Solved

Gotta NAT problem (surprised?)

Posted on 2003-12-09
15
1,818 Views
Last Modified: 2007-12-19
I'm trying to host a NetMeeting in our DMZ.  All the DMZ servers have private addresses.  With a Netopia router and a single public IP, I could get it working using port translation.  Now I have 32 publics which are statically NATted to the private server addresses (using a Cisco 1720) and now it won't connect.  I know NetMeeting doesn't work with NAT, but it was working somehow with port translation and I'm wondering if there's an option I can turn on in the Cisco.  If not, are there alternatives with the address configuration?
0
Question by:Popeyediceclay
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9908206
Are you doing 1-1 static NAT translations for the servers so that each server with a private IP has a unique public IP out of your pool of 32 addresses?

Do you have the firewall feature set on the router? Look for "ip inspect" in the config.
Do you have any inbound access-list entries?

0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9910221
Popeyediceclay, NetMeeting works well with NAT. I often use NetMeeting to contact other guys all over the world; I call them, and they can call me behind a NAT firewall with a few specific open (forwarded) ports for NetMeeting's protocols. My firewall is a Linksys NAT router; with Cisco you certainly can do it perfectly. How can I help you? Just let me know.

cheers,
bbao
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9915510
lrmoore,
  yes, it's 1-1 static; I set up a NAT pool and have each public mapped to each private.
My config looks like this (edited for privacy):
ip nat pool Cisco1720-natpool-1 (public).66 (public).94 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1720-natpool-1 overload
ip nat inside source static 192.168.2.88 (public).88
ip nat inside source static 192.168.2.89 (public).89
ip nat inside source static 192.168.2.56 (public).67
ip nat inside source static 192.168.2.57 (public).68
ip nat inside source static 192.168.2.10 (public).94
ip nat inside source static 192.168.2.66 (public).69
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server

I don't see any firewall features, and no inbound access-list entries.  I can get everything else to work, like VNC, PCAW, etc.

bbao,
  Like your Linksys router, I too had it working with port translation on the Netopia, but this is a different kind of NAT and I'm trying to implement a range of IPs now.  Originally I only had one IP, so it becomes a little trickier (especially when configuring the Cisco router!!  What a pain...)

TIA
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9915543
I think I've heard of a built-in Cisco feature to enable which fixes this, called something like "nathelper?" or "iphelper?"  Sound familiar to anyone?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9915892
You may be thinking of the "fixup protocol H323" on the Cisco PIX FW.

If you have a 1-1 static NAT, no firewall features enabled, and no access-list, there is no logical reason that it won't work. You would have to post your complete config (edited for protection, of course).

Unless, it is this system that you are trying to connect to:
>ip nat inside source static 192.168.2.10 (public).94 <---

(public).94 is also part of your pool and the requisite ports may already be mapped with a dynamic translation..
>ip nat pool Cisco1720-natpool-1 (public).66 (public).94 <---

0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9916843
That wasn't the host I was trying for, but I found that it can connect up, but it's rare that it will succeed.  I set up a NetMeeting host on my webserver and was able to connect to the host internally and externally, but I can't anymore... I might have a bad hub right there maybe; more likely I haven't correctly set up that router (I'm rather fresh on Cisco).  Is the router supposed to "fill up" with dynamic translations?  I clear them every once in a while but I think they make it crash now and then, yes?  I'd like to get a nice link to a "beginners guide to Cisco 1700 series".
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9917108
I hate to be the bearer of bad news, but if you can connect 'sometimes' and you 'fill up' with dynamic translations, this is a classic symptom of the Welchia/MSBlaster worm....

Suggest this access-list as a temporary measure:

access-list 122 deny icmp any any echo
access-list 122 permit ip any any
!
interface Fast 0
 ip access-group 122 in
!
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9917451
Hehe, actually it was an SQL worm (port 1434) that was sending crazy outbound traffic from one of my users' PCs.  But that's gone now, and I'm still 'effed'.  What will that access-list do?  Was that to stop the virus from getting through?
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9917492
Well, here's my config; it's pretty basic.  I swapped the class B portion of the publics with 208.175 where necessary.  Also, did I set up the DHCP right?  It keeps flashing errors in HyperTerminal.

Using 2295 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco1720
!
enable password *************
!
!
!
!
!
ip subnet-zero
no ip finger
ip name-server **.**.**.**
ip name-server **.**.**.**
no ip dhcp conflict logging
ip dhcp database ftp://127.0.0.1/dhcp
ip dhcp database dhcp
ip dhcp excluded-address 192.168.2.1 192.168.2.79
ip dhcp excluded-address 192.168.2.90 192.168.2.255
!
ip dhcp pool 1
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server **.**.**.** **.**.**.**
   lease 0 1
!
!
!
!
interface Serial0
 description connected to Internet
 ip address 208.175.114.118 255.255.255.252
 ip nat outside
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 speed auto
!
router rip
 version 2
 passive-interface Serial0
 network 192.168.2.0
 no auto-summary
!
ip nat translation max-entries 100
ip nat pool Cisco1720-natpool-1 208.175.112.66 208.175.112.94 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1720-natpool-1 overload
ip nat inside source static 192.168.2.66 208.175.112.69
ip nat inside source static 192.168.2.10 208.175.112.94
ip nat inside source static 192.168.2.57 208.175.112.68
ip nat inside source static 192.168.2.56 208.175.112.67
ip nat inside source static 192.168.2.89 208.175.112.89
ip nat inside source static 192.168.2.88 208.175.112.88
ip nat inside source static 192.168.2.87 208.175.112.87
ip nat inside source static 192.168.2.86 208.175.112.86
ip nat inside source static 192.168.2.85 208.175.112.85
ip nat inside source static 192.168.2.84 208.175.112.84
ip nat inside source static 192.168.2.83 208.175.112.83
ip nat inside source static 192.168.2.82 208.175.112.82
ip nat inside source static 192.168.2.80 208.175.112.80
ip nat inside source static 192.168.2.81 208.175.112.81
ip nat inside source static 192.168.2.9 208.175.112.66
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server
!
access-list 1 permit 192.168.2.0 0.0.0.255
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password ************
 login
 transport input none
line aux 0
line vty 0 4
 password ************
 login
!
end
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 65 total points
ID: 9917542
I think you need to get rid of this line:

ip dhcp database ftp://127.0.0.1/dhcp

Also, if you're doing both dynamic and static NAT, you should deny your statics from using the dynamic:

access-list 1 deny host 192.168.2.10
access-list 1 deny host 192.168.2.9
access-list 1 deny host 192.168.2.66
<etc>
access-list 1 permit 192.168.2.0 0.0.0.255

These are minor issues, and there is no reason for you to be experiencing the symptoms you have, except for the possibility of being infected by the worms.
The access-list was to prevent the worm from overwhelming your router CPU with translations, long enough for you to get a handle on what was going on.


0
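As an added example that is not code from this thread, the Python script below audits a NAT config excerpt for the two points lrmoore raises: a static public address that also falls inside the dynamic pool range, and a static inside host that the dynamic source list still permits (and so can also pick up overload translations). The excerpt is constructed from the posted 1720 config, trimmed to the NAT lines, with one deny entry added to show what a clean entry looks like.

```python
import ipaddress
import re

# Constructed excerpt of the 1720 config posted above (NAT-relevant lines only);
# the deny line for 192.168.2.10 is added here to show a correctly excluded static.
SAMPLE_CONFIG = """
ip nat pool Cisco1720-natpool-1 208.175.112.66 208.175.112.94 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1720-natpool-1 overload
ip nat inside source static 192.168.2.66 208.175.112.69
ip nat inside source static 192.168.2.10 208.175.112.94
ip nat inside source static 192.168.2.9 208.175.112.66
access-list 1 deny host 192.168.2.10
access-list 1 permit 192.168.2.0 0.0.0.255
"""

QUAD = r"\d+\.\d+\.\d+\.\d+"

def parse_nat(config):
    """Pull NAT pools, the dynamic source list, static entries and standard ACLs out of IOS text."""
    pools, statics, acls, dynamic = {}, [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", line):
            dynamic = (m[1], m[2])                      # (ACL number, pool name)
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(rf"access-list (\S+) (permit|deny) (host )?({QUAD})(?: ({QUAD}))?", line):
            # "host X" is a /32; "NET WILDCARD" uses IOS wildcard (hostmask) notation
            net = ipaddress.ip_network(m[4] if m[3] else f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((m[2], net))
    return pools, statics, acls, dynamic

def acl_action(rules, addr):
    """First-match evaluation of a standard ACL; IOS implicitly denies anything unmatched."""
    return next((act for act, net in rules if addr in net), "deny")

def audit_nat(config):
    """Return one finding per static entry that can collide with the dynamic (overload) NAT."""
    pools, statics, acls, dynamic = parse_nat(config)
    findings = []
    if dynamic is None:
        return findings
    acl_id, pool_name = dynamic
    low, high = pools[pool_name]
    for inside, public in statics:
        if low <= public <= high:
            findings.append(f"{public} is statically mapped but also inside pool {pool_name}")
        if acl_action(acls.get(acl_id, []), inside) == "permit":
            findings.append(f"{inside} is static yet matches access-list {acl_id}; add 'access-list {acl_id} deny host {inside}'")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

On the sample, every static public address is reported as overlapping the pool, and the two inside hosts without a deny entry are flagged, while 192.168.2.10 is not.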
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 60 total points
ID: 9917833
Popeyediceclay, I am not sure if you have noticed what lrmoore recommended: "If you have a 1-1 static nat, no firewall features enabled, and no access-list," it is right and you'd better consider it. To use NetMeeting, you don't need 1-1 static NAT with its risk. As I mentioned in my first post, just use NAT with a few ports forwarded; that is enough.

Just listing the inbound ports you should open for NetMeeting's incoming calls. For outgoing calls, you don't need to open ANY inbound ports if you have NO access control for outgoing traffic.

port 1503, for T.120 (TCP)
port 1720, for H.323 call setup (TCP)
Dynamic   H.323 call control (TCP)
Dynamic   H.323 streaming [Realtime Transport Protocol (RTP) over User Datagram Protocol (UDP)]

If your Cisco router supports Application Mapping, it is easier than using a simple ACL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfpam.htm

For more information, see "How to Establish NetMeeting Connections Through a Firewall":
http://support.microsoft.com/?id=kb;en-us;158623

hope it helps,
bbao
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9929761
It must be either the router or the switch; I think I'll get a different switch and if that doesn't work I'll dump the NAT and just use the publics.  Points were split.  Thanks guys
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9929835
Oh, one last thing.  I ran a packet sniffer on the server and tried the NetMeeting connection again.  The two bounced connections back and forth on port 1720, which tells me that it's translating, but the NetMeeting connection was immediately denied anyway.  What's that tell you?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9932854
Since all ports above 1024 are free to be used by applications, it is possible that a caller calls from port 1720 to another NetMeeting user on port 1720. But if this keeps happening, even after you reboot or start other network applications, then we should study the reason.
 
0
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 9932886
I'm not sure what it was, bbao.  All I know is this: I swapped the hub, still no go.  I reconfigured my whole router and perimeter servers to use public addresses and now EVERYTHING works great, including NetMeeting.  It had to be something I didn't know how to enable in the router, or maybe it wasn't supposed to ever work with static NAT (not port translation).  The few times I got it to work with static must have been a fluke.
0
