DLockwood

Help needed with NAT Translations on CISCO 1720 Router

This is my first time interfacing with a Cisco product.  I found configuring the router with Config Maker v2.6 was extremely easy.  However, I am having a terrible time understanding how to make NAT work in the following way:

Router's Public IP is x.x.252.90/24
Usable Public IP addresses are x.x.246.129-142/28
Router's private IP address is x.x.246.129/28
(However, I have not assigned this private IP address, instead I have assigned 192.168.1.254 as my Eth0 address)

I have configured NAT for all users on the private network 192.168.1 on Eth0. I cannot translate external IP addresses to access my Web server, Exchange Server, and FTP server on the 192.168.1 subnet. External tracert's to my public IP's assigned to internal IP's all die at my router.

Throwing the configuration GUI aside, Could I ask for assistance with exact command lines needed to create the necessary STATIC NAT configuration for translating x.x.246.130:80 to 192.168.1.2 and x.x.246.131:25 to 192.168.1.1, and still have DYNAMIC NAT translations for all 30 users.

One more thing, Would it be more advantageous to install an Ethernet WIC card (which I do have) and route all x.x.246.0 traffic through Eth1 interface, and assign the public IP addresses to a second nic card on my servers? Why or Why not?  Can I still NAT my users if I did it this way?

Thank you.
Les Moore

I would not suggest using a second WIC Eth card and adding a 2nd NIC on the servers for public interface. This would, in effect, create the requirement that each of your dual-homed servers become a firewall. No software running on Microsoft server will ever be a secure firewall - IMHO.

You could put your publicly accessible servers on another Ethernet port to create a "DMZ" and let the router control access between this DMZ port and the internal network.

Do you know if you have the firewall feature set on your router?

inbound static nat is fairly simple:

ip nat inside source static 192.168.1.15 x.x.246.130
ip nat inside source static 192.168.1.16 x.x.246.131

And on your access list for your nat pool, you need to exclude these statically assigned hosts, i.e.

ip nat inside source list 1 pool NAT-POOL overload
access-list 1 deny 192.168.1.15
access-list 1 deny 192.168.1.16
access-list 1 permit 192.168.1.0 0.0.0.255
pedrow

hmmm...I have a couple of questions.

You've been given a small block of routable, public ip addresses (x.x.246.129-142/28)

Your serial interface (connection to your isp) has an ip address of x.x.252.90/24

Your inside 'e0' interface is addressed out of private rfc1918 space (192.168.1.254/24)

So, you're trying to assign the x.x.246.129-142/28 as your NAT pool of addresses?

If this is the case, I think I know why it's failing:
The NAT pool must come from a connected network. If these routable addresses aren't configured on any of your router's interfaces, the NAT function won't let you allocate them for translations.

If you don't want to assign this address range to a physical port(e0), you can create a loopback interface to the router and assign the routable block to that interface:

router# conf t
router(config)# int loopback 0
router(config-int)# ip address x.x.246.129 255.255.255.248
router(config-int)# end
router#

You can just assign the loopback0 address as your overload address and use the rest of the address pool for your static translations.

I'm not sure where lrmoore defined the pool itself (i.e. i don't know why he denies the statically natted hosts):

ip nat pool NAT-POOL x.x.246.129 x.x.246.129 prefix-length 29

You don't have to specifically deny the statically natted hosts from the overload pool...the router just knows because you've entered the static translations. You could also probably simplify it as well by doing something like this:

ip nat inside source list 1 interface Loopback 0 overload
access-list 1 permit 192.168.1.0 0.0.0.255




I guess my other comment would be that I'd agree with lrmoore for using your public network on a separate interface of the router if you can swing it. And I also agree with lrmoore about using winders anything as a firewall (there's no differentiation between inbound vs. outbound traffic for starters). You'll have to do some thinking about what kinds of traffic you expect to see between this 'bastion host' LAN, the outside and the rest of your internal network.

I'm of the opinion that production servers that provide public services should never rely upon NAT. I look at it as one more thing to have to troubleshoot in case you've got some sort of availability issue. I've just seen too many  bugs over the years with NAT. When it comes to high-availability, you wanna eliminate potential problems where you can :)

If you do go this route, you can still nat your inside users the same way to the outside and it wouldn't NAT at all from your internal e0 lan and your bastion host lan (Eth1?) because you won't be using the 'ip nat outside' command on that routable interface.
The deny statements in the acl came from this document for using both dynamic and static NAT at the same time:
http://www.cisco.com/warp/public/556/9.html

hmph...odd.

I use both static and dynamic as well and have never needed to deny nat for those statically natted hosts.

I think it's because the use of the static nat translation...When the traffic goes from inside to outside, there's already an existing translation for those statically natted hosts, so there's no need for the router to dynamically create one of the overload pool.

DLockwood (asker)

Here is what I have done, please advise what steps I have missed.

Per both your responses, I entered in the following commands:

# ip nat pool NAT-POOL x.x.246.129 x.x.246.142 prefix-length 28
# ip nat inside source static 192.168.1.5 x.x.246.140
# ip nat inside source static 192.168.1.1 x.x.246.131
# ip nat inside source list 1 pool NAT-POOL overload
# access-list 1 deny 192.168.1.5
# access-list 1 deny 192.168.1.1
# access-list 1 permit 192.168.1.0 0.0.0.255

When I ping the x.x.246.140 (or any other NAT address) from the internet, I receive a "TTL expired in transit error" from my ISP's default gateway.

Here is my configuration: (192.168.1.5 is my FTP server, 192.168.1.1 is my Citrix / DNS server... 192.168.1.2 will be my web server once I get this working)
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XYZ
!
no logging console
enable password 7 121E001917180517
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Serial0
 no ip address
 encapsulation frame-relay
 service-module t1 remote-alarm-enable
 service-module t1 fdl ansi
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip address xx.xx.252.90 255.255.255.0
 frame-relay interface-dlci 16 IETF  
!
interface FastEthernet0
 description connected to Private Network
 ip address 192.168.1.253 255.255.255.0
 speed auto
!
router rip
 version 2
 passive-interface Serial0.1
 network 192.168.1.0
 no auto-summary
!
ip nat pool NAT-POOL xx.xx.246.129 xx.xx.246.142 prefix-length 28
ip nat inside source list 1 pool NAT-POOL overload
ip nat inside source static 192.168.1.1 xx.xx.246.131
ip nat inside source static 192.168.1.5 xx.xx.246.140
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip route xx.xx.252.0 255.255.255.0 Serial0.1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0 permanent
no ip http server
!
access-list 1 deny   192.168.1.1
access-list 1 deny   192.168.1.5
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 password 7 130603135A5C5478
 login
line aux 0
line vty 0 1
 password 7 130603135A5C5478
 login
line vty 2 4
 login
!
no scheduler allocate
end

I hope this helps.  Thanks for all your efforts.
Try adding the "extendable" tag to the static nat

ip nat inside source static 192.168.1.1 xx.xx.246.131 extendable
ip nat inside source static 192.168.1.5 xx.xx.246.140 extendable

Are you sure your ISP has a route established to your nat pool? You can test by assigning a loopback interface one of the addresses, and try to ping it from the outside. If not successful, it could be a routing issue.

Suggest removing the two "permanent" route statements. These routes are connected and so these statements are redundant and I've seen some odd behavior with this setup.

Are you sure about the subnet mask on the serial interface? We normally see 255.255.255.252  and not a full class C on an internet-facing interface.


I wouldn't have the statically assigned nat translations included in your overload pool.

# ip nat pool NAT-POOL x.x.246.129 x.x.246.142 prefix-length 28
# ip nat inside source static 192.168.1.5 x.x.246.140
# ip nat inside source static 192.168.1.1 x.x.246.131

You can actually use a pretty darn small pool for the outbound NAT. Unless you're providing nat translations for hundreds of folks a couple addresses should suffice:

Try something like this:
ip nat pool NAT-POOL x.x.246.129 x.x.246.130 prefix-length 28

If you really need more addresses than two for your dynamic pool, I'd assign the static NAT translations from the top of your routable allocation and use the ones at the bottom for your dynamic translations.

You also don't seem to have configured this routable pool on any of your interfaces either as I had mentioned previously. You must have your NAT pool addresses configured on one of the connected router interfaces in order for the router to be able to allocate them. This is most likely the main reason for your NAT failure.

Try this:
!
int loopback0
ip address x.x.246.129 255.255.255.240
end
!

This way your router actually has the ip addresses to allocate to the nat pool :)

Right after you try pinging, tracerouting, httping from your inside hosts, try the following to see if things are working the way you like:

router> show ip nat translations
and
router> show ip nat statistics

If NAT is working properly, you'll see the table fill nicely. If you're still having problems, it might be the isp's route to your public addresses is hosed as lrmoore suggested.

Test by tracing to one of these addresses from some public route-server, like route-server.ip.att.net (telnet to it) and run a trace from there.
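The advice in the replies above, pulled together as an added example that is not part of this thread and not a Cisco tool: a small Python checker that parses the NAT-relevant lines of an IOS-style config dump, applies the inside-to-outside lookup order pedrow describes (an existing static entry wins, only then does the ACL decide whether the overload pool is used), and flags the pitfalls raised here (the pool not sitting on any connected interface, static globals overlapping the dynamic pool). It also flags one thing the posted config lacks that neither reply names: no interface carries `ip nat inside` or `ip nat outside`, and IOS does not translate anything until both are set. The sample config is constructed from the asker's post with the masked xx.xx.252.0/24 and xx.xx.246.128/28 blocks replaced by the documentation prefixes 203.0.113.0/24 and 198.51.100.128/28 (placeholders, not real allocations); only the `pool` form of `ip nat inside source list` is parsed.

```python
import ipaddress

# Constructed sample modelled on the config posted in this thread. The thread's
# masked xx.xx.252.0/24 and xx.xx.246.128/28 blocks are stood in for by the
# documentation prefixes 203.0.113.0/24 and 198.51.100.128/28 (placeholders).
SAMPLE_CONFIG = """\
interface Serial0.1 point-to-point
 ip address 203.0.113.90 255.255.255.0
!
interface FastEthernet0
 ip address 192.168.1.253 255.255.255.0
!
ip nat pool NAT-POOL 198.51.100.129 198.51.100.142 prefix-length 28
ip nat inside source list 1 pool NAT-POOL overload
ip nat inside source static 192.168.1.1 198.51.100.131
ip nat inside source static 192.168.1.5 198.51.100.140
!
access-list 1 deny   192.168.1.1
access-list 1 deny   192.168.1.5
access-list 1 permit 192.168.1.0 0.0.0.255
"""


def parse_config(text):
    """Pull the NAT-relevant statements out of an IOS-style running config."""
    cfg = {"interfaces": {}, "pools": {}, "static": {}, "dynamic": [], "acls": {}}
    stanza = None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            stanza = None          # '!' closes an interface stanza
            continue
        if words[0] == "interface":
            stanza = cfg["interfaces"].setdefault(words[1], {"net": None, "nat": None})
            continue
        if line.startswith(" ") and stanza is not None:
            if words[:2] == ["ip", "address"]:
                stanza["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            elif words[:2] == ["ip", "nat"]:
                stanza["nat"] = words[2]   # 'inside' or 'outside'
            continue
        stanza = None
        if words[:3] == ["ip", "nat", "pool"]:
            # ip nat pool NAME FIRST LAST prefix-length N
            cfg["pools"][words[3]] = (ipaddress.ip_address(words[4]), ipaddress.ip_address(words[5]))
        elif words[:5] == ["ip", "nat", "inside", "source", "static"]:
            cfg["static"][ipaddress.ip_address(words[5])] = ipaddress.ip_address(words[6])
        elif words[:5] == ["ip", "nat", "inside", "source", "list"]:
            # ip nat inside source list ACL pool NAME [overload]
            cfg["dynamic"].append((words[5], words[7], "overload" in words))
        elif words[0] == "access-list":
            wildcard = words[4] if len(words) > 4 else "0.0.0.0"   # no wildcard = single host
            cfg["acls"].setdefault(words[1], []).append(
                (words[2], int(ipaddress.ip_address(words[3])), int(ipaddress.ip_address(wildcard))))
    return cfg


def acl_permits(entries, ip):
    """Standard ACL semantics: first matching line decides, implicit deny at the end."""
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF     # wildcard bits set = don't care
        if int(ip) & care == addr & care:
            return action == "permit"
    return False


def translate(cfg, inside_ip):
    """Inside-to-outside lookup as pedrow describes it: a static entry already
    exists and wins; only otherwise does the ACL decide whether the router
    builds a dynamic (overload/PAT) translation out of the pool."""
    ip = ipaddress.ip_address(inside_ip)
    if ip in cfg["static"]:
        return ("static", str(cfg["static"][ip]))
    for acl, pool, overload in cfg["dynamic"]:
        if acl_permits(cfg["acls"].get(acl, []), ip):
            return ("pat" if overload else "dynamic", pool)
    return None


def lint(cfg):
    """Pitfalls raised in the thread, plus the interface designations the
    posted config lacks: IOS only translates on interfaces marked inside/outside."""
    findings = []
    roles = {i["nat"] for i in cfg["interfaces"].values()}
    if not {"inside", "outside"} <= roles:
        findings.append("no 'ip nat inside' / 'ip nat outside' on any interface: NAT never engages")
    nets = [i["net"] for i in cfg["interfaces"].values() if i["net"]]
    for name, (first, last) in cfg["pools"].items():
        if not any(first in n and last in n for n in nets):
            findings.append(f"pool {name} is on no connected interface (pedrow's loopback advice)")
        for inside, public in cfg["static"].items():
            if first <= public <= last:
                findings.append(f"static global {public} (for {inside}) lies inside pool {name}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in lint(cfg):
        print("finding:", finding)
    for host in ("192.168.1.1", "192.168.1.20", "192.168.2.20"):
        print(host, "->", translate(cfg, host))
```

Run against the sample, `lint` reports four findings (the missing inside/outside designations, the pool on no connected interface, and the two static globals sitting inside the pool range), and `translate` returns the static entry for 192.168.1.1 whether or not the `deny` lines are present in access-list 1, which is the behaviour pedrow observed. Marking the interfaces, moving the block onto a loopback and shrinking the pool to two addresses, as the replies suggest, brings the finding list to empty.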
Apparently, this configuration is over my head.  I still cannot get Nat to translate to an internal IP following your commands.

However, due to a crisis, I was forced to assign  xx.xx.146.129/28 to the internal interface, and put my web servers on this segment.

I have opened the firewall on the router to allow all services to pass through.

I know this is not how it is going to stay, but I need to have the original goal of NAT Translations configured.  Is it possible to contact you directly for assistance?

Thank you.
ASKER CERTIFIED SOLUTION
pedrow

I would like to add, it turns out the router configuration wasn't the sole issue with my configuration.  My web server, even though I was changing the default gateway, had a static route mapped pointing it to the previous DSL modem.  This was the reason for my failure, frustration, and confusion.  After deleting all the static gateway mappings on the server, STATIC NAT TRANSLATIONS began to work.

Thank you very much for your assistance.