Solved

Outside to inside NAT Rule in Cisco 1812 With IOS 12.4(2)XA

Posted on 2006-04-14
Last Modified: 2012-08-13
Hello,

I have 2 virtual LANs and 1 WAN interface active on my Cisco 1812 router/firewall.
Vlan 1 (eth2) = 192.168.100.*
Vlan 2 (eth3) = 192.168.200.*
WAN (eth0) = IP addresses available from my ISP: 212.265.208.48 - 212.265.208.62

My router has the following IP addresses assigned:
WAN: 212.265.208.50
Vlan 1: 192.168.100.1
Vlan 2: 192.168.200.1

Vlan 2 is configured as a DMZ on the IOS firewall.

Now what I can't seem to get working is outside-to-inside NAT.
I have a web server with IP 192.168.200.3 on my Vlan 2 (DMZ) which I want to be accessible from the internet on public IP 212.265.208.51.

So I set the following command (I usually do it with the Cisco SDM GUI, but this may be clearer to you):

ip nat outside source static network 212.265.208.51 192.168.200.3 255.255.255.255

But this results in:
A. Nothing
B. Windows 2003 tells me there is an IP address conflict.
C. My web server is still not accessible from the internet.

Does anybody know how to fix this?

Question by:GaweinHeymans
Expert Comment

by:Frabble
ID: 16453619
WAN addresses 212.265.208.48 - 212.265.208.62?
265 is an invalid octet - typo or pretend addresses?

Anyway, it's done as a static mapping for an inside address to the global:

ip nat inside source static 192.168.200.3 212.265.208.51

If you have any incoming access list on the WAN interface, you will need to allow the web services to the WAN address.
Expert Comment

by:rsivanandan
ID: 16461781
Mind posting the config here? Would give us a better look.

Cheers,
Rajesh

Author Comment

by:GaweinHeymans
ID: 16476518
Hi Frabble, Rajesh,

The IP addresses are pretend.

But anyway, I set the static mapping like you said, Frabble:

ip nat inside source static 192.168.200.3 212.265.208.51

That didn't really make any difference at first; then I edited the incoming ACL on the WAN interface to also accept TCP 80 to 212.265.208.50 and TCP 80 to 212.265.208.51.

Now here is the strange thing: it did work for 99% when I reloaded the page I am trying to access from the outside. But then it wouldn't finish loading the page. It got stuck at 99% loaded. When I tried to reload the page a second time it loaded nothing.

Then I tried it with a clean config. Now still nothing is loaded from the outside, but when I look at the logs it does show the following entries:

017330 %SEC-6-IPACCESSLOGP: list 106 permitted tcp 85.145.195.187(2963) -> 212.265.208.51(80),  1 packet
017331 %FW-6-DROP_PKT: Dropping tcp pkt  192.168.200.3:80 => 85.145.195.187:2963

For a more detailed view, here is the config:


Building configuration...

Current configuration : 12144 bytes
!
! Last configuration change at 10:36:49 PCTime Tue Apr 18 2006 by gawein
! NVRAM config last updated at 13:47:14 PCTime Tue Apr 11 2006 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1812
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
enable secret 5 $1$dTJU$JbmNYFTib4P23EvTxrHqs1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.199
!
ip dhcp pool Roaming_Clients
   import all
   network 192.168.100.0 255.255.255.0
   dns-server 192.168.100.4
   default-router 192.168.100.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name masterworks.local
ip name-server 194.159.73.135
ip name-server 194.159.73.136
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH im-aol audit-trail on
ip inspect name SDM_HIGH im-msn audit-trail on
ip inspect name SDM_HIGH im-yahoo audit-trail on
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip ips notify SDEE
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
    audit-trail off
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3875015843
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3875015843
 revocation-check none
 rsakeypair TP-self-signed-3875015843
!
!
crypto pki certificate chain TP-self-signed-3875015843
 certificate self-signed 01
  98D87DF3 522F727D F3647D78 8B5396FD 8EBA0679 B1D0B2A3 B67B121D 1976D70A
  3F0968BD 47BE9006 28765421 E58E61AE 76064501 AA8BB769 E2A03C6E F3A71CAA
  D0D31DD8 86CE4CBC 37E4D41D FB97B4A3 51DFFF67 BD53EC27 67626485 A801C143
  FF370203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373530
  31353834 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C664 28AA8868 404683BE 5B40FD7E C878FD04 B05CE108 B00F8B6C 09E03D0E
  98D87DF3 522F727D F3647D78 8B5396FD 8EBA0679 B1D0B2A3 B67B121D 1976D70A
  3F0968BD 47BE9006 28765421 E58E61AE 76064501 AA8BB769 E2A03C6E F3A71CAA
  D0D31DD8 86CE4CBC 37E4D41D FB97B4A3 51DFFF67 BD53EC27 67626485 A801C143
  FF370203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14F213C0 CBBDF42B 7D32B76B 40EA6EF1 A21E0C9B
  D7301D06 03551D0E 04160414 F213C0CB BDF42B7D 32B76B40 EA6EF1A2 1E0C9BD7
  300D0609 2A864886 F70D0101 04050003 81810037 D949E965 752B082E A8D02395
  0B2A57EC EC313FBF C95A3DF4 7B2C7A50 5C840EAB 7F844EF4 68B2917F 4D3AE28C
  9E736BB7 D24EC973 AEA1A8AB 23874893 AA8E13E6 29AB51EB 8D75EF5F C64A05EC
  AE4A5591 B7F6BE87 2BC79DFC EAE95424 417AA7CE 13991388 BA80DD40 75261EFC
  C1517502 0A6C0501 2873D561 ACC4F421 0C6348
  quit
username gawein privilege 15 secret 5 $1$2rMG$8RIra8C1yf/.JLDkzI93Q0
username chrisvanbeem secret 5 $1$mi.i$Iyc/UAgRs7mou5tUOMBMM1
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
  class sdm_p2p_gnutella
   drop
  class sdm_p2p_bittorrent
   drop
  class sdm_p2p_edonkey
   drop
  class sdm_p2p_kazaa
   drop
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 group 2
!
crypto isakmp client configuration group Masterworks_Management
 key Nums6738H8djs0u0
 dns 192.168.100.4
 wins 192.168.100.4
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 212.265.208.50 255.255.255.240
 ip access-group 106 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_OUTSIDE$
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet2
 description Local Network
!
interface FastEthernet3
 description DMZ
 switchport access vlan 2
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.100.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect SDM_HIGH in
 ip virtual-reassembly
 ip route-cache flow
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
interface Vlan2
 description $FW_DMZ$
 ip address 192.168.200.1 255.255.255.0
 ip access-group 102 in
 ip inspect dmzinspect out
!
ip local pool SDM_POOL_1 192.168.102.1 192.168.102.254
ip classless
ip route 0.0.0.0 0.0.0.0 212.265.208.49
ip route 192.168.136.0 255.255.255.0 192.168.100.6
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.200.3 80 212.265.208.51 80 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 212.265.208.48 0.0.0.15 any
access-list 101 deny   ip 192.168.200.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 192.87.110.2
access-list 102 permit udp host 192.87.110.2 eq ntp host 192.168.200.1 eq ntp
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 192.168.200.3 any
access-list 103 deny   ip any 192.168.102.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip host 192.168.200.3 192.168.102.0 0.0.0.255
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 192.168.200.3 192.168.102.0 0.0.0.255
access-list 105 permit ip host 192.168.200.3 any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit udp host 194.159.73.136 eq domain host 212.265.208.50
access-list 106 permit udp host 194.159.73.135 eq domain host 212.265.208.50
access-list 106 remark Auto generated by SDM for NTP (123) 192.87.110.2
access-list 106 permit udp host 192.87.110.2 eq ntp host 212.265.208.50 eq ntp
access-list 106 deny   ip 192.168.200.0 0.0.0.255 any
access-list 106 deny   ip 192.168.100.0 0.0.0.255 any
access-list 106 permit icmp any host 212.265.208.50 echo-reply
access-list 106 permit icmp any host 212.265.208.50 time-exceeded
access-list 106 permit icmp any host 212.265.208.50 unreachable
access-list 106 remark PPTP
access-list 106 permit tcp host 212.123.1.33 eq 1723 any log
access-list 106 remark PPTP
access-list 106 permit gre host 212.123.1.33 any log
access-list 106 permit tcp any host 212.265.208.51 eq www log
access-list 106 permit tcp any eq www host 212.265.208.50 log
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map SDM_RMAP_3 permit 1
 match ip address 105
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180444
ntp update-calendar
ntp server 192.87.110.2 source FastEthernet0
end
Accepted Solution

by: Frabble (earned 2000 total points)
ID: 16480735
These are good:
> ip nat inside source static tcp 192.168.200.3 80 212.265.208.51 80 extendable
> access-list 106 permit tcp any host 212.265.208.51 eq www log

Following is not required:
>access-list 106 permit tcp any eq www host 212.265.208.50 log

Only thing wrong I can see is that you've not configured the DMZ Vlan2 as a NAT inside interface:
interface Vlan2
  ip nat inside
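
The accepted fix, collected into one fragment so the pieces can be seen together. This is an added example, not configuration from the original thread; it reuses the thread's pretend addresses (212.265.208.50/51, 192.168.200.3), the interface names and ACL number 106 from the posted config, and adds nothing that the answers above do not call for.

```cisco
! Added example (not from the original thread): DMZ port-forward on the 1812,
! using the thread's pretend addresses.
!
! 1. Every interface whose hosts must be translated is "ip nat inside".
!    The DMZ SVI was missing this, which is what the accepted answer found.
interface Vlan1
 ip nat inside
!
interface Vlan2
 description $FW_DMZ$
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
!
! 2. The WAN interface is the only NAT outside interface, and carries the
!    inbound ACL.
interface FastEthernet0
 ip address 212.265.208.50 255.255.255.240
 ip nat outside
 ip access-group 106 in
!
! 3. Port-restricted static translation: only TCP/80 of the public address is
!    forwarded to the web server. "inside source" is the right direction;
!    "ip nat outside source static" (the command tried first in the question)
!    rewrites the OUTSIDE host's address and is not a port forward.
ip nat inside source static tcp 192.168.200.3 80 212.265.208.51 80 extendable
!
! 4. The inbound WAN ACL must permit traffic to the PUBLIC address: an inbound
!    ACL on the outside interface is evaluated before the global-to-local
!    translation. A permit for "any eq www host 212.265.208.50" is not needed.
access-list 106 permit tcp any host 212.265.208.51 eq www
!
! 5. Verification (exec mode):
!    show ip nat translations   - expect 212.265.208.51:80 <-> 192.168.200.3:80
!    show ip nat statistics     - lists which interfaces are inside / outside
!    show access-lists 106      - hit counter on the permit line above
!    show ip inspect sessions   - CBAC session for the DMZ flow, if inspected
```

Two practical caveats. First, commands of the form `access-list 106 permit ...` are appended to the end of a numbered ACL, so with the posted list (which ends in `deny ip any any log`) the new permit would never be reached; edit the list with `ip access-list extended 106` and sequence numbers, or rebuild it as the author eventually did. Second, the config as posted contains the IKE client-group pre-shared key in clear text (`service password-encryption` does not cover `crypto isakmp client configuration group ... key`) as well as the type 5 hashes for the enable secret and local users; strip those before pasting a running config into a public forum.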
Author Comment

by:GaweinHeymans
ID: 16497112
Thanks Frabble, it works now.

I changed the DMZ Vlan2 to NAT inside, but that didn't work on its own, so I cleared all ACLs to be sure there were no settings that could block anything and made clean ones. With your comments about the static mapping and NAT inside it worked immediately!

Thanks again.