jlazanowski
asked on
Outside NAT
I'm having a difficult time allowing traffic from outside out network to access two specific devices inside out network via NAT.
This works on a PIX, however I'm unable to get this configuration to work with a 1760, I'm almost positivie its something simple with an access-list that I'm missing.
Here is the setup.
I have two wireless devices that broadcast data to an internet service they nat out to the site and register their address and port.
This works, we see the traffic move in this direction, in turn, the internet service sends data back to the nat'ed address. It may be inresponse, or it may be initiated by the internet service.
Any thoughts?
---_ Configuration ------
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xx
!
enable secret x
enable password xxx
!
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.104.1 172.16.104.99
ip dhcp excluded-address 172.16.104.151 172.16.104.255
!
ip dhcp pool xx
network 172.16.104.0 255.255.255.0
default-router 172.16.104.254
dns-server 172.16.100.5
domain-name xx
lease 10
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key asimplekey address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map MyMap 11 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set myset
match address 120
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip mroute-cache
half-duplex
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
crypto map MyMap
!
interface FastEthernet0/0
ip address 172.16.104.254 255.255.255.0
ip helper-address 172.16.100.8
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
crypto map MyMap
!
ip local pool MyPool 172.16.104.100 172.16.104.150
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit 172.16.104.0 0.0.0.255
access-list 1 deny 0.0.0.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 deny ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 102 permit ip 172.16.104.0 0.0.0.255 any
access-list 102 permit ip host 216.245.180.88 any <== This is the IP address that the internet service sends it's data on
access-list 120 permit ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
password terminal
line aux 0
line vty 0 4
session-timeout 60
password butter
login
!
end
This works on a PIX, however I'm unable to get this configuration to work with a 1760, I'm almost positivie its something simple with an access-list that I'm missing.
Here is the setup.
I have two wireless devices that broadcast data to an internet service they nat out to the site and register their address and port.
This works, we see the traffic move in this direction, in turn, the internet service sends data back to the nat'ed address. It may be inresponse, or it may be initiated by the internet service.
Any thoughts?
---_ Configuration ------
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xx
!
enable secret x
enable password xxx
!
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.104.1 172.16.104.99
ip dhcp excluded-address 172.16.104.151 172.16.104.255
!
ip dhcp pool xx
network 172.16.104.0 255.255.255.0
default-router 172.16.104.254
dns-server 172.16.100.5
domain-name xx
lease 10
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key asimplekey address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map MyMap 11 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set myset
match address 120
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip mroute-cache
half-duplex
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
crypto map MyMap
!
interface FastEthernet0/0
ip address 172.16.104.254 255.255.255.0
ip helper-address 172.16.100.8
ip nat inside
no ip mroute-cache
speed auto
half-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
crypto map MyMap
!
ip local pool MyPool 172.16.104.100 172.16.104.150
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit 172.16.104.0 0.0.0.255
access-list 1 deny 0.0.0.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 deny ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 102 permit ip 172.16.104.0 0.0.0.255 any
access-list 102 permit ip host 216.245.180.88 any <== This is the IP address that the internet service sends it's data on
access-list 120 permit ip 172.16.104.0 0.0.0.255 172.16.100.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
password terminal
line aux 0
line vty 0 4
session-timeout 60
password butter
login
!
end
Your access lists do nothing (they are not applied to any interfaces) and you have no NAT rules defined.
You need to tell us, what addresses you want to NAT to on your internal network.
We will then write the NAT inbound translation rules that you require.
We will then write the NAT inbound translation rules that you require.
ASKER
I should've removed some of the old access-list entries, they're not valid anymore. You can ignore access-list 1 and access-list 101
Access-List 102 is assigned to the Dialer 1 interface to handle the NO-NAT of the VPN tunnel traffice
Access-List 120 is assigned to the tunnel.
The line "access-list 102 permit ip host 216.245.180.88 any "
216.245.180.88 is the IP address that I wish to allow access to the internal devices.
Access-List 102 is assigned to the Dialer 1 interface to handle the NO-NAT of the VPN tunnel traffice
Access-List 120 is assigned to the tunnel.
The line "access-list 102 permit ip host 216.245.180.88 any "
216.245.180.88 is the IP address that I wish to allow access to the internal devices.
Is you intention to use the access lists to permit or deny IP communications? If so that is not what you are doing at the moment.
To permit or deny IP communications you have to apply the access-list to the interface. As in:
interface dialer 0
ip access-group 102 in
This will only allow packets inbound that match that list, you can assign a corresponding list for "out"
Now, what is it that you want to do, what IP address to you want to make connections to what IP address?
To permit or deny IP communications you have to apply the access-list to the interface. As in:
interface dialer 0
ip access-group 102 in
This will only allow packets inbound that match that list, you can assign a corresponding list for "out"
Now, what is it that you want to do, what IP address to you want to make connections to what IP address?
ASKER
I need to allow 216.245.180.88 to access devices connected to 172.16.104.x
I'm sure 102 works otherwise traffic being sent accross the VPN tunnle would be natted, which of course dosen't work.
ip nat inside source list 102 interface Dialer1 overload
applies it to the NAT pool on Dialer1 right?
I'm sure 102 works otherwise traffic being sent accross the VPN tunnle would be natted, which of course dosen't work.
ip nat inside source list 102 interface Dialer1 overload
applies it to the NAT pool on Dialer1 right?
ASKER
I need to allow 216.245.180.88 to access devices connected to 172.16.104.x
I'm sure 102 works otherwise traffic being sent accross the VPN tunnle would be natted, which of course dosen't work.
ip nat inside source list 102 interface Dialer1 overload
applies it to the NAT pool on Dialer1 right?
I'm sure 102 works otherwise traffic being sent accross the VPN tunnle would be natted, which of course dosen't work.
ip nat inside source list 102 interface Dialer1 overload
applies it to the NAT pool on Dialer1 right?
That says anypackets that match list 102 will b NAT'd outbound that is not being used to prevent access to the internet.
e.g., if a packet arrives from 1.1.1.1 destined for 200.4.5.66 it will just be passed straight through by your router.
if a packet arrives from 172.16.104.x destined to 172.16.100.x it will just be passed straight through by your router.
if a packet arrives from 172.16.104.x destined to anywhere it will be NAT'd using PAT to change the source address to that of your dialer 1 interface.
So access list 102 is being used to determine which packets should be address translated. Everything else not being permitted to be NAT'd is just being let straight through.
Note that this only applies to networks that originate inside your Router.
e.g., if a packet arrives from 1.1.1.1 destined for 200.4.5.66 it will just be passed straight through by your router.
if a packet arrives from 172.16.104.x destined to 172.16.100.x it will just be passed straight through by your router.
if a packet arrives from 172.16.104.x destined to anywhere it will be NAT'd using PAT to change the source address to that of your dialer 1 interface.
So access list 102 is being used to determine which packets should be address translated. Everything else not being permitted to be NAT'd is just being let straight through.
Note that this only applies to networks that originate inside your Router.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.