Strange behavior allowing routing only 1 direction across NAT.

Posted on 2008-10-07
Last Modified: 2012-05-05
Okay, so the idea is pretty simple.  There are two subnets, let's say 192.168.0.0/24 and 10.0.0.0/24.  They are connected via a Cisco 3600.  There are two physical interfaces used and a NAT running.  The 192 NIC is inside and the 10 NIC is outside.

ip nat inside source list 1 interface FastEthernet0/1 overload

access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255

That really is it.  The permit for 10.0.0.0 actually doesn't do anything either, as far as I can tell.

Now, let's say I have a computer and I set the IP to 192.168.0.100.  It can ping 192, 10, or anything else without problems.  If I change the computer's IP to 10.0.0.100, various things happen.  I have tried on 3 computers.

#1 was a Vista box and it couldn't ping the 192 network at all, but it could ping everything else.

#2 was an XP box and it can ping the 192 network, but, for example, cannot connect on port 25 or 443 to the Exchange server on the 192 network.

#3 was a virtual server running 2k3 and it cannot ping anything on the 192 at all.

Does anyone have any idea why this is happening?  I can't figure out why it is allowing traffic one direction and I am getting problems (and different ones) trying to go the other way.

Oh, if anyone cares, IOS is c3640-js-m version 12.4(7g).
Question by:Telstar-Networks
Expert Comment

by:Don Johnston
ID: 22662351
It would help to see the config.

Which interface is inside and which is outside?

The NAT that you have configured is one-way (inside-to-outside). If you want to be able to initiate traffic from the outside, you'll need to use port forwarding.
 
Author Comment

by:Telstar-Networks
ID: 22662461
I think this is all that is relevant.

interface FastEthernet0/0
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 172.16.1.254 255.255.255.0
 ip broadcast-address 172.16.1.255
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

interface FastEthernet0/1
 ip address 10.0.0.253 255.255.255.0
 ip broadcast-address 10.0.0.255
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip http server
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 10.1.1.0 255.255.255.0 10.0.0.254
ip route 10.1.2.0 255.255.255.0 10.0.0.254
ip route 10.1.3.0 255.255.255.0 10.0.0.254
ip route 10.1.4.0 255.255.255.0 10.0.0.254
ip route 10.1.5.0 255.255.255.0 10.0.0.254
ip route 10.1.6.0 255.255.255.0 10.0.0.254
ip route 10.1.7.0 255.255.255.0 10.0.0.254
ip route 10.1.8.0 255.255.255.0 10.0.0.254
ip route 10.1.9.0 255.255.255.0 10.0.0.254
ip route 10.1.10.0 255.255.255.0 10.0.0.254
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 172.16.1.0 255.255.255.0 FastEthernet0/0
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
Expert Comment

by:Don Johnston
ID: 22662496
So you should be able to access anything on the 10.0.0.0 network FROM a device on the 192.168.0.0 network.

Does this work?
Author Comment

by:Telstar-Networks
ID: 22662512
Yep, that works fine.  It is just going back from the 10.0 network to the 192.168 that fails.
Expert Comment

by:Don Johnston
ID: 22663007
Yeah. That's not going to work with your configuration.

You'll need to forward incoming traffic.

For example, the following line will forward incoming web traffic to 192.168.0.4

ip nat inside source static tcp 192.168.0.4 80 10.0.0.253 80 extendable

Author Comment

by:Telstar-Networks
ID: 22663042
So... I need to include a line for every transfer to each host on each separate port?
Expert Comment

by:Don Johnston
ID: 22663075
>So... I need to include a line for every transfer to each host on each separate port?

No. But if you don't then all incoming traffic will be directed to a single host.

ip nat inside source static ip 192.168.0.4 10.0.0.253 extendable

will forward ALL inbound traffic to 192.168.0.4
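As an added illustration of the one-way behaviour described in the comments above (this is example code, not anything posted in the thread or running on the router): a small Python model of the translation table that "ip nat inside source list 1 interface FastEthernet0/1 overload" builds, plus the static SMTP entry in the form the expert suggested. It assumes the inside-global address is the router's own FastEthernet0/1 address 10.0.0.253, and the port allocation is constructed.

```python
# Added example, not from the thread: a minimal model of IOS "ip nat inside source"
# translation logic for the posted configuration. Addresses are the thread's; the
# port allocation and the table entries are constructed for the demonstration.
from ipaddress import ip_address, ip_network

ACL_1 = [ip_network("192.168.0.0/24"), ip_network("10.0.0.0/24")]  # access-list 1
OUTSIDE_IF = "10.0.0.253"  # FastEthernet0/1: the inside-global address used by "overload"


class NatTable:
    """Entries map (inside_global_ip, port, proto) -> (inside_local_ip, port)."""

    def __init__(self, static=None):
        self.static = dict(static or {})  # from "ip nat inside source static ..." lines
        self.dynamic = {}                  # created only by inside-to-outside traffic
        self.next_port = 1024              # constructed; real PAT keeps the port when it can

    def inside_to_outside(self, src_ip, src_port, proto):
        """Packet going from 'ip nat inside' to 'ip nat outside': rewrite its source."""
        for key, local in {**self.static, **self.dynamic}.items():
            if local == (src_ip, src_port) and key[2] == proto:
                return key[0], key[1]  # existing entry, static or dynamic
        if not any(ip_address(src_ip) in net for net in ACL_1):
            return src_ip, src_port  # not permitted by access-list 1: forwarded untranslated
        key = (OUTSIDE_IF, self.next_port, proto)
        self.next_port += 1
        self.dynamic[key] = (src_ip, src_port)
        return key[0], key[1]

    def outside_to_inside(self, dst_ip, dst_port, proto):
        """Packet arriving on 'ip nat outside': rewrite destination only if an entry exists."""
        key = (dst_ip, dst_port, proto)
        return self.static.get(key) or self.dynamic.get(key) or (dst_ip, dst_port)


def reply_matches_request(table, dst_ip, dst_port, proto="tcp"):
    """Outside host sends to (dst_ip, dst_port): does the reply come back from that address?"""
    local_ip, local_port = table.outside_to_inside(dst_ip, dst_port, proto)
    return table.inside_to_outside(local_ip, local_port, proto) == (dst_ip, dst_port)


if __name__ == "__main__":
    t = NatTable()
    # 192.168.0.100 -> 10.0.0.100 works: the outbound flow creates the entry the reply needs.
    print(t.inside_to_outside("192.168.0.100", 5000, "tcp"))  # ('10.0.0.253', 1024)
    print(t.outside_to_inside("10.0.0.253", 1024, "tcp"))     # ('192.168.0.100', 5000)
    # 10.0.0.100 -> 192.168.0.3:25 fails: the reply's source is rewritten to 10.0.0.253.
    print(reply_matches_request(t, "192.168.0.3", 25))       # False
    # With a static entry on the router's outside address the SMTP path is symmetric.
    s = NatTable({("10.0.0.253", 25, "tcp"): ("192.168.0.3", 25)})
    print(reply_matches_request(s, "10.0.0.253", 25))        # True
```

The model only covers static entries whose inside-global address belongs to the router, as in the expert's examples (10.0.0.253); the entry tried later in the thread uses 10.0.0.100, the VoIP server's own address, which is a different situation this model does not represent.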
Author Comment

by:Telstar-Networks
ID: 22663111
Okay.  I get you.  Let me test it out a bit, it seems to be having... unexpected consequences.
Author Comment

by:Telstar-Networks
ID: 22663211
Okay, so here is what happened.  10.0.0.100 is a VoIP server.  192.168.0.3 is an Exchange 07 box.  The VoIP server is supposed to email voice messages to people's inboxes.  Hence the whole problem: the voice server can't contact the Exchange box.

Using this

ip nat inside source static tcp 192.168.0.3 25 10.0.0.100 25 extendable

stopped all the phones (which are assigned 192.168.0.0 addresses) from being able to contact their VoIP server in what seems like every way.  Am I missing something?  Shouldn't that statement only be routing PAT between the two hosts on 25?
Expert Comment

by:Don Johnston
ID: 22663277
First things first... Does it work without NAT configured?

Author Comment

by:Telstar-Networks
ID: 22663308
Yes, it works fine without NAT configured.  However, NAT must be configured simply because the various subnets running through the network aren't all 1 company.
Expert Comment

by:Don Johnston
ID: 22680138
Something is fishy. Can you post the config (with the static NAT statement) and the output of a "show ip nat trans"?
Author Comment

by:Telstar-Networks
ID: 22680155
Well, I could, but it will have to wait for a while.  When that static NAT statement got put in last, it tripped out the VoIP controller so badly the thing took a 12 minute reboot, downing all the phones for that period of time.
Accepted Solution

by:Telstar-Networks
ID: 23215308
No time to keep working on this.  Just moved equip around temporarily to alleviate symptoms.