Strange behavior allowing routing only 1 direction across NAT.

Okay, so the idea is pretty simple.  There are two subnets, let's say 192.168.0.0/24 and 10.0.0.0/24.  They are connected via a Cisco 3600.  There are two physical interfaces used and a NAT running.  The 192 NIC is inside and the 10 NIC is outside.

ip nat inside source list 1 interface FastEthernet0/1 overload

access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255

That really is it.  The permit for 10.0.0.0 actually doesn't do anything either, that I can tell.  

Now, let's say I have a computer and I set the IP to 192.168.0.100.  It can ping 192, 10, or anything else without problems.  If I change the computer's IP to 10.0.0.100, various things happen.  I have tried on 3 computers.

#1 was a Vista box and it couldn't ping the 192 network at all, but it could ping everything else.

#2 was an XP box and it can ping the 192 network, but, for example, cannot connect on port 25 or 443 to the Exchange server on the 192 network.

#3 was a virtual server running 2k3 and it cannot ping anything on the 192 at all.

Does anyone have any idea why this is happening?  I can't figure out why it is allowing traffic one direction and I am getting problems (and different ones) trying to go the other way.

Oh, if anyone cares, IOS is c3640-js-m version 12.4(7g).
Asked by Telstar-Networks
1 Solution
 
Don Johnston commented:
It would help to see the config.

Which interface is inside and which is outside?

The NAT that you have configured is one-way  (inside-to-outside). If you want to be able to initiate traffic from the outside, you'll need to use port forwarding.
0
 
Telstar-Networks (Author) commented:
I think this is all that is relevant.

interface FastEthernet0/0
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 172.16.1.254 255.255.255.0
 ip broadcast-address 172.16.1.255
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

interface FastEthernet0/1
 ip address 10.0.0.253 255.255.255.0
 ip broadcast-address 10.0.0.255
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip http server
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 10.1.1.0 255.255.255.0 10.0.0.254
ip route 10.1.2.0 255.255.255.0 10.0.0.254
ip route 10.1.3.0 255.255.255.0 10.0.0.254
ip route 10.1.4.0 255.255.255.0 10.0.0.254
ip route 10.1.5.0 255.255.255.0 10.0.0.254
ip route 10.1.6.0 255.255.255.0 10.0.0.254
ip route 10.1.7.0 255.255.255.0 10.0.0.254
ip route 10.1.8.0 255.255.255.0 10.0.0.254
ip route 10.1.9.0 255.255.255.0 10.0.0.254
ip route 10.1.10.0 255.255.255.0 10.0.0.254
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 172.16.1.0 255.255.255.0 FastEthernet0/0
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
0
 
Don Johnston commented:
So you should be able to access anything on the 10.0.0.0 network FROM a device on the 192.168.0.0 network.

Does this work?
0
Telstar-Networks (Author) commented:
Yep, that works fine.  It is just going back from the 10.0 network to the 192.168 that fails.
0
 
Don Johnston commented:
Yeah. That's not going to work with your configuration.

You'll need to forward incoming traffic.

For example, the following line will forward incoming web traffic to 192.168.0.4

ip nat inside source static tcp 192.168.0.4 80 10.0.0.253 80 extendable

0
 
Telstar-Networks (Author) commented:
So... I need to include a line for every transfer to each host on each separate port?
0
 
Don Johnston commented:
>So... I need to include a line for every transfer to each host on each separate port?

No. But if you don't then all incoming traffic will be directed to a single host.

ip nat inside source static 192.168.0.4 10.0.0.253 extendable

will forward ALL inbound traffic to 192.168.0.4
0
 
Telstar-Networks (Author) commented:
Okay.  I get you.  Let me test it out a bit, it seems to be having... unexpected consequences.
0
 
Telstar-Networks (Author) commented:
Okay, so here is what happened.  10.0.0.100 is a VoIP server.  192.168.0.3 is an Exchange 07 box.  The VoIP server is supposed to email voice messages to people's inbox.  Hence, the whole problem, the voice server can't contact the Exchange box.  

Using this

ip nat inside source static tcp 192.168.0.3 25 10.0.0.100 25 extendable

stopped all the phones (which are assigned 192.168.0.0 addresses) from being able to contact their VoIP server in what seems like every way.  Am I missing something?  Shouldn't that statement only be routing PAT between the two hosts on 25?
0
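The translation semantics behind Don's "NAT is one-way" explanation and the port-forward he suggests, worked through for this thread's topology, as an added example by the editor (a model of IOS inside-source NAT, not IOS code and not from either participant). Router and host addresses are the ones posted (Fa0/1 10.0.0.253, VoIP server 10.0.0.100, Exchange 192.168.0.3); the phone 192.168.0.50 and every port number other than 25 and the SIP port are constructed. The model shows why an outside-initiated TCP/25 connection to 192.168.0.3 fails even though the SYN is routed in: the SYN-ACK leaving the inside interface matches access-list 1 and is PAT'ed to a fresh port on 10.0.0.253, so the VoIP server never sees a reply from the tuple it connected to, while a static tcp entry keeps both directions on one global tuple. One caveat the model does not cover, because it ignores layer 2: the line tested in the thread uses 10.0.0.100, the VoIP server's own address, as the global address, and IOS answers ARP on the outside interface for a static NAT global address (the `no-alias` keyword exists to suppress this), so that mapping overlaps a live host. The example therefore uses the router's Fa0/1 address 10.0.0.253 as the global address, as Don's first port-forward example does.

```python
"""Editor's model of 'ip nat inside source' translation on the thread's router.
This is an added example, not IOS code.  Router/host addresses come from the
posted config and comments; 192.168.0.50 and most port numbers are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ROUTER_OUTSIDE = "10.0.0.253"                                        # Fa0/1, 'ip nat outside'
ACL_1 = [ip_network("192.168.0.0/24"), ip_network("10.0.0.0/24")]   # access-list 1


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class InsideSourceNat:
    """Overload PAT on the outside address plus optional static entries."""
    overload_addr: str = ROUTER_OUTSIDE
    static_tcp: dict = field(default_factory=dict)  # (gaddr, gport) -> (laddr, lport)
    static_ip: dict = field(default_factory=dict)   # gaddr -> laddr (all ports)
    dynamic: dict = field(default_factory=dict)     # (proto, gaddr, gport) -> (laddr, lport, raddr, rport)
    next_port: int = 1024

    def _static_global(self, proto, laddr, lport):
        """Static entries translate both ways; return the global side for a local endpoint."""
        if proto == "tcp":
            for (ga, gp), (la, lp) in self.static_tcp.items():
                if (la, lp) == (laddr, lport):
                    return ga, gp
        for ga, la in self.static_ip.items():
            if la == laddr:
                return ga, lport
        return None

    def inside_to_outside(self, p: Pkt) -> Pkt:
        """Packet entering on 'ip nat inside', leaving on 'ip nat outside'."""
        if not any(ip_address(p.src) in net for net in ACL_1):
            return p                                  # not in list 1: forwarded untranslated
        g = self._static_global(p.proto, p.src, p.sport)
        if g is None:                                 # reuse an existing extended entry
            for (proto, ga, gp), (la, lp, ra, rp) in self.dynamic.items():
                if (proto, la, lp, ra, rp) == (p.proto, p.src, p.sport, p.dst, p.dport):
                    g = (ga, gp)
                    break
        if g is None:                                 # new flow: allocate a PAT port
            g = (self.overload_addr, self.next_port)
            self.next_port += 1
            self.dynamic[(p.proto, *g)] = (p.src, p.sport, p.dst, p.dport)
        return Pkt(p.proto, g[0], g[1], p.dst, p.dport)

    def outside_to_inside(self, p: Pkt) -> Pkt:
        """Packet entering on 'ip nat outside'.  The destination is de-translated only
        if a dynamic or static entry matches; otherwise it is routed as-is."""
        entry = self.dynamic.get((p.proto, p.dst, p.dport))
        if entry and entry[2:] == (p.src, p.sport):   # overload entries are per remote endpoint
            return Pkt(p.proto, p.src, p.sport, entry[0], entry[1])
        if p.proto == "tcp" and (p.dst, p.dport) in self.static_tcp:
            la, lp = self.static_tcp[(p.dst, p.dport)]
            return Pkt(p.proto, p.src, p.sport, la, lp)
        if p.dst in self.static_ip:
            return Pkt(p.proto, p.src, p.sport, self.static_ip[p.dst], p.dport)
        return p


def phone_to_voip(nat):
    """Inside-initiated: a phone registers to the VoIP server and gets its reply."""
    out = nat.inside_to_outside(Pkt("udp", "192.168.0.50", 5060, "10.0.0.100", 5060))
    back = nat.outside_to_inside(Pkt("udp", "10.0.0.100", 5060, out.src, out.sport))
    return out, back


def voip_to_exchange(nat, target):
    """Outside-initiated: the VoIP server opens TCP/25 to `target`; return the SYN as
    it reaches the inside and the Exchange box's SYN-ACK as the VoIP server sees it."""
    syn = nat.outside_to_inside(Pkt("tcp", "10.0.0.100", 40000, target, 25))
    synack = nat.inside_to_outside(Pkt("tcp", syn.dst, syn.dport, syn.src, syn.sport))
    return syn, synack


if __name__ == "__main__":
    # Posted config only: the SYN reaches 192.168.0.3, but the SYN-ACK is PAT'ed to a
    # fresh port on 10.0.0.253, so the VoIP server never sees a reply from 192.168.0.3:25.
    syn, synack = voip_to_exchange(InsideSourceNat(), "192.168.0.3")
    print("no static entry :", syn, "->", synack)
    # With 'ip nat inside source static tcp 192.168.0.3 25 10.0.0.253 25 extendable'
    # the VoIP server targets 10.0.0.253:25 and the reply comes back from that same tuple.
    nat = InsideSourceNat(static_tcp={("10.0.0.253", 25): ("192.168.0.3", 25)})
    syn, synack = voip_to_exchange(nat, "10.0.0.253")
    print("static tcp 25   :", syn, "->", synack)
    print("phone -> voip   :", phone_to_voip(InsideSourceNat()))
```

The `static_ip` form models the catch-all `ip nat inside source static 192.168.0.4 10.0.0.253 extendable`: every inbound port on 10.0.0.253, including the router's own `ip http server` and SNMP, would be handed to 192.168.0.4, which is the "unexpected consequences" trade-off of a single static mapping versus one line per service.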
 
Don Johnston commented:
First things first... Does it work without NAT configured?

0
 
Telstar-Networks (Author) commented:
Yes, it works fine without NAT configured.   However, NAT must be configured simply because the various subnets running through the network aren't all 1 company.
0
 
Don Johnston commented:
Something is fishy. Can you post the config (with the static NAT statement) and the output of a "show ip nat trans"?
0
 
Telstar-Networks (Author) commented:
Well, I could, but it will have to wait for a while.  When that static NAT statement got put in last, it tripped out the VoIP controller so badly the thing took a 12 minute reboot, downing all the phones for that period of time.
0
 
Telstar-Networks (Author) commented:
No time to keep working on this.  Just moved equip around temporarily to alleviate symptoms.
0