Problems getting NAT translation to work on Cisco 871W Router

I am having issues trying to do a simple NAT translation on our Cisco 871W router.

First of all, our router was initially set up with a single static public IP address. We recently added a second public IP address that we want to NAT to an internal FTP server. I tried to add the following config:

ip nat inside source static tcp 192.168.1.30 21 67.76.XXX.XXX 21 extendable
access-list 111 permit tcp any host 67.76.XXX.XXX eq ftp

However, after adding the above lines to the router config the internal FTP server is no longer reachable internally or externally. I was able to ping the FTP server fine internally at 192.168.1.30, but as soon as I added the above config lines I was not able to ping the server, and if I accessed the server directly it no longer had an internet connection? Very strange. Can someone help? Do I need to change the WAN interface config to include the additional IP addresses we purchased? Currently it shows:

interface FastEthernet4
 description WAN link, FW outside
 ip address 67.76.XXX.XXX 255.255.255.128
 ip access-group 111 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect FW100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map gpubs
 service-policy output policy1
!

Any help I can get would be greatly appreciated. Thanks in advance.
Asked by jtbe
 
giltjrCommented:
What type of access-lists do you have for your inside interface?
 
rsivanandanCommented:
Agree, post the full configuration (sanitized of course).

Cheers,
Rajesh
 
jtbeAuthor Commented:
!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname 871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDST recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.40
ip dhcp excluded-address 192.168.1.200 192.168.1.255
!
ip dhcp pool MBG-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name test.com
   netbios-name-server 192.168.1.10
   dns-server 204.XXX.XXX.XXX
   lease 14
!
!
no ip bootp server
ip domain name XXX.com
ip host VPN1_831 192.168.1.1
ip host VPN2_831 192.168.2.1
ip host VPN3_831 192.168.3.1
ip host VPN4_831 192.168.4.1
ip name-server 204.XXX.XXX.XXX
ip name-server 199.2.252.10
ip inspect name FW100 cuseeme
ip inspect name FW100 ftp
ip inspect name FW100 h323
ip inspect name FW100 icmp
ip inspect name FW100 netshow
ip inspect name FW100 rcmd
ip inspect name FW100 realaudio
ip inspect name FW100 rtsp
ip inspect name FW100 esmtp
ip inspect name FW100 sqlnet
ip inspect name FW100 streamworks
ip inspect name FW100 tftp
ip inspect name FW100 tcp
ip inspect name FW100 udp
ip inspect name FW100 vdolive
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-346165903
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-346165903
 revocation-check none
 rsakeypair TP-self-signed-346165903
!
!
crypto pki certificate chain TP-self-signed-346165903
 certificate self-signed 01
  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit
!
!
username telnet password 7 XXXXXXXXX
archive
 log config
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-all voice
 match access-group 160
!
!
policy-map policy1
 description LLQ policy for IP voice traffic
 class voice
  priority 400
 class class-default
  fair-queue
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address XX.XX.XX.XX no-xauth
crypto isakmp key XXXX address XX.XX.XX.XX no-xauth
crypto isakmp key XXXX address XX.XX.XX.XX no-xauth
crypto isakmp key XXXX address XX.XX.XX.XX no-xauth
crypto isakmp identity hostname
!
crypto isakmp client configuration group vpnclient
 key 6 XXX
 dns XX.XX.XX.XX
 wins 192.168.1.10
 domain vpnclient.XX.com
 pool VPNclPool
 acl 130
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strong
!
!
crypto map test client authentication list userauthen
crypto map test isakmp authorization list groupauthor
crypto map test client configuration address respond
crypto map test 1 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set strong
 match address 102
crypto map test 2 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set strong
 match address 103
crypto map test 3 ipsec-isakmp
 description Crypto map for Dover connection
 set peer XX.XX.XX.XX
 set transform-set strong
 match address 104
crypto map test 4 ipsec-isakmp
 description Crypto map for Fairlawn connection
 set peer XX.XX.XX.XX
 set transform-set strong
 match address 105
crypto map test 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN link, FW outside
 ip address XX.XX.XX.XX 255.255.255.128
 ip access-group 111 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect GPI-FW100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map test
 service-policy output policy1
!
interface Dot11Radio0
 ip address 192.168.15.1 255.255.255.0
 countermeasure tkip hold-time 300
 !
 encryption key 1 size 40bit 0 XXXXXXXX transmit-key
 encryption mode wep mandatory
 !
 ssid WIFI
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN segment, FW inside
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool VPNclPool 192.168.10.1 192.168.10.9
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.30 21 67.76.XXX.XXX 21 extendable
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit any
access-list 100 remark Outbound control firewall configuration
access-list 100 deny   ip 216.XX.XX.XX 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark 102-105 for Site to Site VPN access control
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 permit tcp any host 67.76.XXX.XXX eq ftp
access-list 111 remark Inbound access firewall
access-list 111 permit udp host 209.XX.XX.XX eq domain host 67.XX.XX.XX
access-list 111 permit udp host 216.XX.XX.XX eq domain host 67.XX.XX.XX
access-list 111 permit tcp any host 67.XX.XX.XX eq 22
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit esp any any
access-list 111 permit tcp host 192.43.244.18 host 67.XX.XX.XX eq 123
access-list 111 deny   ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp any host 67.XX.XX.XX echo-reply
access-list 111 permit icmp any host 67.XX.XX.XX time-exceeded
access-list 111 permit icmp any host 67.XX.XX.XX unreachable
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip host 255.255.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 deny   ip any any
access-list 120 remark Control for NAT processing
access-list 120 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 130 remark ACL Control for VPN Client on group 3000client
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.6.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 remark ACL for LLQ udp ports
access-list 160 permit udp any any range 6000 6100
access-list 160 deny   ip any any
no cdp run
!
!
!
route-map nonat permit 1
 match ip address 120
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CC
Logon with permission only.
Unauthorised access will be prosecuted!!
 
 
^C
banner motd ^CC
Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
 
 
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 192.43.244.18
end
 
lrmooreCommented:
Enable proxy ARP on the WAN interface.
 
mikecrCommented:
Umm, if you're not using a passive FTP server you also need to NAT port 20.

ip nat inside source static tcp 192.168.1.30 20 67.76.XXX.XXX 20 extendable

Add:
access-list 111 permit tcp any host 67.76.XXX.XXX eq ftp-data

 
jtbeAuthor Commented:
After I enabled proxy ARP on the WAN interface I am now able to successfully FTP to the server internally at its internal IP address of 192.168.1.25; however, I still cannot connect to the server via FTP from the public IP address on a computer outside our office. It is almost as if the router is not pulling the additional IP address from the DSL modem.

Some more information on our configuration. We currently have a Business DSL connection with 3 static public IP addresses. One of them is assigned to the router to handle all outgoing traffic etc., as you can see in the config. The other two IP addresses are for other uses like our FTP server. Currently we have the FTP server outside our network, but I need to bring it in on our internal network.

The physical connection is:

DSL Modem -> connected to a switch
Our Cisco router is connected to the above switch on one port and our current FTP server is connected to the same switch on another port. I am wanting to remove the switch from the equation and run all traffic through our 871W router, obviously needing this NAT translation to work.

To answer the obvious question, I am not trying to assign the same public IP address to the new internal FTP server. We have 3 IPs: one is assigned to the existing FTP server, one to the router, and I am using the third as a test for the new internal FTP server.
 
mikecrCommented:
A little troubleshooting insight.

Here is what I would do. I would do a one-to-one NAT to the 192.168 address without port translation.

ip nat inside source static 192.168.1.30 67.76.XXX.XXX

Add a line to access-list 111 to allow ICMP to the 67.76.XXX.XXX address.

Try to ping the server's NATted IP from the outside world and see if you get a reply.
Do a "show ip nat translations icmp verbose" on the router if you don't get a reply.

If you get a reply, then you're probably having a port problem accessing the new FTP test server (not running passive FTP) and need to add 20. If you don't get a reply, then your NAT is not working, which would lead me to guess that the ISP doesn't have that particular IP address routed for some reason. Test this by doing a traceroute to that network IP address from the internet and see if your DSL modem/gateway is the last hop. You can't really do a routable CIDR block on 3 addresses, which makes me suspicious. You would need to add them each statically.


 
jtbeAuthor Commented:
Here is what I have tested.

Added the following to the running config:
ip nat inside source static 192.168.1.25 67.76.XX.XX
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable

1.) I am now able to ping the new FTP server internally using the internal 192.168.1.25 IP and also the external IP of 67.76.XXX.XXX (this is from a computer in the network, so the NAT seems to work fine internally).

2.) Tried to do the show ip nat translations icmp verbose command and did not get anything listed, just:
Pro Inside global      Inside local       Outside local      Outside global

3.) I tried to connect the new FTP server to the same switch and give it the public IP address I am trying to do the NAT translation on, and it works fine. Tested the IP address using whatismyip.org and it displayed the correct IP address, so I know this is not an issue with the DSL modem not directing traffic on that IP address to here.

Any other suggestions?
 
mikecrCommented:
If you can ping it but you can't get into it via FTP now, then you need to add port 20 in your NAT and access-list like I have above and try it again. It will probably work.
 
jtbeAuthor Commented:
I am unable to ping or FTP the server from the outside. Neither one works. I did a traceroute and it stopped at the DSL modem, which is the same thing that happened when I did a traceroute/ping attempt to the main IP of the router itself. Any other suggestions?
 
jtbeAuthor Commented:
Here is an updated config of the router.  Please help,,,

!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname MBG_871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDST recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.40
ip dhcp excluded-address 192.168.1.200 192.168.1.255
!
ip dhcp pool MBG-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name domain.com
   netbios-name-server 192.168.1.10
   dns-server (IP of DNS Server1) (IP of DNS Server2)
   lease 14
!
!
no ip bootp server
ip domain name domain.com
ip host MBG_831 192.168.1.1
ip host WOS_831 192.168.2.1
ip host BRU_831 192.168.3.1
ip host DOV_831 192.168.4.1
ip name-server (IP of DNS Server1)
ip name-server (IP of DNS Server2)
ip inspect name GPI-FW100 cuseeme
ip inspect name GPI-FW100 ftp
ip inspect name GPI-FW100 h323
ip inspect name GPI-FW100 icmp
ip inspect name GPI-FW100 netshow
ip inspect name GPI-FW100 rcmd
ip inspect name GPI-FW100 realaudio
ip inspect name GPI-FW100 rtsp
ip inspect name GPI-FW100 esmtp
ip inspect name GPI-FW100 sqlnet
ip inspect name GPI-FW100 streamworks
ip inspect name GPI-FW100 tftp
ip inspect name GPI-FW100 tcp
ip inspect name GPI-FW100 udp
ip inspect name GPI-FW100 vdolive
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-346165903
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-346165903
 revocation-check none
 rsakeypair TP-self-signed-346165903
!
!
crypto pki certificate chain TP-self-signed-346165903
 certificate self-signed 01
  27A3ED51 96C48952 26F0C6C4 5AE56C5B B88D0B16 C69F0B5D 27EACE49 E7CAB37F
  DB0F0643 AA220555 E78E979B 983FED3D F7FAC42A 1AA49FDB 4D385989 2F2497A6
  DB81CD15 16BFD565 7F7EA4
  quit
!
!
username telnet password 7 (Encrypted Password)
archive
 log config
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-all voice
 match access-group 160
!
!
policy-map policy1
 description LLQ policy for IP voice traffic
 class voice
  priority 400
 class class-default
  fair-queue
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key (VPN Key) address (Branch VPN IP Address1) no-xauth
crypto isakmp key (VPN Key) address (Branch VPN IP Address2) no-xauth
crypto isakmp key (VPN Key) address (Branch VPN IP Address3) no-xauth
crypto isakmp key (VPN Key) address (Branch VPN IP Address4) no-xauth
crypto isakmp identity hostname
!
crypto isakmp client configuration group 3000client
 key 6 (VPN Client Key)
 dns (IP of DNS Server1)
 wins 192.168.1.10
 domain vpnclient.domain.com
 pool VPNclPool
 acl 130
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strong
!
!
crypto map (Crypto Name) client authentication list userauthen
crypto map (Crypto Name) isakmp authorization list groupauthor
crypto map (Crypto Name) client configuration address respond
crypto map (Crypto Name) 1 ipsec-isakmp
 set peer (Branch VPN IP Address1)
 set transform-set strong
 match address 102
crypto map (Crypto Name) 2 ipsec-isakmp
 set peer (Branch VPN IP Address2)
 set transform-set strong
 match address 103
crypto map (Crypto Name) 3 ipsec-isakmp
 set peer (Branch VPN IP Address3)
 set transform-set strong
 match address 104
crypto map (Crypto Name) 4 ipsec-isakmp
 set peer (Branch VPN IP Address4)
 set transform-set strong
 match address 105
crypto map (Crypto Name) 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN link, FW outside
 ip address (Main Public IP) 255.255.255.128
 ip access-group 111 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect GPI-FW100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map (Crypto Name)
 service-policy output policy1
!
interface Dot11Radio0
 ip address 192.168.15.1 255.255.255.0
 countermeasure tkip hold-time 300
 !
 encryption key 1 size 40bit 0 (WEP Key) transmit-key
 encryption mode wep mandatory
 !
 ssid WIFI
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN segment, FW inside
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool VPNclPool 192.168.10.1 192.168.10.9
ip route 0.0.0.0 0.0.0.0 (Default Public Router Gateway)
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static 192.168.1.25 (FTP Server Public IP)
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit any
access-list 100 remark Outbound control firewall configuration
access-list 100 deny   ip (Ip range 51.0) 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark 102-105 for Site to Site VPN access control
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 remark Inbound access firewall
access-list 111 permit udp host (IP Ending in 182) eq domain host (Main Public IP)
access-list 111 permit udp host (IP ending in 118) eq domain host (Main Public IP)
access-list 111 permit tcp any host (Main Public IP) eq 22
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit esp any any
access-list 111 permit tcp host 192.43.244.18 host (Main Public IP) eq 123
access-list 111 deny   ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp any host (Main Public IP) echo-reply
access-list 111 permit icmp any host (Main Public IP) time-exceeded
access-list 111 permit icmp any host (Main Public IP) unreachable
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip host 255.255.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 deny   ip any any
access-list 111 permit tcp any host (FTP Server Public IP) eq ftp-data
access-list 120 remark Control for NAT processing
access-list 120 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 130 remark ACL Control for VPN Client on group 3000client
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.6.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 remark ACL for LLQ udp ports
access-list 160 permit udp any any range 6000 6100
access-list 160 deny   ip any any
no cdp run
!
!
!
route-map nonat permit 1
 match ip address 120
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCC
Logon with permission only.
Unauthorised access will be prosecuted!!
 
 
^C
banner motd ^CCC
Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
 
 
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 192.43.244.18
end
 
mikecrCommented:
Were your access-list commands at the top of the list in your Access-list 111 when you tested?
 
jtbeAuthor Commented:
The above config is the current config that does not work. I can't ping the server internally using the 192.168.1.25 internal IP address. Can't access the server externally either. During the course of testing, there was one time I was able to ping the server internally after adding the NAT translation, but I'm puzzled as to why it is that as soon as I add the static 1-to-1 NAT translation line to the config the server loses its connection and can't be accessed even internally.
 
lrmooreCommented:
Your first deny any any is higher than the permit tcp. This is why the inbound to that IP is not working

access-list 111 deny   ip any any      <== this must be the very last line
access-list 111 permit tcp any host (FTP Server Public IP) eq ftp-data

From an inside host, are you trying to ping 192.168.1.25, or are you trying to ping the server's public IP?
You will never be able to ping the public IP from an inside host.
If you cannot even ping 192.168.1.25 from 192.168.1.x host, then I would concentrate the remainder of my effort on the server. Does it have the proper subnet mask, default gateway and NIC settings?
How about the switch that the server is connected to? Is the switchport showing any errors that might indicate a duplex mismatch? Is it a L2 only or L2/3 switch?
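The ordering problem lrmoore points out is the first-match rule of IOS access lists: the first entry a packet matches decides, so a permit appended after `deny ip any any` can never fire, and on a numbered ACL new lines can only be appended. The script below is an added example, not code from the thread, that models just the extended-ACL syntax ACL 111 uses, evaluates an outside client's FTP connection against the list as posted, reports entries shadowed by an earlier broader entry, and rebuilds the list with the FTP permits above the final deny. It also carries a permit for port 21, since the updated configuration only has the `ftp-data` (20) line. The 192.0.2.x and 203.0.113.x addresses are constructed stand-ins for the masked public IPs, and `fix_acl`, `verdicts` and the other names are mine, not IOS commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names IOS prints in place of numbers (only the subset used on this page).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}

@dataclass
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    text: str                    # the line as written, for reporting

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """'any' | 'host A' | 'A wildcard' at t[i] -> (network, next index); wildcard 1-bits are don't-care."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    netmask = ~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {t[i + 1]} not modelled")
    return ipaddress.IPv4Network((t[i], prefix), strict=False), i + 2

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]), i + 2
    return None, i

def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] ...'; remarks and trailing keywords are skipped."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, line.strip()))
    return aces

def lookup(aces, proto, src, dst, sport=None, dport=None) -> Tuple[str, Optional[Ace]]:
    """IOS semantics: top-down, first matching entry decides; falling off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.src_port in (None, sport) and ace.dst_port in (None, dport)):
            return ace.action, ace
    return "deny", None

def shadowed(aces: List[Ace]) -> List[Tuple[Ace, Ace]]:
    """(entry, earlier broader entry) pairs: the later entry can never match."""
    out = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.src_port in (None, later.src_port)
                    and earlier.dst_port in (None, later.dst_port)):
                out.append((later, earlier))
                break
    return out

ROUTER_PUBLIC, FTP_PUBLIC = "192.0.2.1", "192.0.2.25"   # constructed stand-ins for the masked public IPs
FTP_PERMITS = [
    f"access-list 111 permit tcp any host {FTP_PUBLIC} eq ftp",       # control channel, 21
    f"access-list 111 permit tcp any host {FTP_PUBLIC} eq ftp-data",  # port 20, as the thread suggests
]
ACL_111_AS_POSTED = [  # abbreviated from the post: the ftp-data permit was appended *after* deny ip any any
    f"access-list 111 permit tcp any host {ROUTER_PUBLIC} eq 22",
    "access-list 111 permit udp any any eq isakmp",
    "access-list 111 deny   ip 10.0.0.0 0.255.255.255 any",
    "access-list 111 deny   ip 192.168.0.0 0.0.255.255 any",
    "access-list 111 deny   ip any any",
    FTP_PERMITS[1],
]

def fix_acl(lines: List[str]) -> List[str]:
    """Return the list with both FTP permits placed directly above the final 'deny ip any any'."""
    kept = [l for l in lines if l not in FTP_PERMITS]
    end = next(i for i, l in enumerate(kept) if l.split()[2:6] == ["deny", "ip", "any", "any"])
    return kept[:end] + FTP_PERMITS + kept[end:]

def verdicts(lines: List[str], client: str = "203.0.113.7") -> dict:
    aces = parse_acl(lines)   # verdict for an Internet client hitting the server's public IP on 21 and 20
    return {p: lookup(aces, "tcp", client, FTP_PUBLIC, sport=51234, dport=p)[0] for p in (21, 20)}

if __name__ == "__main__":
    for later, earlier in shadowed(parse_acl(ACL_111_AS_POSTED)):
        print(f"unreachable: {later.text}\n   shadowed by: {earlier.text}")
    print("as posted:", verdicts(ACL_111_AS_POSTED))           # {21: 'deny', 20: 'deny'}
    print("fixed:    ", verdicts(fix_acl(ACL_111_AS_POSTED)))  # {21: 'permit', 20: 'permit'}
```

Run it directly and it prints the shadowed entry and the before/after verdicts. The model deliberately ignores `ip inspect`, which only opens return-traffic holes in ACL 111 for sessions the router has already seen; a fresh SYN from an outside client to the FTP server is not such a session, so the ACL verdict stands. To apply the reordering on the router, `ip access-list extended 111` with sequence numbers inserts entries at a chosen position on IOS releases that support ACL sequence numbering; removing the whole list with `no access-list 111` while it is still bound to FastEthernet4 leaves that interface unfiltered until the entries are re-entered, which matters on a production router.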
 
jtbeAuthor Commented:
I have tried to ping both the internal 192.168.1.25 ip and the (FTP Server Public IP) from an internal host and that does not work.  As soon as I reload the saved config that does not have the config line:
ip nat inside source static 192.168.1.25 (FTP Server Public IP)

I am able to ping the FTP Server 192.168.1.25
However, as soon as I add the above NAT config line I can no longer ping the FTP server. So I know it is not a physical network connection issue or a setting on the actual server itself. It almost seems that as soon as I add the NAT translation it causes an IP address conflict that makes the FTP server unreachable. I have never seen anything like this.
 
giltjrCommented:
What IP subnet are you on when you try to ping? You say you are on an internal host, but to me that means you are on the same IP subnet. If you're on the same IP subnet, you should never even be touching the router.
 
mikecrCommented:
Create a loopback on the router with that public address and see if you can ping it then from the outside world. If you can't, your DSL modem doesn't have a route back to your router for that IP address. That DSL modem is probably a multifunction device.

Example
config t
interface loopback1
 ! IOS requires a mask on 'ip address'; a host mask keeps the loopback from overlapping the WAN subnet
 ip address 67.77.87.97 255.255.255.255
end
 
jtbeAuthor Commented:
Does anyone know what  this config line does exactly could it be the problem?

ip nat inside source route-map nonat interface FastEthernet4 overload
 
mikecrCommented:
That is your global NAT for your outbound network to get to the internet. The route map specifies what is to be NATted outbound. Currently it is denying access to its own network talking through the router and allowing all other traffic. Static NAT normally takes precedence over dynamic NAT, so I don't believe this is the problem.

If you take and create that loopback like I suggested and put the IP address on it, you should be able to ping that address then from the outside world. If you can't, then your DSL modem must have routing set up on it that you need to edit. Make sure you edit your access lists for your firewall config to allow ICMP.
 
giltjrCommented:
I would still like to know when you can ping 192.168.1.25 what the IP address of the source machine?
 
jtbeAuthor Commented:
I was able to ping the server from a computer with an IP of 192.168.1.66

As for the loopback setup: I removed the existing NAT translation from the config and added the loopback interface below. As soon as I did that our Internet connectivity went down and I had to immediately restore the config on the router. With this being a production router it makes it challenging to test and make changes.

Here is where I added the loopback interface:

!
bridge irb
!
!
interface loopback0
 ip address (FTP Server Public IP) 255.255.255.128
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN link, FW outside
 ip address (Main Public IP) 255.255.255.128
 ip access-group 111 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect GPI-FW100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map gpubs
 service-policy output policy1
!
 
giltjrCommented:
If you can ping 192.168.1.25 from 192.168.1.66 without the NAT and with the NAT you can't, then something else is wrong, or I am missing something.  

From what I can tell the subnet mask is 255.255.255.0 for 192.168.1.0.  Which means both hosts are on the same IP subnet.  

Which means when you are pinging from 192.168.1.66 you should not even be going through the 871W router. So the NAT should not have any effect on traffic between these two hosts.

Is there something I am missing?  I have been known to be blind to the obvious sometimes :)
 
mikecrCommented:
You don't need to remove the NAT except for the one to one that you have configured for the test FTP server. You just add a loopback adapter and put the live IP address on it. Should NOT affect connectivity on your network.