Solved

NAT and port access

Posted on 2004-08-21
Last Modified: 2011-09-20
I have some remote IP phones offsite.  I am having trouble connecting through the router to the phone system.
The port range is crazy for the phones.  What can I add to my config to allow the phone to connect?  A new ACL, and if so, what?  Really need help as I am stuck.

Here is part of my config


!
ip nat inside source list 123 interface Serial0 overload
ip nat inside source static tcp 192.168.0.30 1024 216.x.x.x 1024 extendable
ip nat inside source static tcp 192.168.0.30 1025 216.x.x.x 1025 extendable
ip nat inside source static tcp 192.168.0.30 1026 216.x.x.x 1026 extendable
ip nat inside source static tcp 192.168.0.30 1027 216.x.x.x 1027 extendable
ip nat inside source static tcp 192.168.0.30 1028 216.x.x.x 1028 extendable
ip nat inside source static tcp 192.168.0.30 1029 216.x.x.x 1029 extendable
ip nat inside source static tcp 192.168.0.30 1030 216.x.x.x 1030 extendable
ip nat inside source static tcp 192.168.0.30 1031 216.x.x.x 1031 extendable
ip nat inside source static tcp 192.168.0.30 1032 216.x.x.x 1032 extendable
ip nat inside source static tcp 192.168.0.30 1033 216.x.x.x 1033 extendable
ip nat inside source static tcp 192.168.0.30 1034 216.x.x.x 1034 extendable
ip nat inside source static tcp 192.168.0.30 1035 216.x.x.x 1035 extendable
ip nat inside source static tcp 192.168.0.30 1036 216.x.x.x 1036 extendable
ip nat inside source static tcp 192.168.0.30 1037 216.x.x.x 1037 extendable
ip nat inside source static tcp 192.168.0.30 1038 216.x.x.x 1038 extendable
ip nat inside source static tcp 192.168.0.30 1039 216.x.x.x 1039 extendable
ip nat inside source static tcp 192.168.0.30 1040 216.x.x.x 1040 extendable
ip nat inside source static tcp 192.168.0.30 1719 216.x.x.x 1719 extendable
ip nat inside source static tcp 192.168.0.30 1720 216.x.x.x 1720 extendable
ip nat inside source static tcp 192.168.0.30 6100 216.x.x.x 6100 extendable

ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
ip http authentication local
ip http secure-server
!
!
!
logging trap debugging
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 110 deny   ip 192.168.0.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 110 deny   ip host 192.168.0.205 any
access-list 110 deny   ip host 192.168.0.30 any
access-list 110 deny   ip host 192.168.0.31 any
access-list 110 deny   ip host 192.168.0.2 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.205 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.30 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.31 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255

no cdp run
!
route-map nonat1 permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
route-map nonat permit 10
 match ip address 110
!
Question by:tangofniro
LVL 43

Expert Comment

by:JFrederick29
Are you connecting to the phone system through the Internet? Leased line? VPN?

Is your phone system 192.168.0.30?  If through the Internet, do you have a second public IP address available to do a one to one NAT for the phone system instead of trying to port forward numerous ports?

Author Comment

by:tangofniro
I connect back to the phone switch via the internet.  The phone system is 192.168.0.30.  I do have an IP I could use instead of the port forwarding.  I tried it but it did not work either.  Could be in my config.   If I need to go back to the NAT I will gladly do that.  The PAT would just be a feeble attempt.


thanks
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
As well as the static NAT, are you permitting the necessary ports in an access-list? What access-list do you have applied on your Serial0 interface?

To rule out an access-list, you could add the following to the top of the access-list applied inbound on your Serial0 interface:

access-list x permit ip any host 216.x.x.x  <---use the public IP address of the static NAT assigned to the phone system.

Use it as a temporary test as it leaves your system wide open.

Author Comment

by:tangofniro
The access lists I have are the ones you see in my config.

I will add access-list x permit ...   and see if that works.

I will not be able to test the phone until tonight.


Any other thoughts if this does not work?

Thank you so much for your help.

will
LVL 43

Expert Comment

by:JFrederick29
I see your access-lists but you didn't post your Serial0 interface configuration so I can't see what list number is applied to that interface.  Which access-list number is applied on your Serial0 interface?

Author Comment

by:tangofniro
Here is what I have now.
I could have something screwed up though.



interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 ip tcp adjust-mss 1380
 ip policy route-map nonat1
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet1
 switchport mode trunk
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet3
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet4
 no ip address
 shutdown
 no cdp enable
!
interface Serial0
 description USLEC T1
 ip address 199.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map rpvpn
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
ip nat inside source list 123 interface Serial0 overload
ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source static 192.168.0.30 216.x.x.x extendable
ip nat inside source static 192.168.0.31 216.x.x.x extendable
ip nat inside source static 192.168.0.205 216.x.x.x extendable
ip nat inside source static 192.168.0.2 216.x.x.x extendable
ip classless
ip route 0.0.0.0 0.0.0.0 199.x.x.x
no ip http server
ip http authentication local
ip http secure-server
!
!
!
logging trap debugging
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 110 deny   ip 192.168.0.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 110 deny   ip host 192.168.0.205 any
access-list 110 deny   ip host 192.168.0.30 any
access-list 110 deny   ip host 192.168.0.31 any
access-list 110 deny   ip host 192.168.0.2 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.205 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.30 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.31 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255
access-list 123 permit ip any host 216.x.x.x
no cdp run
!
route-map nonat1 permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
route-map nonat permit 10
 match ip address 110
!
!
LVL 43

Expert Comment

by:JFrederick29
I know I've asked this before, but just for clarification, is the phone on the Internet, or is it at a remote site connected by your VPN through the Internet?

Author Comment

by:tangofniro
The phone is through the internet.  I have a bunch of phones at a remote site connected and working via a VPN, but this phone is just going through the net, no VPN.
LVL 43

Expert Comment

by:JFrederick29
In that case, all you should need is the static NAT for the phone to reach the phone system.  On the other end, where the phone resides, is it behind a NAT device also?  If connections are being initiated from the phone system to the phone, port forwarding or a static NAT will need to be used on that end as well.

Author Comment

by:tangofniro
I tried the static NAT to begin with, to no avail.  That is why I tried to use PAT.  Are you sure that the static NAT is all I need?   I will try the ACL allow-all when I get to the phone tonight.
The phone is plugged directly into a cable modem.  The phone switch can see the phone trying to connect, but no audio.   I have to imagine that some ports are being blocked by my router; I just don't know why.

thanks,
will
LVL 43

Expert Comment

by:JFrederick29
Okay, use the static NAT and try the access-list mentioned to see if it works.  If it does, you can get more restrictive on the ports allowed.

access-list 130 permit ip any host 216.x.x.x
access-list 130 permit ip any any

interface serial0
ip access-group 130 in

Author Comment

by:tangofniro
OK will try these tonight.  I will let you know.
Thanks for the help.

Author Comment

by:tangofniro
Tried it.  I can connect to the phone system, I can hear people and place calls, but they can not hear me.  Any more suggestions?

I added access-list 123 ip any host 216.x.x.x    to my config.  I did not add


int s0
ip access-group 123 in

Had it in for a bit but pulled it.
LVL 43

Expert Comment

by:JFrederick29
You did not add:

int s0
ip access-group 123 in

Is that right?  Without adding that, the access-list you created is useless.

Also, make sure to add a second line to access-list 123 for testing purposes:

access-list 123 permit ip any any

This will allow all other traffic to flow as well.

Not sure what else to try if all traffic is making it through the router to the phone system.

Author Comment

by:tangofniro
Are you sure adding the ACL to the s0 int will not affect my current ones?  I don't want to screw up my VPN.
I will try though.
LVL 43

Expert Comment

by:JFrederick29
Yes, as long as you add the "access-list 123 permit ip any any" after your first statement it won't affect it.  If something happens, use the "no ip access-group 123 in" command on the interface to remove it.

Author Comment

by:tangofniro
I added the commands while I was here, but it shut down my internet connection for anything not NAT'd.  Anything that I had tied to an outside IP could still get out, but my LAN traffic was blocked from the net.

Author Comment

by:tangofniro
Tried it again: when the command   access-list 123 permit ip any any   is added, I can not get out to the internet.

Any suggestions?
LVL 43

Expert Comment

by:JFrederick29
Never mind the access-list, it shouldn't make a difference.  I'm stumped :(

Seems like traffic is making it to your phone system...

Author Comment

by:tangofniro
Certain traffic is, but nobody can hear me.  Some port has to be blocked???
I'm stumped too.
LVL 43

Expert Comment

by:JFrederick29
Oh by the way, I just noticed that you added the new access-list statements to the existing statement used in your nonat route map (123).  This is why it broke your internet connection.  I wanted you to add a brand new access-list, access-list 130 and add that to your serial0 interface.
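Why appending the test line to ACL 123 broke LAN internet access can be shown with a small model of IOS first-match ACL evaluation. This is an added example, not code from the thread; it assumes, as in the posted config, that ACL 123 is still referenced by route-map nonat1, so any packet that newly matches it gets policy-routed to next-hop 1.1.1.2 instead of following the default route.

```python
import ipaddress

# Constructed sample: ACL 123 exactly as posted (used by route-map nonat1 for
# policy routing) and the variant after "permit ip any any" was appended to it.
ACL_123_ORIGINAL = """
access-list 123 permit ip host 192.168.0.205 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.30 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.31 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255
"""
ACL_123_BROKEN = ACL_123_ORIGINAL + "access-list 123 permit ip any any\n"


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        entries.append((parts[2], src, dst))
    return entries


def acl_matches(entries, src_ip, dst_ip):
    """First-match semantics; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


def policy_routed(acl_text, src_ip, dst_ip):
    """True when route-map nonat1 (match ip address 123) would set next-hop 1.1.1.2."""
    return acl_matches(parse_acl(acl_text), src_ip, dst_ip)


if __name__ == "__main__":
    # A plain LAN host browsing the internet: unaffected before, hijacked by PBR after.
    for label, acl in (("original", ACL_123_ORIGINAL), ("with permit any any", ACL_123_BROKEN)):
        print(label, "-> LAN host to internet policy-routed:",
              policy_routed(acl, "192.168.0.50", "8.8.8.8"))
```

The same check run against a separate, unreferenced list such as ACL 130 would not change any forwarding decision, which is why the expert asked for a new list number rather than a new line in 123.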

Author Comment

by:tangofniro
Sorry, I will try the 130.

Author Comment

by:tangofniro
Tried the 130 ACLs and added the access-group to s0.

No audio can be heard from my phone?

I am confused as to what it could be.
LVL 43

Expert Comment

by:JFrederick29
Does the phone have a static IP address? If so, you may want to try adding the following to access-list 110:

access-list 110 permit ip host 192.168.0.30 host <address of phone>

It doesn't look like traffic destined to the phone is being NAT'ed and therefore not reaching the phone, hence the one way call.

Author Comment

by:tangofniro
The phone has no static address.  These IP phones will be in homes and remote offices that have no static address.
The phone will place a call and can see the system, but the audio is just not there for people to hear me.

thanks for your continuing help JFrederick



will
LVL 43

Expert Comment

by:JFrederick29
Have you tried a working phone in place of the one that has problems?  Are the other homes up and running?

Author Comment

by:tangofniro
This phone was pulled from the main office, where it was working great on the local LAN, no problem.  I pulled it from here and sent it home, and now I have the audio problems.
This is the first of many that I want to deploy.

Author Comment

by:tangofniro
I am posting basically my entire config to see if I have anything wrong.
I want every port going to 192.168.0.130 to be open.  Have I done anything wrong?
I have multiple IP addresses, so every address tied to an internal address is different.
Do I need to drop some of my ACLs?
Help!  Becoming very frustrated at my own ineptitude at this problem.


no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool MainScope
   network 192.168.0.0 255.255.255.0
   domain-name rpprop
   dns-server 4.2.2.1
   default-router 192.168.0.1
!
!
ip domain name x.com
ip name-server 4.2.2.1
ip name-server 4.2.2.2
no ip bootp server
no ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 1234 address 199.x.x.x
crypto isakmp keepalive 20 10
!
!
crypto ipsec transform-set rpvpn esp-des esp-md5-hmac
!
crypto map rpvpn 10 ipsec-isakmp
 set peer 199.x.x.x
 set transform-set rpvpn
 match address 101
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 ip tcp adjust-mss 1380
 ip policy route-map nonat1
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet1
 switchport mode trunk
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet3
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet4
 no ip address
 shutdown
 no cdp enable
!
interface Serial0
 description USLEC T1
 ip address 199.x.x.x 255.255.255.252
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map rpvpn
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source static 192.168.0.30 216.x.x.x extendable
ip nat inside source static 192.168.0.31 216.x.x.x extendable
ip nat inside source static 192.168.0.205 216.x.x.x extendable
ip nat inside source static 192.168.0.2 216.x.x.x extendable
ip classless
ip route 0.0.0.0 0.0.0.0 199.x.x.x
no ip http server
ip http authentication local
ip http secure-server
!
!
!
logging trap debugging
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 110 deny   ip 192.168.0.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 110 deny   ip host 192.168.0.205 any
access-list 110 deny   ip host 192.168.0.30 any
access-list 110 deny   ip host 192.168.0.31 any
access-list 110 deny   ip host 192.168.0.2 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.205 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.30 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.31 172.168.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.2 172.168.1.0 0.0.0.255
access-list 130 permit ip any host 216.x.x.x
access-list 130 permit ip any any
no cdp run
!
route-map nonat1 permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
route-map nonat permit 10
 match ip address 110
!
!
control-plane
LVL 43

Expert Comment

by:JFrederick29
>I want every port going to 192.168.0.130 to be open.

Did you mean 192.168.0.30? I'm assuming you did but just checking.

Your configuration looks correct.  Your ACL's are fine.  Your static NAT is fine assuming the phone system really is 192.168.0.30.  Your routing is correct.  I don't know what else to try, everything looks correct!!! (frustrated).

You may want to open a ticket with Cisco TAC if possible as all my knowledge has been exhausted.

Author Comment

by:tangofniro
Well, it was the phone guys' fault.  They have a setting in the system to set whether the phone ID is private or public.  It is now set to public and is working great.
Thank you for all of your help.
BTW, the access-group on the serial int shuts down internal LAN access to the internet, so I did not put that in.

-will