Cisco 4000 NAT

I’ve looked through numerous NAT topics posted on EE.  According to the other articles, it appears I’ve got the configuration correct.  Still not working for me though.  Here’s the situation:

Cisco 4000
E0 is on Comcast
E2 is my internal network.
A FTP server resides at 192.168.3.18:21

Please refer to the pruned config below. I added a static NAT line for the server, but I can’t access the FTP from outside.  The translation also doesn’t appear when I do SH IP NET STAT.

FYI: S0 is a serial link to a 2500 and is for testing purposes only.  It shouldn’t be part of the problem, but I included it anyway.

Ideas?

-----------------------------------

Detroit#sh ru

ip subnet-zero
no ip domain-lookup
ip dhcp excluded-address 192.168.3.1 192.168.3.99
!
ip dhcp pool local
   network 192.168.3.0 255.255.255.0
   dns-server 68.87.64.196 68.42.244.5
   default-router 192.168.3.2
!
interface Ethernet0
 ip address dhcp
 ip nat outside
 media-type 10BaseT
!
interface Ethernet2
 ip address 192.168.3.2 255.255.255.0
 ip nat inside
 media-type 10BaseT
!
interface Serial0
 ip address 172.16.32.1 255.255.224.0
 ip nat inside
 clockrate 500000
!
router eigrp 1
 network 172.16.0.0
 network 192.168.3.0
 auto-summary
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.3.18 21 interface Ethernet0 21
ip classless
ip forward-protocol spanning-tree
no ip http server
!
access-list 1 permit 192.168.3.0 0.0.0.255
!
end

-----------------------------------

Detroit#sh ip nat stat
Total active translations: 21 (0 static, 21 dynamic; 21 extended)
Outside interfaces:
  Ethernet0
Inside interfaces:
  Ethernet2, Serial0
Hits: 6  Misses: 3
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Ethernet0 refcount 20
Detroit#
LVL 1
David BlairAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
It looks like you have all the right pieces, at least for outbound nat. Any problems with surfing the net or anything?

For FTP you also need port 20 for ftp-data..

Try adding this:
ip nat inside source static tcp 192.168.3.18 20 interface Ethernet0 20

And, you must attempt the ftp access from outside the network. You can't access the ftp server from inside host using public IP address..
David BlairAuthor Commented:
Net, aim and all are working fine.  I added the line you suggested and I still can't get FTP to work.

The 4000 is a replacement for a tired old Linksys router.  I simply had the FTP set as the DMZ and everything worked great.  Not sure if that helps.

Also, my FTP spftware is generating "cannot send reply" errors.  (??)

Why can't I use the public IP internally?  Is this a split horizon thing or what?
lrmooreCommented:
>Why can't I use the public IP internally?  Is this a split horizon thing or what?
Because it's a router and you must have separate subnets on each interface of the router.
Your inside LAN is 192.168.3.x
Your FTP server must be 192.168.3.18
Your FTP server default gateway must point to the router 192.168.3.2
David BlairAuthor Commented:
Well I certainly understand that, but there's no reason I couldn't (for testing purposes only) connect to my FTP server using its public IP address.  If the port address translation is in place, I should be able to communicate with the serve.  All traffic would have to go through the ISP's default gateway, and the connection certainly wouldn't be LAN speed, the router shouldn't prevent this.

I still have this problem.  There must be something I'm missing, as the static NATs I've entered are not displayed when I issue a "show IP NAT trans"

Your thoughts?
lrmooreCommented:
>there's no reason I couldn't (for testing purposes only) connect to my FTP server using its public IP address.
Yes there is. Think about the packet travel.
Your test PC is 192.168.3.100
Your server is 192.168.3.18
You send a request to public ip x.x.x.x
Router sees it, but x.x.x.x is me. Let me see what I'm supposed to do with it
Oh, that port is forwarded to 192.168.3.18, both source and destination are same interface, I'm out of the picture now..
server 192.168.3.18 sees packet from 192.168.3.100 and answers
192.168.3.100 is waiting for reply from x.x.x.x and discards reply from 192.168.3.18

You just can't use the public IP from the inside LAN, even for testing purposes. You absolutely must test from outside the network.

Yes, a $50 soho router might let you do it, but a Cisco won't.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.