Solved

Strange behavior allowing routing only 1 direction across NAT.

Posted on 2008-10-07
Last Modified: 2012-05-05
Okay, so the idea is pretty simple.  There are two subnets, let's say 192.168.0.0/24 and 10.0.0.0/24.  They are connected via a Cisco 3600.  There are two physical interfaces used and a NAT running.  The 192 NIC is inside and the 10 NIC is outside.

ip nat inside source list 1 interface FastEthernet0/1 overload

access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255

That really is it.  The permit for 10.0.0.0 actually doesn't do anything either, that I can tell.  

Now, let's say I have a computer and I set the IP to 192.168.0.100.  It can ping 192, 10, or anything else without problems.  If I change the computer's IP to 10.0.0.100, various things happen.  I have tried on 3 computers.

#1 was a Vista box and it couldn't ping the 192 network at all, but it could ping everything else.

#2 was an XP box and it can ping the 192 network, but, for example, cannot connect on port 25 or 443 to the Exchange server on the 192 network.

#3 was a virtual server running 2k3 and it cannot ping anything on the 192 at all.

Does anyone have any idea why this is happening?  I can't figure out why it is allowing traffic one direction and I am getting problems (and different ones) trying to go the other way.

Oh, if anyone cares, IOS is c3640-js-m version 12.4(7g).
Question by:Telstar-Networks
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22662351
It would help to see the config.

Which interface is inside and which is outside?

The NAT that you have configured is one-way  (inside-to-outside). If you want to be able to initiate traffic from the outside, you'll need to use port forwarding.
 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22662461
I think this is all that is relevant.

interface FastEthernet0/0
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 172.16.1.254 255.255.255.0
 ip broadcast-address 172.16.1.255
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

interface FastEthernet0/1
 ip address 10.0.0.253 255.255.255.0
 ip broadcast-address 10.0.0.255
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip http server
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 10.1.1.0 255.255.255.0 10.0.0.254
ip route 10.1.2.0 255.255.255.0 10.0.0.254
ip route 10.1.3.0 255.255.255.0 10.0.0.254
ip route 10.1.4.0 255.255.255.0 10.0.0.254
ip route 10.1.5.0 255.255.255.0 10.0.0.254
ip route 10.1.6.0 255.255.255.0 10.0.0.254
ip route 10.1.7.0 255.255.255.0 10.0.0.254
ip route 10.1.8.0 255.255.255.0 10.0.0.254
ip route 10.1.9.0 255.255.255.0 10.0.0.254
ip route 10.1.10.0 255.255.255.0 10.0.0.254
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 172.16.1.0 255.255.255.0 FastEthernet0/0
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22662496
So you should be able to access anything on the 10.0.0.0 network FROM a device on the 192.168.0.0 network.

Does this work?
 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22662512
Yep, that works fine.  It is just going back from the 10.0 network to the 192.168 that fails.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22663007
Yeah. That's not going to work with your configuration.

You'll need to forward incoming traffic.

For example, the following line will forward incoming web traffic to 192.168.0.4:

ip nat inside source static tcp 192.168.0.4 80 10.0.0.253 80 extendable

 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22663042
So... I need to include a line for every transfer to each host on each separate port?
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22663075
>So... I need to include a line for every transfer to each host on each separate port?

No. But if you don't then all incoming traffic will be directed to a single host.

ip nat inside source static ip 192.168.0.4 10.0.0.253 extendable

will forward ALL inbound traffic to 192.168.0.4
 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22663111
Okay.  I get you.  Let me test it out a bit, it seems to be having... unexpected consequences.
 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22663211
Okay, so here is what happened.  10.0.0.100 is a VoIP server.  192.168.0.3 is an Exchange 07 box.  The VoIP server is supposed to email voice messages to people's inbox.  Hence, the whole problem, the voice server can't contact the Exchange box.  

Using this

ip nat inside source static tcp 192.168.0.3 25 10.0.0.100 25 extendable

stopped all the phones (which are assigned 192.168.0.0 addresses) from being able to contact their VoIP server in what seems like every way.  Am I missing something?  Shouldn't that statement only be routing PAT between the two hosts on 25?
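An added illustration (my own toy model, written for this thread; it is not Cisco code and not from any of the posts) of the two points made above: why an "ip nat inside source ... overload" configuration lets 192.168.0.x hosts reach the 10.0.0.0/24 side but not the reverse, and what a static entry changes. The model routes an outside-initiated packet addressed to 192.168.0.3 inward untranslated (the router has a route for 192.168.0.0/24), then rewrites the reply's source to 10.0.0.253 because access-list 1 matches it, so the VoIP server sees the SYN/ACK come back from a different address than the one it connected to and the port 25 session never completes. It then shows that a static entry keyed on the router's own outside address, as in the expert's example, keeps both directions consistent. Finally it flags a static entry whose inside-global address is a real host on the outside LAN (10.0.0.100 here), because IOS answers ARP for static inside-global addresses that fall in the outside interface's subnet unless the entry is given no-alias; the thread does not confirm that this aliasing is what disrupted the VoIP controller, but it is the first thing to rule out. The addresses and subnets are taken from the posted config and the asker's description; the hosts, ports and ARP model are constructed assumptions.

```python
# Added example for this thread; it is not Cisco code and not from the posts.
# Toy model of how "ip nat inside source" treats the two traffic directions.
# Constructed values: outside address 10.0.0.253 and the subnets come from the
# posted config; 192.168.0.3 (Exchange) and 10.0.0.100 (VoIP) from the asker.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, Optional[int]]   # (address, port); port None = whole address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    outside_ip: str        # Fa0/1 address, also the "overload" (PAT) address
    inside_net: str        # the range access-list 1 permits
    outside_net: str
    static: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # global -> local
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # dynamic PAT entries
    next_port: int = 1024

    def add_static(self, local_ip: str, global_ip: str, port: Optional[int] = None) -> None:
        """ip nat inside source static {tcp L P G P | ip L G} [extendable]"""
        self.static[(global_ip, port)] = (local_ip, port)

    def owned_outside_addresses(self) -> Set[str]:
        """Addresses the router answers ARP for on the outside interface: its own,
        plus static inside-global addresses in that subnet (IOS aliases them
        unless the entry says no-alias)."""
        net = ip_network(self.outside_net)
        return {self.outside_ip} | {g for g, _ in self.static if ip_address(g) in net}

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet leaving through the outside interface: rewrite the source."""
        if ip_address(pkt.src) not in ip_network(self.inside_net):
            return pkt                                     # not in the ACL: untouched
        for (gip, gport), (lip, lport) in self.static.items():  # static entries first
            if lip == pkt.src and (lport is None or lport == pkt.sport):
                return Packet(gip, pkt.sport if gport is None else gport, pkt.dst, pkt.dport)
        gport = self.next_port                             # otherwise a new PAT entry
        self.next_port += 1
        self.table[(self.outside_ip, gport)] = (pkt.src, pkt.sport)
        return Packet(self.outside_ip, gport, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the outside interface: rewrite the destination if a
        dynamic or static entry matches; None if it is for a NAT address with no
        entry (dropped or consumed by the router); otherwise plain routing."""
        for entries in (self.table, self.static):
            hit = entries.get((pkt.dst, pkt.dport)) or entries.get((pkt.dst, None))
            if hit:
                lip, lport = hit
                return Packet(pkt.src, pkt.sport, lip, pkt.dport if lport is None else lport)
        return None if pkt.dst in self.owned_outside_addresses() else pkt


def reply_source_seen_by_client(router: NatRouter, request: Packet) -> Optional[str]:
    """Send an outside-initiated request inward, let the inside host answer, and
    return the source address the client sees on the reply (None: no reply)."""
    inbound = router.outside_to_inside(request)
    if inbound is None:
        return None
    reply = Packet(inbound.dst, inbound.dport, inbound.src, inbound.sport)
    return router.inside_to_outside(reply).src


def address_collisions(router: NatRouter, outside_hosts: Set[str]) -> Set[str]:
    """Static inside-global addresses that already belong to hosts on the outside LAN."""
    return router.owned_outside_addresses() & outside_hosts


def make_router() -> NatRouter:
    return NatRouter("10.0.0.253", "192.168.0.0/24", "10.0.0.0/24")


if __name__ == "__main__":
    # 1. Overload only: the SYN reaches 192.168.0.3 untranslated, but the SYN/ACK
    #    leaves with source 10.0.0.253, so the client never completes the handshake.
    r = make_router()
    print("no static entry, reply from:",
          reply_source_seen_by_client(r, Packet("10.0.0.100", 40000, "192.168.0.3", 25)))
    # 2. Static port forward on the router's own address: both directions agree.
    r = make_router()
    r.add_static("192.168.0.3", "10.0.0.253", 25)
    print("static on 10.0.0.253, reply from:",
          reply_source_seen_by_client(r, Packet("10.0.0.100", 40000, "10.0.0.253", 25)))
    # 3. Static entry using the VoIP server's own address as inside-global.
    r = make_router()
    r.add_static("192.168.0.3", "10.0.0.100", 25)
    print("addresses the router would claim that belong to real hosts:",
          address_collisions(r, {"10.0.0.100", "10.0.0.254"}))
```

The model keeps only the parts of NAT that matter for this thread (source rewriting on the way out, destination rewriting on the way in, and ARP aliasing of static inside-global addresses); real IOS also keys dynamic entries on the remote address and port and ages them out, which does not change the outcome of the three cases.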
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22663277
First things first... Does it work without NAT configured?

 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22663308
Yes, it works fine without NAT configured.   However, NAT must be configured simply because the various subnets running through the network aren't all 1 company.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 22680138
Something is fishy. Can you post the config (with the static NAT statement) and the output of a "show ip nat trans"?
 
LVL 1

Author Comment

by:Telstar-Networks
ID: 22680155
Well, I could, but it will have to wait for a while.  When that static NAT statement got put in last, it tripped out the VoIP controller so badly the thing took a 12 minute reboot, downing all the phones for that period of time.
 
LVL 1

Accepted Solution

by:
Telstar-Networks earned 0 total points
ID: 23215308
No time to keep working on this.  Just moved equip around temporarily to alleviate symptoms.