Solved

Outside NAT

Posted on 2008-06-19
Last Modified: 2010-05-18
I'm having a difficult time allowing traffic from outside our network to access two specific devices inside our network via NAT.

This works on a PIX; however, I'm unable to get this configuration to work with a 1760. I'm almost positive it's something simple with an access-list that I'm missing.

Here is the setup.

I have two wireless devices that broadcast data to an internet service. They NAT out to the site and register their address and port.

This works; we see the traffic move in this direction. In turn, the internet service sends data back to the NAT'ed address. It may be in response, or it may be initiated by the internet service.

Any thoughts?

--- Configuration ---

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xx
!
enable secret   x
enable password xxx
!
ip subnet-zero
!
!

ip dhcp excluded-address 172.16.104.1 172.16.104.99
ip dhcp excluded-address 172.16.104.151 172.16.104.255
!
ip dhcp pool xx
   network 172.16.104.0 255.255.255.0
   default-router 172.16.104.254
   dns-server 172.16.100.5
   domain-name xx
   lease 10
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key asimplekey address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map MyMap 11 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set myset
 match address 120
!
!
!
!
!
interface Ethernet0/0
 no ip address
 no ip mroute-cache
 half-duplex
 ip nat outside
 pppoe enable
 pppoe-client dial-pool-number 1
 crypto map MyMap
!
interface FastEthernet0/0
 ip address 172.16.104.254 255.255.255.0
 ip helper-address 172.16.100.8
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 crypto map MyMap
!
ip local pool MyPool 172.16.104.100 172.16.104.150
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit 172.16.104.0 0.0.0.255
access-list 1 deny   0.0.0.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 deny   ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 102 permit ip 172.16.104.0 0.0.0.255 any
access-list 102 permit ip host 216.245.180.88 any <== This is the IP address that the internet service sends its data on
access-list 120 permit ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password terminal
line aux 0
line vty 0 4
 session-timeout 60
 password butter
 login
!
end
Question by:jlazanowski

8 Comments
LVL 11

Expert Comment

by:rowansmith
Your access lists do nothing (they are not applied to any interfaces) and you have no NAT rules defined.
LVL 11

Expert Comment

by:rowansmith
You need to tell us, what addresses you want to NAT to on your internal network.

We will then write the NAT inbound translation rules that you require.
LVL 1

Author Comment

by:jlazanowski
I should've removed some of the old access-list entries; they're not valid anymore. You can ignore access-list 1 and access-list 101.


Access-list 102 is assigned to the Dialer1 interface to handle the no-NAT of the VPN tunnel traffic.
Access-list 120 is assigned to the tunnel.

The line "access-list 102 permit ip host 216.245.180.88 any":
216.245.180.88 is the IP address that I wish to allow access to the internal devices.

LVL 11

Expert Comment

by:rowansmith
Is your intention to use the access lists to permit or deny IP communications? If so, that is not what you are doing at the moment.

To permit or deny IP communications you have to apply the access-list to the interface, as in:

interface dialer 0
ip access-group 102 in

This will only allow packets inbound that match that list; you can assign a corresponding list for "out".

Now, what is it that you want to do? What IP address do you want to make connections to what IP address?
LVL 1

Author Comment

by:jlazanowski
I need to allow 216.245.180.88 to access devices connected to 172.16.104.x.

I'm sure 102 works; otherwise traffic being sent across the VPN tunnel would be NATted, which of course doesn't work.

ip nat inside source list 102 interface Dialer1 overload

applies it to the NAT pool on Dialer1, right?

LVL 11

Expert Comment

by:rowansmith
That says any packets that match list 102 will be NAT'd outbound; that is not being used to prevent access to the Internet.

e.g., if a packet arrives from 1.1.1.1 destined for 200.4.5.66, it will just be passed straight through by your router.

If a packet arrives from 172.16.104.x destined to 172.16.100.x, it will just be passed straight through by your router.

If a packet arrives from 172.16.104.x destined to anywhere, it will be NAT'd using PAT to change the source address to that of your Dialer1 interface.

So access list 102 is being used to determine which packets should be address-translated. Everything else not permitted to be NAT'd is just let straight through.

Note that this only applies to networks that originate inside your router.
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
Now on to your NAT problem....

You cannot allow 216.245.180.88 access to every port on every device on your internal network; you have to choose what you want.

You have the following: 1 external IP address (applied to dialer0) and 65535 external ports, so each of these is a unique combination. Let's say your dialer0 IP address is 1.1.1.1. Then you could have (for example):

1.1.1.1:25 -> 172.16.104.22:25
1.1.1.1:80 -> 172.16.104.22:80
1.1.1.1:81 -> 172.16.104.33:80
1.1.1.1:10000 -> 172.16.104.88:3389

For example, for the last requirement above you do this with:

ip nat inside source static tcp 172.16.104.88 3389 interface dialer0 10000

which translates any inbound connections on port 10000 on interface dialer0 to IP 172.16.104.88 port 3389.

However, be aware that your access lists are not doing anything to prevent access! So enabling the above rule would allow anything to communicate with you on that port.

Are you running a FW IOS image? Type "show ip inspect" and see what output you get...


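The static port forward from the accepted solution, combined with the inbound access-group the earlier reply asked for, as an added example that is not part of the original thread or the poster's configuration. It uses the Dialer1 interface from the posted config (the replies say dialer0, which does not exist on this router). The inside addresses 172.16.104.21/.22/.88, the UDP port 5000 that the wireless devices are assumed to register, the public ports 5000/5001/10000, the management host 203.0.113.10 and the `OUTSIDE-IN`/`FW` names are all assumptions; `xxx.xxx.xxx.xxx` is the masked IPsec peer from the posted crypto map. The `ip inspect` lines need the IOS Firewall feature set, which is exactly what the `show ip inspect` check is meant to confirm.

```cisco
! --- Static port forwards (added example; addresses and ports are assumed) ---
! Each public port on Dialer1 maps to exactly one inside host:port.
! Static entries are matched before the dynamic PAT rule
! ("ip nat inside source list 102 interface Dialer1 overload") and are not
! subject to the deny line in list 102, so a session from one of these
! inside ports toward the VPN subnet would still be translated.
ip nat inside source static udp 172.16.104.21 5000 interface Dialer1 5000
ip nat inside source static udp 172.16.104.22 5000 interface Dialer1 5001
ip nat inside source static tcp 172.16.104.88 3389 interface Dialer1 10000
!
! --- Inbound filter on the outside interface ---
! For outside->inside traffic IOS evaluates the inbound ACL before NAT, so the
! entries match the PUBLIC destination (the negotiated Dialer1 address, hence
! "any") and the PUBLIC port, not the translated inside address or port.
ip access-list extended OUTSIDE-IN
 remark Internet service that pushes data to the two wireless devices
 permit udp host 216.245.180.88 any eq 5000
 permit udp host 216.245.180.88 any eq 5001
 remark Only one management host (assumed) may reach the RDP forward
 permit tcp host 203.0.113.10 any eq 10000
 remark IPsec peer from crypto map MyMap (masked in the posted config)
 permit udp host xxx.xxx.xxx.xxx any eq isakmp
 permit esp host xxx.xxx.xxx.xxx any
 remark Anything else arriving unsolicited is dropped and logged
 deny ip any any log
!
! --- Return traffic for sessions the LAN opens ---
! A deny-all inbound ACL would also drop replies to outbound PAT sessions.
! CBAC (IOS Firewall feature set) watches outbound TCP/UDP sessions and opens
! temporary inbound entries for their return packets. Without an FW image you
! would need "permit tcp any any established" plus per-service UDP permits
! (DNS, NTP, ...) in OUTSIDE-IN instead, which is much weaker.
ip inspect name FW tcp
ip inspect name FW udp
!
interface Dialer1
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

To verify, send a packet from the service side and check that a static entry appears in `show ip nat translations` for the forwarded port, and that the hit counter on the matching `permit` line in `show ip access-lists OUTSIDE-IN` increments while the final `deny ... log` line catches everything else. Keep the public ports in the static entries and in the ACL in step: a forward without a matching permit is silently dropped, and a permit without a forward lets the packet through to the router itself.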