route statement.

Good luck.
Steve
 

Author Comment

by:szjozsef
I figured it out. I rebuilt the config from scratch and now it is working.
Thanks anyway.

I will give the points to the person who offers me a solution for my second problem.


On our side I have the Cisco 7507, and I also have a Catalyst switch and a PIX firewall.
With the help of the PIX/Catalyst I set up a number of VLANs.
(ex. inside, outside, dmz1)

I have the 10.x.x.x IPs on the inside, valid IPs on the outside (NAT), and 192.168.xx on the DMZ.
Almost everything is working fine:
  - from the inside I can access the internet (outside)
  - from the outside the DMZ is accessible.
But I need to have access to some computers using their external IP (obtained via static or dynamic NAT), which are placed in the inside network, and another placed on the DMZ network. If I try to access them from the outside (internet) it works just fine, but it is not working from the inside network.

I can only debug using SNMP traps, which say:
when I try to access from the outside a device placed on the inside or in the DMZ: Built inbound .... connection
BUT when I am accessing from the inside they say:
Built outbound ... connection.

And the connection never arrives at the device placed on the inside.
Any solution? Or is it a misconfiguration somewhere?
(I can give the related config from the Cisco devices.)
But the basic question is: is it possible to access an internal device using its (statically assigned) external IP from another internal device???

JSz.

 
LVL 8

Expert Comment

by:scraig84
If I am understanding you correctly, you want to access internal resources using outside public addresses because this is what you have set up in DNS?  If I am correct, your best option is to set up DNS in a way that external clients receive public addresses for their queries and internal clients receive the private addresses for their queries.  This way you do not have scenarios of an "out and back in" nature.  You may need two DNS servers or an intelligent "split-brain" product that will serve records based on the interface that received the request.
 

Author Comment

by:szjozsef
I know that solution using a split-brain DNS setup, but this is not resolving my problem.

Is this type of connection possible or not?
Can anybody answer this simple question?
 
LVL 8

Expert Comment

by:scraig84
No, it's not possible.  You should access internal hosts using their internal addresses.  Like I said, this may cause the need for DNS modification, but there isn't a way around it that I have ever heard of.
 
LVL 16

Expert Comment

by:SteveJ
I'm no DNS guy, as this response will indicate, but isn't this the same problem that every company in the world faces when they have internet access? And don't they resolve this by having 2 DNSs with different SOAs?

Steve
 
LVL 17

Expert Comment

by:mikecr
If you're accessing hosts by a live IP and a fake one, you need to have two DNS servers: one on the local area network that the local clients will look at to resolve the IP of the server in question, and an external DNS server which will resolve queries to the server's live address. This will solve your problem of accessing it by DNS name internally and externally.

Author Comment

by:szjozsef
As I said before, a split DNS is not resolving my problem. Name resolution is not the problem.

The application requires that this type of connection be possible. And it is not possible to set it up to use the internal address, only valid internet addresses, and I need to use NAT too. Is anybody able to answer whether, with Cisco equipment using NAT, this is possible?

Thanks in advance,
JSz.
 
LVL 17

Expert Comment

by:mikecr
Okay, you have an application that you would like to connect to on an internal server that needs an external IP that you want to NAT, is this not correct? Are you connecting to it by name or by IP address?
 

Author Comment

by:szjozsef
I need to connect both the clients and the servers on an internal network, using IP, and it is not possible to connect by name. But clients exist on the outside network too, and in another "inside" (DMZ) zone too. And the only possible connection should be by external addresses, because some of the clients which reside on the internal network are sometimes placed on the external network, and the server's IP is not possible all the time.

Logically, according to NAT's functionality, it could be possible to realize this, but in practice this is not functioning :(
 
LVL 16

Expert Comment

by:SteveJ
Sorry about the DNS response, I didn't read your question carefully.

So you want a device on a private network to be able to address another device on the SAME private network by its public (NAT'd) address?

I haven't given this enough thought probably, but . . . create an ACL which allows the public-to-private traffic, add a policy routing statement to route traffic back out the same interface (set interface Ethernet 1/1/1/1), and put a secondary address on the router interface and the device interface.

Steve
 
LVL 8

Expert Comment

by:scraig84
Like I said - I don't believe this is possible.  First off, the PIX does not support secondary addresses.  Second, all traffic outbound from the inside should already be allowed.  Traffic inbound to the host servers from the external world (presumably an "any" statement) is already allowed.  Therefore, ACLs aren't an issue.

Aside from fixing this with DNS, you would need to publicly address the boxes in your DMZ and not perform NAT to these boxes.
 
LVL 8

Accepted Solution

by:scraig84 (earned 200 total points)
If you don't want to take my word for it, here's what Cisco says:

http://www.cisco.com/warp/public/110/pixfaq.shtml#Q15

An excerpt:

To get around this issue your inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or you must take the outside segment off the 99.99.99.x network so the router can be configured to route this packet back to the PIX.
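The fix that scraig84, SteveJ and mikecr converge on (two DNS servers, or one "split-brain" server that answers according to where the query came from) and the Cisco FAQ excerpt above both amount to the same rule: an inside client asking for www.mydomain.com must get 10.10.10.10, an outside client must get the 99.99.99.x public address, so no inside host ever tries the "out and back in" path through the PIX. The code below is an added example, not from the thread, from Cisco or from any DNS product; it implements that view selection on a real DNS wire-format query and response (RFC 1035 A records, one question, one answer) so the behaviour can be exercised offline. The record set, the inside prefixes and the client addresses are constructed for the example; only www.mydomain.com and 10.10.10.10 come from the FAQ excerpt, and 99.99.99.10 is a constructed host on the FAQ's 99.99.99.x segment.

```python
import ipaddress
import struct

# Constructed zone: name -> (address handed to inside clients, address handed to outside clients)
RECORDS = {
    "www.mydomain.com": ("10.10.10.10", "99.99.99.10"),
    "mail.mydomain.com": ("10.10.10.25", "99.99.99.25"),
}

# Constructed "inside" view: queries arriving from these prefixes receive the private answers.
INSIDE_VIEW = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits
RCODE_NXDOMAIN = 3


def view_for(client_ip):
    """Pick the view by the source address of the query, as a split-brain server would."""
    ip = ipaddress.ip_address(client_ip)
    return "inside" if any(ip in net for net in INSIDE_VIEW) else "outside"


def _read_name(msg, off):
    """Decode an uncompressed label sequence starting at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(name, qid=0x1234):
    """Encode a standard recursive A/IN query the way a stub resolver would send it."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def answer(query, client_ip):
    """Build the response to a query packet, choosing the record by the client's view."""
    qid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    name, off = _read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rec = RECORDS.get(name.lower())
    base_flags = QR | AA | (flags & RD) | RA
    if rec is None or qtype != 1 or qclass != 1:
        rcode = RCODE_NXDOMAIN if rec is None else 0   # unknown name, or a type we do not serve
        return struct.pack("!HHHHHH", qid, base_flags | rcode, 1, 0, 0, 0) + question
    private, public = rec
    addr = private if view_for(client_ip) == "inside" else public
    # answer RR: pointer to the question name (offset 12), type A, class IN, TTL 60, 4-byte rdata
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(addr).packed
    return struct.pack("!HHHHHH", qid, base_flags, 1, 1, 0, 0) + question + rr


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0xF


def parse_answer(response):
    """Return (name, address) from a single-answer response, or (name, None) if there is no answer."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    name, off = _read_name(response, 12)
    off += 4                      # skip QTYPE/QCLASS
    if ancount == 0:
        return name, None
    off += 2                      # skip the 2-byte compression pointer
    _, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    rdata = response[off + 10:off + 10 + rdlen]
    return name, str(ipaddress.IPv4Address(rdata))


def lookup(name, client_ip):
    """Round-trip helper: what address does a client at client_ip get for name?"""
    return parse_answer(answer(build_query(name), client_ip))[1]


if __name__ == "__main__":
    for client in ("10.10.10.50", "203.0.113.7"):   # constructed inside and outside clients
        print(client, "->", lookup("www.mydomain.com", client))
```

The point of doing it at the wire level is that the client sees an ordinary authoritative answer either way; only the source address decides which address is returned, which is exactly the property that makes the PIX hairpin unnecessary. It does not help the asker's case, where the application is configured with the public IP and never resolves a name, which is why the thread ends up at the routing and addressing alternatives in the FAQ.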
 
LVL 8

Expert Comment

by:scraig84
I will mention that based on the info in the link provided above, you could theoretically provide a "host route" (static route masked so that it is destined to a particular host rather than a full network) to your Internet router to force it to push traffic back to the PIX for this address.  However, I have never heard of anybody getting this to work.  The best bet would be to publicly address the DMZ hosts or you could keep it using NAT but use a different public network between the PIX and the router.
 

Author Comment

by:szjozsef
Thank you for pointing me to this web page. I will try to resolve it, but I don't think it is possible in my case.

Anyway, thank you all.


JSz.
 
LVL 17

Expert Comment

by:mikecr
I could probably do what you want with a Checkpoint FW1 firewall; however, at this point I would have to agree with Scraig84. If I'm not mistaken, if you try to reroute traffic back through the PIX it is going to drop it, thinking it is a spoof.
