Solved

Trouble with static NAT

Posted on 2004-11-30
Last Modified: 2006-11-17
I have a block of 12 public IPs (*.*.*.130 through *.*.*.142) and I am trying to do the following:

1)  Configure dynamic NAT to overload public IP *.*.*.130 for all outbound initiated traffic (DONE)
2)  Permit only smtp, www, ftp, and icmp outbound traffic (DONE - I think)
3)  Configure static NAT to move inbound port 80 traffic on *.*.*.131 to my internal web server 10.0.0.7  (HELP!)

Problem 1:  Can only ping *.*.*.130 from internal private computer.  When I try to ping the rest of my block of addresses I get "TTL expired in transit".  But I can ping all 12 addresses from the internet.

Problem 2:  No web services available when I try to visit http://*.*.*.131, I get standard "page cannot display" error

Here is my config:
 
  Current configuration : 1286 bytes
  !
  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  !
  hostname MPOE1
  !
  boot-start-marker
  boot-end-marker
  !
  enable secret 5 ************
  !
  mmi polling-interval 60
  no mmi auto-configure
  no mmi pvc
  mmi snmp-timeout 180
  no aaa new-model
  ip subnet-zero
  ip cef
  !
  !
  !
  ip name-server *.*.*.*
  ip name-server *.*.*.*
  no ftp-server write-enable
  !
  !
  !
  !
  interface FastEthernet0/0
   ip address 10.0.0.2 255.255.255.0
   ip nat inside
   speed auto
  !
  interface Serial0/0
   ip address *.*.*.130 255.255.255.240
   ip nat outside
   encapsulation ppp
   fair-queue
   service-module t1 timeslots 1-24
  !
  ip nat pool pool1 *.*.*.130 *.*.*.130 prefix-length 24
  ip nat inside source list 1 pool pool1 overload
  ip nat inside source static tcp 10.0.0.7 80 *.*.*.131 80 extendable
  ip classless
  ip route 0.0.0.0 0.0.0.0 Serial0/0
  ip route 10.0.0.0 255.255.255.0 FastEthernet0/0
  no ip http server
  !
  access-list 1 deny   10.0.0.7
  access-list 1 permit 10.0.0.0 0.0.0.255
  access-list 101 permit tcp any any eq smtp
  access-list 101 permit tcp any any eq www
  access-list 101 permit tcp any any eq ftp
  access-list 101 permit icmp any any
  access-list 101 deny   ip any any
  !
  line con 0
  line aux 0
  line vty 0 4
  !
  !
  end
Question by:clayperez
LVL 28

Expert Comment

by:mikebernhardt
ID: 12711784
You still need to use dynamic nat for your web server or it won't be able to do anything other than NAT on the internet. Try this. This will mean that web is always on x.x.x.131 but anything else will use 130. And you still have a bunch of addresses for other things you may need later. Unless you have the T1 pegged, a single overload address should be more than enough UDP/TCP ports for your users.

ip nat inside source list 1 interface Serial0/0  overload
ip nat inside source static tcp 10.0.0.7 80 *.*.*.131 80 extendable
access-list 1 permit 10.0.0.0 0.0.0.255

You're not currently using access list 101... which is good right now because it would break your connectivity depending where you put it.
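The warning about access-list 101 above is worth seeing concretely. The list as posted matches only on the destination port, so the web server's own SYN-ACKs (destination port = the outside client's ephemeral port) fall through to "deny ip any any" whether the list is applied with "ip access-group 101 out" on Serial0/0 or "in" on FastEthernet0/0; both placements see that reply. The following is an added example, not code from the original post or from the poster: a minimal model of a stateless extended IOS-style ACL with first-match semantics and the implicit deny, evaluated against constructed sample packets. The port numbers come from the posted list and 10.0.0.7 from the post; 10.0.0.50 and the documentation address 198.51.100.9 are assumptions standing in for an inside user and an outside host. The "established" keyword (real IOS syntax, matching TCP segments with ACK or RST set) is shown as the stateless way to let replies back through.

```python
"""Evaluate the question's access-list 101 against sample packets.

Added example, not code from the original post: a minimal model of a
stateless extended IOS-style ACL with first-match semantics and the
implicit deny, used to show why list 101 as written blocks the web
server's own replies wherever it is applied, and how an 'established'
entry (IOS keyword for TCP segments with ACK or RST set) lets them
through.  The sample packets are constructed; the ports come from the
posted list, 10.0.0.7 from the post, and 198.51.100.9 is a
documentation address standing in for an outside host.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK (or RST) bit set: belongs to an existing session


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "icmp" or "ip" (any protocol)
    eq_dport: int | None = None  # 'eq <port>' on the destination port
    established: bool = False    # 'established' keyword (TCP only)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.eq_dport is not None and p.dport != self.eq_dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list[Ace], p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# access-list 101 exactly as posted (port numbers for the keywords)
ACL_101 = [
    Ace("permit", "tcp", eq_dport=25),   # permit tcp any any eq smtp
    Ace("permit", "tcp", eq_dport=80),   # permit tcp any any eq www
    Ace("permit", "tcp", eq_dport=21),   # permit tcp any any eq ftp
    Ace("permit", "icmp"),               # permit icmp any any
    Ace("deny", "ip"),                   # deny ip any any
]

# same list with 'permit tcp any any established' placed first
ACL_101_WITH_ESTABLISHED = [Ace("permit", "tcp", established=True)] + ACL_101

# constructed traffic: an inside user browsing out, the web server's
# SYN-ACK to an outside client, and an inside user trying ssh out
USER_HTTP = Packet("tcp", "10.0.0.50", 40001, "198.51.100.9", 80)
WEB_REPLY = Packet("tcp", "10.0.0.7", 80, "198.51.100.9", 52000, ack=True)
USER_SSH = Packet("tcp", "10.0.0.50", 40002, "198.51.100.9", 22)


def acl_101_results(acl: list[Ace] | None = None) -> dict[str, str]:
    """Verdict per sample packet.  The web server's reply carries an
    ephemeral destination port, so the as-posted list denies it."""
    acl = ACL_101 if acl is None else acl
    return {
        "user_http": evaluate(acl, USER_HTTP),
        "web_reply": evaluate(acl, WEB_REPLY),
        "user_ssh": evaluate(acl, USER_SSH),
    }


if __name__ == "__main__":
    print("as posted:        ", acl_101_results())
    print("with established: ", acl_101_results(ACL_101_WITH_ESTABLISHED))
```

Two caveats a practitioner would add. First, "established" only checks TCP flag bits; it is not session state, so anyone can push ACK-flagged segments through it to probe inside hosts, and the proper control on a router of this era is reflexive ACLs or CBAC (or a separate firewall) rather than a flag test. Second, the as-posted list has no udp entry at all, so applied outbound it would also drop the inside users' DNS queries, which is another reason it would "break connectivity" as the comment says.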

Author Comment

by:clayperez
ID: 12711874
I made the modifications you recommended and now my config looks like the following.  But I still cannot access my webserver by pointing an external client to http://*.*.*.131

I don't get the "page not displayed" message immediately - it takes a full 15+ seconds before it displays.
Any other tips?

.....new config changes read:  

ip nat pool pool1 216.31.251.130 216.31.251.130 prefix-length 24
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.0.0.7 80 216.31.251.131 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.0.0.0 255.255.255.0 FastEthernet0/0
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
!
end
LVL 28

Expert Comment

by:mikebernhardt
ID: 12719568
You don't need this line because the line after NATs everything to the serial interface address anyway. Try removing it and then test again, just for fun.
ip nat pool pool1 216.31.251.130 216.31.251.130 prefix-length 24

Incidentally, you don't need this either
ip route 10.0.0.0 255.255.255.0 FastEthernet0/0

The router already knows about this subnet, it's directly connected. If you do a "show ip route" you'll see that the subnet is "C" for connected, not "S" for static, because it prefers a connected route over a static one anyway.

Author Comment

by:clayperez
ID: 12721005
Still nothing.  I feel like I'm doing everything right.  Let me disclose this:  Port FastEthernet0/0 is plugged directly into a 16 port linksys HUB which is in turn connected to a 3300XM switch where the rest of the devices on the network are connected.  All of the devices on the network currently get their 10.0.0.x address from DHCP on the domain controller.  The gateway is 10.0.0.1 and NOT the cisco router which is 10.0.0.2 (while configuring).  I can get out to the internet through the router from the single device that I have statically configured to use 10.0.0.2 as the gateway, but I still cannot get to the webserver through the *.*.*.131.

Is it possible that I need to somehow specifically assign each address in the pool of 12 to the serial0/0 interface?  Or is this done automatically by the line "IP ADDRESS *.*.*.130 255.255.255.240"?

Here is my current config as of this conversation per your recommendations, however the behavior has not changed.




Current configuration : 955 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MPOE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip name-server *.*.*.17
ip name-server *.*.*.18
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0/0
 ip address *.*.*.130 255.255.255.240
 ip nat outside
 encapsulation ppp
 fair-queue
 service-module t1 timeslots 1-24
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.0.0.7 80 *.*.*.131 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
!
end

LVL 28

Expert Comment

by:mikebernhardt
ID: 12730674
It certainly looks like it should work. Let's use some debug info to help us. In config mode, add this access list for now:

access-list 99 permit host *.*.*.131
access-list 99 permit host 10.0.0.7
access-list 99 permit [the address you're testing from]
end

terminal monitor (if you're telnetting, not needed on the console)
debug ip nat 99 detailed

Now do your http test and capture the debug output. Post some of it here and we'll see what's going on.  When you've got some data, type "undebug all" to end it.

Author Comment

by:clayperez
ID: 12731101
I figured out what the problem was.

Currently because I am in transition mode, the network is set up to still use the primary gateway of 10.0.0.1.  But I have configured this new router on the network as 10.0.0.2.  Because I did not change the default gateway on the web server, it was not responding to incoming requests that came through 10.0.0.2 - it was still trying to respond to 10.0.0.1.  I created a static route from an assistant's computer on the web server and it worked.   This means all I need to do is change the default gateway on the web server (and all other public service hosts) when I make the transition.

Thanks for working on troubleshooting this for me.  Unfortunately it was something that was unrelated to the router config.

Regards,
Carlos

LVL 28

Accepted Solution

by:
mikebernhardt earned 750 total points
ID: 12731281
That makes sense.
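The author's diagnosis is the classic asymmetric-return-path failure with inside-source NAT: the static entry rewrites the inbound SYN's destination to 10.0.0.7, but the server's SYN-ACK goes to its configured default gateway, and only the router that holds the translation can rewrite the source back to *.*.*.131. The following is an added example, not code from the original thread or from either participant: a small model of the router's two NAT rules (the static tcp entry and "interface Serial0/0 overload") plus an inside host's gateway choice, traced for both gateway settings. 10.0.0.0/24, 10.0.0.1, 10.0.0.2 and 10.0.0.7 are from the post; the public block is replaced by the documentation range 203.0.113.0/28, and 10.0.0.50 and 198.51.100.9 are constructed stand-ins for an inside user and an outside client.

```python
"""Model of the thread's NAT path and of the author's final diagnosis.

Added example, not code from the original post: a small model of the
router's inside-source NAT (the static tcp entry for 10.0.0.7:80 and the
'interface Serial0/0 overload' rule) plus an inside host's choice of
default gateway, showing that a reply from a server whose gateway is not
the NAT router is never un-translated.  10.0.0.0/24, 10.0.0.1, 10.0.0.2
and 10.0.0.7 are from the post; 203.0.113.0/28 stands in for the public
block and 198.51.100.9 / 10.0.0.50 are constructed hosts.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
import ipaddress

OUTSIDE_IF = "203.0.113.130"   # stands in for *.*.*.130 on Serial0/0
WEB_GLOBAL = "203.0.113.131"   # stands in for *.*.*.131
WEB_LOCAL = "10.0.0.7"
NAT_ROUTER = "10.0.0.2"        # FastEthernet0/0 in the posted config
OLD_GATEWAY = "10.0.0.1"       # gateway the DHCP clients still receive
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
CLIENT = "198.51.100.9"        # constructed outside client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """ip nat inside source static tcp 10.0.0.7 80 <global> 80 extendable
    ip nat inside source list 1 interface Serial0/0 overload"""

    def __init__(self) -> None:
        self.static = {(WEB_LOCAL, 80): (WEB_GLOBAL, 80)}
        self.static_rev = {g: l for l, g in self.static.items()}
        self.pat = {}        # (local ip, local port) -> global port on OUTSIDE_IF
        self.pat_rev = {}    # global port -> (local ip, local port)
        self.next_port = 1024

    def inside_to_outside(self, p: Packet) -> Packet:
        """Rewrite the source: static entry first, otherwise allocate a PAT port."""
        key = (p.src, p.sport)
        if key in self.static:
            gip, gport = self.static[key]
            return replace(p, src=gip, sport=gport)
        if key not in self.pat:
            self.pat[key] = self.next_port
            self.pat_rev[self.next_port] = key
            self.next_port += 1
        return replace(p, src=OUTSIDE_IF, sport=self.pat[key])

    def outside_to_inside(self, p: Packet) -> Packet | None:
        """Rewrite the destination; None means no entry, so the packet is dropped."""
        key = (p.dst, p.dport)
        if key in self.static_rev:
            lip, lport = self.static_rev[key]
            return replace(p, dst=lip, dport=lport)
        if p.dst == OUTSIDE_IF and p.dport in self.pat_rev:
            lip, lport = self.pat_rev[p.dport]
            return replace(p, dst=lip, dport=lport)
        return None


def host_next_hop(dst: str, gateway: str) -> str:
    """An inside host delivers on-link, otherwise hands off to its default gateway."""
    return dst if ipaddress.ip_address(dst) in INSIDE_NET else gateway


def inbound_web_session(server_gateway: str) -> dict:
    """Trace one HTTP SYN from the outside client and the server's SYN-ACK back."""
    router = NatRouter()
    syn = Packet(CLIENT, 52000, WEB_GLOBAL, 80)
    to_server = router.outside_to_inside(syn)      # static entry: .131:80 -> 10.0.0.7:80
    reply = Packet(WEB_LOCAL, 80, CLIENT, 52000)
    hop = host_next_hop(reply.dst, server_gateway)
    if hop == NAT_ROUTER:
        reply = router.inside_to_outside(reply)    # source becomes .131:80 again
    # any other gateway forwards the reply with its private source untouched;
    # the client is waiting for a SYN-ACK from .131:80, so the handshake never completes
    return {
        "server_sees": (to_server.dst, to_server.dport),
        "reply_via": hop,
        "reply_source": (reply.src, reply.sport),
        "client_accepts": (reply.src, reply.sport) == (WEB_GLOBAL, 80),
    }


def outbound_overload() -> dict:
    """An ordinary inside host goes out through the Serial0/0 address (PAT) and back."""
    router = NatRouter()
    out = router.inside_to_outside(Packet("10.0.0.50", 40001, CLIENT, 80))
    back = router.outside_to_inside(Packet(CLIENT, 80, out.src, out.sport))
    return {"global": (out.src, out.sport), "returned_to": (back.dst, back.dport)}


if __name__ == "__main__":
    print("server gateway = NAT router:", inbound_web_session(NAT_ROUTER))
    print("server gateway = old router:", inbound_web_session(OLD_GATEWAY))
    print("overload:", outbound_overload())
```

The model also explains the symptom reported earlier in the thread: the client's browser waits roughly 15 seconds before giving up because its SYN is delivered and simply never answered from the address it sent to, rather than being refused. On the router, "debug ip nat" as suggested above would have shown the inbound translation for the SYN and no matching outbound translation for the reply, which is the quickest way to tell an asymmetric path from a missing NAT entry. When the gateway change is made, every host that is reachable through a static translation needs its default gateway moved to 10.0.0.2 at the same time, and until the old gateway is retired it is worth confirming with "show ip nat translations" that reply traffic is actually creating or matching entries on this router.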