Outside NAT

I'm having a difficult time allowing traffic from outside our network to access two specific devices inside our network via NAT.

This works on a PIX; however, I'm unable to get this configuration to work with a 1760. I'm almost positive it's something simple with an access-list that I'm missing.

Here is the setup.

I have two wireless devices that broadcast data to an internet service; they NAT out to the site and register their address and port.

This works; we see the traffic move in this direction. In turn, the internet service sends data back to the NAT'ed address. It may be in response, or it may be initiated by the internet service.

Any thoughts?

--- Configuration ---

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xx
!
enable secret   x
enable password xxx
!
ip subnet-zero
!
!

ip dhcp excluded-address 172.16.104.1 172.16.104.99
ip dhcp excluded-address 172.16.104.151 172.16.104.255
!
ip dhcp pool xx
   network 172.16.104.0 255.255.255.0
   default-router 172.16.104.254
   dns-server 172.16.100.5
   domain-name xx
   lease 10
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key asimplekey address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map MyMap 11 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set myset
 match address 120
!
!
!
!
!
interface Ethernet0/0
 no ip address
 no ip mroute-cache
 half-duplex
 ip nat outside
 pppoe enable
 pppoe-client dial-pool-number 1
 crypto map MyMap
!
interface FastEthernet0/0
 ip address 172.16.104.254 255.255.255.0
 ip helper-address 172.16.100.8
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 crypto map MyMap
!
ip local pool MyPool 172.16.104.100 172.16.104.150
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit 172.16.104.0 0.0.0.255
access-list 1 deny   0.0.0.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 deny   ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 102 permit ip 172.16.104.0 0.0.0.255 any
access-list 102 permit ip host 216.245.180.88 any <== This is the IP address that the internet service sends its data from
access-list 120 permit ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 password terminal
line aux 0
line vty 0 4
 session-timeout 60
 password butter
 login
!
end
rowansmith Commented:
Now on to your NAT problem....

You cannot allow 216.245.180.88 access to every port on every device on your internal network... you have to choose what you want.

You have the following: 1 external IP address (applied to dialer0) and 65535 external ports, so each of these is a unique combination. Let's say your dialer0 IP address is 1.1.1.1. Then you could have (for example)

1.1.1.1:25 -> 172.16.104.22:25
1.1.1.1:80 -> 172.16.104.22:80
1.1.1.1:81 -> 172.16.104.33:80
1.1.1.1:10000 -> 172.16.104.88:3389

For example, for the last requirement above you do this with:

ip nat inside source static tcp 172.16.104.88 3389 interface dialer0 10000

Which translates any inbound connections on port 10000 of interface dialer0 to IP 172.16.104.88 port 3389.

However, be aware that your access lists are not doing anything to prevent access! So enabling the above rule would allow anything to communicate with you on that port.

Are you running a FW IOS image? Type show ip inspect and see what output you get...

rowansmith Commented:
Your access lists do nothing (they are not applied to any interfaces) and you have no NAT rules defined.
rowansmith Commented:
You need to tell us, what addresses you want to NAT to on your internal network.

We will then write the NAT inbound translation rules that you require.
jlazanowski (Author) Commented:
I should've removed some of the old access-list entries; they're not valid anymore. You can ignore access-list 1 and access-list 101.


Access-list 102 is assigned to the Dialer1 interface to handle the no-NAT of the VPN tunnel traffic.
Access-list 120 is assigned to the tunnel.

The line "access-list 102 permit ip host 216.245.180.88 any":
216.245.180.88 is the IP address that I wish to allow access to the internal devices.

rowansmith Commented:
Is your intention to use the access lists to permit or deny IP communications? If so, that is not what you are doing at the moment.

To permit or deny IP communications you have to apply the access-list to the interface.  As in:

interface dialer 0
ip access-group 102 in

This will only allow packets inbound that match that list; you can assign a corresponding list for "out".

Now, what is it that you want to do? What IP address do you want to make connections to what IP address?
jlazanowski (Author) Commented:
I need to allow 216.245.180.88 to access devices connected to 172.16.104.x

I'm sure 102 works; otherwise traffic being sent across the VPN tunnel would be NATted, which of course doesn't work.

ip nat inside source list 102 interface Dialer1 overload

applies it to the NAT pool on Dialer1, right?

rowansmith Commented:
That says any packets that match list 102 will be NAT'd outbound; it is not being used to prevent access to the internet.

E.g., if a packet arrives from 1.1.1.1 destined for 200.4.5.66 it will just be passed straight through by your router.

If a packet arrives from 172.16.104.x destined to 172.16.100.x it will just be passed straight through by your router.

If a packet arrives from 172.16.104.x destined to anywhere it will be NAT'd using PAT to change the source address to that of your dialer 1 interface.

So access list 102 is being used to determine which packets should be address translated.  Everything else not being permitted to be NAT'd is just being let straight through.

Note that this only applies to networks that originate inside your Router.
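A worked configuration fragment, added here and not taken from any post above, that puts together rowansmith's two points: list 102 only decides which inside-originated packets get translated, so letting 216.245.180.88 reach the two devices needs static port translations plus an access-group applied inbound on the outside interface. The inside addresses 172.16.104.10/.11, UDP ports 5000/5001 and ACL number 110 are assumed placeholders, and it is written against Dialer1 (the interface carrying NAT in the posted config) rather than the dialer0 of the reply.

```cisco
! --- Unchanged from the posted config ---
! The NAT engine consults list 102 only for packets whose SOURCE is on
! the inside: VPN traffic to 172.16.100.0/24 is exempted, the rest of
! 172.16.104.0/24 is PATed to the negotiated Dialer1 address. The
! "host 216.245.180.88" entry is never matched here, because an outside
! host is never an inside source. It grants no access.
ip nat inside source list 102 interface Dialer1 overload

! --- Added: fixed translations so unsolicited inbound data has a target
! (assumed addresses, protocol and ports). With overload alone a device is
! reachable only on whatever dynamic port its last outbound packet used.
ip nat inside source static udp 172.16.104.10 5000 interface Dialer1 5000
ip nat inside source static udp 172.16.104.11 5000 interface Dialer1 5001

! --- Added: decide who may use those translations ---
! For outside-to-inside traffic IOS checks the inbound access-group BEFORE
! NAT, so the entries must match the outside (negotiated, hence "any")
! address and the translated ports, not 172.16.104.x.
access-list 110 remark IKE and ESP from the site-to-site VPN peer
access-list 110 permit udp host xxx.xxx.xxx.xxx any eq isakmp
access-list 110 permit esp host xxx.xxx.xxx.xxx any
access-list 110 remark Older IOS re-checks decrypted tunnel traffic here
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.104.0 0.0.0.255
access-list 110 remark Only the service may reach the two forwarded ports
access-list 110 permit udp host 216.245.180.88 any eq 5000
access-list 110 permit udp host 216.245.180.88 any eq 5001
access-list 110 remark Replies to inside-initiated TCP (no inspect image)
access-list 110 permit tcp any any established
access-list 110 remark Everything else, including any other host probing
access-list 110 remark ports 5000/5001, is dropped and logged
access-list 110 deny ip any any log

interface Dialer1
 ip access-group 110 in
```

Without a CBAC/inspect image ("show ip inspect" in the reply above), UDP replies to other inside-initiated sessions are not tracked and would need their own permit lines; the two devices are fine because their static mappings keep them on ports 5000/5001 in both directions.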