Gotta NAT problem (surprised?)

I'm trying to host a NetMeeting in our DMZ. All the DMZ servers have private addresses. With a Netopia router and a single public IP, I could get it working using port translation. Now I have 32 publics which are statically NATted to the private server addresses (using a Cisco 1720) and now it won't connect. I know NetMeeting doesn't work with NAT, but it was working somehow with port translation and I'm wondering if there's an option I can turn on in the Cisco. If not, are there alternatives with the address configuration?
PopeyediceclayAsked:

lrmooreCommented:
Are you doing 1-1 static NAT translations for the servers so that each server with a private IP has a unique public IP out of your pool of 32 addresses?

Do you have the firewall feature set on the router? Look for "ip inspect" in the config
Do you have any inbound access-list entries?

bbaoIT ConsultantCommented:
Popeyediceclay, NetMeeting works well with NAT. I often use NetMeeting to contact other guys all over the world; I call them, and they can call me behind a NAT firewall with a few specific open (forwarded) ports for NetMeeting's protocols. My firewall is a Linksys NAT router; with Cisco you certainly can do it perfectly. How can I help you? Just let me know.

cheers,
bbao
PopeyediceclayAuthor Commented:
lrmoore,
  Yes, it's 1-1 static. I set up a NAT pool and have each public mapped to each private.
my config looks like this: (edited for privacy)
ip nat pool Cisco1720-natpool-1 (public).66 (public).94 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1720-natpool-1 overload
ip nat inside source static 192.168.2.88 (public).88
ip nat inside source static 192.168.2.89 (public).89
ip nat inside source static 192.168.2.56 (public).67
ip nat inside source static 192.168.2.57 (public).68
ip nat inside source static 192.168.2.10 (public).94
ip nat inside source static 192.168.2.66 (public).69
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server

I don't see any firewall features, and no inbound access-list entries. I can get everything else to work, like VNC, PCAW, etc.

bbao,
  Like your Linksys router, I too had it working with port translation on the Netopia, but this is a different kind of NAT and I'm trying to implement a range of IPs now. Originally I only had one IP, so it becomes a lil trickier (especially when configuring the Cisco router!! What a pain...)

TIA
PopeyediceclayAuthor Commented:
I think I've heard of a built-in Cisco feature to enable which fixes this, called something like "nathelper?" or "iphelper?" Sound familiar to anyone?
lrmooreCommented:
You may be thinking of the "fixup protocol H323" on the Cisco PIX FW.

If you have a 1-1 static nat, no firewall features enabled, and no access-list, there is no logical reason that it won't work. You would have to post your complete config (edited for protection, of course).

Unless it is this system that you are trying to connect to:
>ip nat inside source static 192.168.2.10 (public).94 <---

(public).94 is also part of your pool and the requisite ports may already be mapped with a dynamic translation.
>ip nat pool Cisco1720-natpool-1 (public).66 (public).94 <---

PopeyediceclayAuthor Commented:
That wasn't the host I was trying for, but I found that it can connect up, but it's rare that it will succeed. I set up a NetMeeting host on my webserver and was able to connect to the host internally and externally, but I can't anymore... I might have a bad hub right there maybe; more likely I haven't correctly set up that router (I'm rather fresh on Cisco). Is the router supposed to "fill up" with dynamic translations? I clear them every once in a while but I think they make it crash now and then, yes? I'd like to get a nice link to a "beginner's guide to Cisco 1700 series".
lrmooreCommented:
I hate to be the bearer of bad news, but if you can connect 'sometimes' and you 'fill up' with dynamic translations, this is a classic symptom of the Welchia/MSBlaster worm....

Suggest this access-list as a temporary measure:

access-list 122 deny icmp any any echo
access-list 122 permit ip any any
!
interface Fast 0
 ip access-group 122 in
!
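The "fills up with dynamic translations" symptom lrmoore describes can be triaged from the router itself rather than guessed at. The script below is an added example, not something posted in this thread or shipped by Cisco: it parses text laid out like Cisco IOS `show ip nat translations` output and reports inside hosts that either hold a large share of the translation table or fan out to many outside hosts on one port, which is the shape of worm or scan traffic rather than of a NetMeeting call. The sample rows are constructed (thread addresses plus RFC 5737 documentation ranges); the 40 UDP/1434 flows from 192.168.2.40 are invented to model the SQL-worm traffic the asker mentions later in the thread, and the thresholds are assumptions chosen to sit below the `ip nat translation max-entries 100` limit in the config posted below.

```python
"""Triage a NAT translation table for one inside host saturating it.
Added example (not from the thread); parses the layout of Cisco IOS
'show ip nat translations' output and flags hosts by count and fan-out.
"""
from collections import Counter, defaultdict, namedtuple

Translation = namedtuple("Translation", "proto inside_host outside_host outside_port")

# Constructed sample in 'show ip nat translations' layout. The first data row is a
# static, port-less entry; the 40 UDP/1434 rows model a scanning host.
SAMPLE_SHOW_NAT = [
    "Pro Inside global      Inside local       Outside local      Outside global",
    "--- 208.175.112.88     192.168.2.88       ---                ---",
    "tcp 208.175.112.66:1720 192.168.2.9:1720  198.51.100.7:1720  198.51.100.7:1720",
    "tcp 208.175.112.66:3051 192.168.2.9:3051  198.51.100.7:1503  198.51.100.7:1503",
] + [
    f"udp 208.175.112.70:{1100 + i} 192.168.2.40:1100 203.0.113.{i}:1434 203.0.113.{i}:1434"
    for i in range(1, 41)
]


def parse_translations(lines):
    """Return dynamic (port-bearing) translations. The header and static '---'
    rows are skipped because they say nothing about table growth."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] == "---":
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = parts
        inside_host, _, _ = inside_local.rpartition(":")
        outside_host, _, outside_port = outside_global.rpartition(":")
        rows.append(Translation(proto, inside_host, outside_host, int(outside_port)))
    return rows


def summarize(rows):
    """Per inside host: translation count, distinct outside hosts, and how
    often each (proto, outside port) pair occurs."""
    per_host = defaultdict(lambda: {"count": 0, "dests": set(), "ports": Counter()})
    for r in rows:
        stats = per_host[r.inside_host]
        stats["count"] += 1
        stats["dests"].add(r.outside_host)
        stats["ports"][(r.proto, r.outside_port)] += 1
    return per_host


def flag_suspicious(per_host, max_per_host=50, fanout=20):
    """Thresholds are assumptions for illustration: max_per_host sits below the
    router's 'ip nat translation max-entries 100' so one host cannot own most of
    the table; fanout catches one host reaching many destinations on one port."""
    findings = []
    for host, stats in sorted(per_host.items()):
        if stats["count"] > max_per_host:
            findings.append((host, f"{stats['count']} translations, near the table limit"))
        (proto, port), hits = stats["ports"].most_common(1)[0]
        if hits >= fanout and len(stats["dests"]) >= fanout:
            findings.append(
                (host, f"{hits} {proto} flows to {len(stats['dests'])} hosts on port {port}")
            )
    return findings


if __name__ == "__main__":
    for host, reason in flag_suspicious(summarize(parse_translations(SAMPLE_SHOW_NAT))):
        print(f"{host}: {reason}")
```

On the constructed sample the two NetMeeting flows from 192.168.2.9 (ports 1720 and 1503) pass unremarked, while 192.168.2.40 is reported for its UDP/1434 fan-out. Against a real router, paste the command output in place of the sample list; a host that keeps reappearing after translations are cleared is the one to pull off the wire.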
PopeyediceclayAuthor Commented:
Hehe, actually it was an SQL worm (port 1434) that was sending crazy outbound traffic from one of my users' PCs. But that's gone now, and I'm still 'effed'. What will that access-list do? Was that to stop the virus from getting through?
PopeyediceclayAuthor Commented:
Well, here's my config; it's pretty basic. I swapped the class B portion of the publics with 208.175 where necessary. Also, did I set up the DHCP right? It keeps flashing errors in HyperTerminal.

Using 2295 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco1720
!
enable password *************
!
!
!
!
!
ip subnet-zero
no ip finger
ip name-server **.**.**.**
ip name-server **.**.**.**
no ip dhcp conflict logging
ip dhcp database ftp://127.0.0.1/dhcp
ip dhcp database dhcp
ip dhcp excluded-address 192.168.2.1 192.168.2.79
ip dhcp excluded-address 192.168.2.90 192.168.2.255
!
ip dhcp pool 1
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server **.**.**.** **.**.**.**
   lease 0 1
!
!
!
!
interface Serial0
 description connected to Internet
 ip address 208.175.114.118 255.255.255.252
 ip nat outside
 encapsulation ppp
 service-module t1 remote-alarm-enable
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 speed auto
!
router rip
 version 2
 passive-interface Serial0
 network 192.168.2.0
 no auto-summary
!
ip nat translation max-entries 100
ip nat pool Cisco1720-natpool-1 208.175.112.66 208.175.112.94 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1720-natpool-1 overload
ip nat inside source static 192.168.2.66 208.175.112.69
ip nat inside source static 192.168.2.10 208.175.112.94
ip nat inside source static 192.168.2.57 208.175.112.68
ip nat inside source static 192.168.2.56 208.175.112.67
ip nat inside source static 192.168.2.89 208.175.112.89
ip nat inside source static 192.168.2.88 208.175.112.88
ip nat inside source static 192.168.2.87 208.175.112.87
ip nat inside source static 192.168.2.86 208.175.112.86
ip nat inside source static 192.168.2.85 208.175.112.85
ip nat inside source static 192.168.2.84 208.175.112.84
ip nat inside source static 192.168.2.83 208.175.112.83
ip nat inside source static 192.168.2.82 208.175.112.82
ip nat inside source static 192.168.2.80 208.175.112.80
ip nat inside source static 192.168.2.81 208.175.112.81
ip nat inside source static 192.168.2.9 208.175.112.66
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server
!
access-list 1 permit 192.168.2.0 0.0.0.255
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password ************
 login
 transport input none
line aux 0
line vty 0 4
 password ************
 login
!
end
lrmooreCommented:
I think you need to get rid of this line:

ip dhcp database ftp://127.0.0.1/dhcp

Also, if you're doing both dynamic and static nat, you should deny your statics from using the dynamic:

access-list 1 deny host 192.168.2.10
access-list 1 deny host 192.168.2.9
access-list 1 deny host 192.168.2.66
<etc>
access-list 1 permit 192.168.2.0 0.0.0.255

These are minor issues, and there is no reason for you to be experiencing the symptoms you have, except for the possibility of being infected by the worms.
The access-list was to prevent the worm from overwhelming your router cpu with translations, long enough for you to get a handle on what was going on.


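Both of lrmoore's points about the posted config can be checked mechanically: static translations whose public address also sits inside the range the dynamic pool hands out (the `(public).94` case raised earlier), and static-mapped inside hosts that access-list 1 still permits into dynamic NAT. The audit below is an added example, not from this thread or from Cisco; it understands only the `ip nat pool`, `ip nat inside source list ... pool`, `ip nat inside source static` and standard `access-list` forms that appear in the config above, evaluates the ACL with IOS semantics (first match wins, implicit deny at the end), and emits the `deny host` lines lrmoore suggests. The config excerpt is constructed from the statements in the posted config.

```python
"""Audit Cisco IOS NAT statements for statics overlapping the dynamic pool and
for statics the dynamic-NAT ACL still permits. Added example, not from the
thread; only the statement forms in the posted config are understood.
"""
import ipaddress
import re

# Constructed excerpt built from the statements in the config posted above.
SAMPLE_CONFIG = """\
ip nat pool Cisco1720-natpool-1 208.175.112.66 208.175.112.94 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1720-natpool-1 overload
ip nat inside source static 192.168.2.66 208.175.112.69
ip nat inside source static 192.168.2.10 208.175.112.94
ip nat inside source static 192.168.2.9 208.175.112.66
ip nat inside source static 192.168.2.88 208.175.112.88
access-list 1 permit 192.168.2.0 0.0.0.255
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+$")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\d+) pool (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
# Standard ACL entries only: 'permit|deny [host] A.B.C.D [wildcard]' or 'any'.
ACL_RE = re.compile(
    r"^access-list (\d+) (permit|deny) (host )?(any|\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?$"
)


def parse_nat_config(text):
    pools, dynamic, statics, acls = {}, [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, start, end = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif m := DYNAMIC_RE.match(line):
            dynamic.append((m.group(1), m.group(2)))  # (ACL number, pool name)
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := ACL_RE.match(line):
            acl_id, action, host_kw, addr, wildcard = m.groups()
            acls.setdefault(acl_id, []).append((action, host_kw is not None, addr, wildcard))
    return pools, dynamic, statics, acls


def acl_entry_matches(entry, ip):
    _action, is_host, addr, wildcard = entry
    if addr == "any":
        return True
    base = int(ipaddress.ip_address(addr))
    if is_host or wildcard is None:
        return int(ip) == base
    wc = int(ipaddress.ip_address(wildcard))  # IOS wildcard: 1 bits are "don't care"
    return (int(ip) & ~wc) == (base & ~wc)


def acl_denies(entries, ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in entries:
        if acl_entry_matches(entry, ip):
            return entry[0] == "deny"
    return True


def statics_inside_dynamic_pool(pools, dynamic, statics):
    """(inside, global, pool) for statics whose global address a dynamic pool can hand out."""
    hits = []
    for _acl_id, pool_name in dynamic:
        if pool_name in pools:
            start, end = pools[pool_name]
            hits += [(str(i), str(g), pool_name) for i, g in statics if start <= g <= end]
    return hits


def statics_not_denied(dynamic, statics, acls):
    """(ACL, inside host) for static-mapped hosts the dynamic-NAT ACL still permits."""
    return [(acl_id, str(inside))
            for acl_id, _pool in dynamic
            for inside, _g in statics
            if not acl_denies(acls.get(acl_id, []), inside)]


def suggested_denies(missing):
    """The deny lines lrmoore recommends; they must precede the ACL's permit."""
    return [f"access-list {acl_id} deny host {host}" for acl_id, host in missing]


def audit(text):
    pools, dynamic, statics, acls = parse_nat_config(text)
    missing = statics_not_denied(dynamic, statics, acls)
    return {
        "statics_in_pool": statics_inside_dynamic_pool(pools, dynamic, statics),
        "statics_not_denied": missing,
        "suggested": suggested_denies(missing),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the excerpt, every static lands in both reports, because the pool .66 to .94 covers all the static globals and access-list 1 permits the whole /24. Inserting the suggested `deny host` lines ahead of the permit empties the second report; the first can only be cleared by moving either the statics or the pool out of each other's range.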
bbaoIT ConsultantCommented:
Popeyediceclay, I am not sure if you have noticed what lrmoore recommended: "If you have a 1-1 static nat, no firewall features enabled, and no access-list". It is right and you'd better consider it. To use NetMeeting, you don't need 1-1 static NAT with its risk. As I mentioned in my first post, just use NAT with a few ports forwarded; that is enough.

Just list the inbound ports you should open for NetMeeting's incoming calls. For outgoing calls, you don't need to open ANY inbound ports if you have NO access control for outgoing traffic.

port 1503, for T.120 (TCP)
port 1720, for H.323 call setup (TCP)
Dynamic   H.323 call control (TCP)
Dynamic   H.323 streaming [Realtime Transport Protocol (RTP) over User Datagram Protocol (UDP)]

If your Cisco router supports Application Mapping, it is easier than using a simple ACL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfpam.htm

For more information, see "How to Establish NetMeeting Connections Through a Firewall":
http://support.microsoft.com/?id=kb;en-us;158623

hope it helps,
bbao
PopeyediceclayAuthor Commented:
It must be either the router or the switch. I think I'll get a different switch and if that doesn't work I'll dump the NAT and just use the publics. Points were split. Thanks guys.
PopeyediceclayAuthor Commented:
Oh, one last thing. I ran a packet sniffer on the server and tried the NetMeeting connection again. The two bounced connections back and forth on port 1720, which tells me that it's translating, but the NetMeeting connection was immediately denied anyway. What's that tell you?
bbaoIT ConsultantCommented:
Since all ports above 1024 are free to be used by applications, it is possible that the caller calls from port 1720 to another NetMeeting user on port 1720. But if this keeps happening, even after you reboot or start other network applications, then we should study the reason.
PopeyediceclayAuthor Commented:
I'm not sure what it was, bbao. All I know is this - I swapped the hub, still no go. I reconfigured my whole router and perimeter servers to use public addresses and now EVERYTHING works great, including NetMeeting. It had to be something I didn't know how to enable in the router, or maybe it wasn't supposed to ever work with static NAT (not port translation). The few times I got it to work with static must have been a fluke.