Solved

Cisco NAT/PAT translating but static nats cannot reach the internet

Posted on 2008-10-10
8
619 Views
Last Modified: 2008-10-18
I have the following router configuration. It isn't really that fancy. My internal network is on a 10.20.20.0 subnet and this includes the four servers: 10.20.20.50, 49, 48, and 52. They have static outside IPs we'll call XXX.XX.XX.81, 82, 83 and 84. I have a default outside IP of XX.XX.XX.78 to use for ALL traffic that isn't for these four machines.

I can access the machines from outside just fine... but these machines cannot get any access AT ALL to the outside. They can reply to incoming requests just fine, but I can't even do a ping to an outside IP address. I disabled my firewall access-lists altogether to prove to myself that it wasn't a firewall issue... and it isn't.

What's wrong with my nat config? I've tracked down that it may be due to overloading an interface... but I'm not sure!
(Also, note the 192.168.3.0... this is my vpn pool that works perfectly)

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!

(access-lists not shown except the nat acl)

access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any

0
Question by:JAMason1182
8 Comments
 
LVL 2

Expert Comment

by:Matt1705
You have left a bunch on your config file, but the problem is probably because messages from your servers to the outside are leaving labeled as coming from X.78.   When they return to the X.78 address they are being routed to your other subnet.
0
 

Author Comment

by:JAMason1182
Well, here's a copy of the "sh ip nat translations" command. You'll see that the 81, 82, 83, and 84 are being translated correctly. Also, the 78 has about 100 entries, so I know that the desktops are all getting an outside address of xxx.xx.xx.78. Also, I have "debug ip packet" and "debug ip nat" enabled, and here's a snippet of the log (below the sh ip nat translations) pertaining to an attempt at connecting to google from my 83 server.


midnr001#sh ip nat translations

Pro Inside global         Inside local          Outside local         Outside global
--- XXX.XX.XX.81          10.20.20.48           ---                   ---
udp XXX.XX.XX.82:123      10.20.20.49:123       128.194.254.7:123     128.194.254.7:123
--- XXX.XX.XX.82          10.20.20.49           ---                   ---
udp XXX.XX.XX.84:123      10.20.20.50:123       128.194.254.8:123     128.194.254.8:123
tcp XXX.XX.XX.84:33400    10.20.20.50:33400     12.120.18.110:80      12.120.18.110:80
tcp XXX.XX.XX.84:33402    10.20.20.50:33402     12.120.18.110:80      12.120.18.110:80
tcp XXX.XX.XX.84:33403    10.20.20.50:33403     12.120.18.110:80      12.120.18.110:80
--- XXX.XX.XX.84          10.20.20.50           ---                   ---
--- XXX.XX.XX.83          10.20.20.52           ---                   ---
udp XXX.XX.XX.78:50074    10.20.20.54:50074     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:50310    10.20.20.54:50310     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:51089    10.20.20.54:51089     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:51438    10.20.20.54:51438     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52292    10.20.20.54:52292     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52449    10.20.20.54:52449     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52552    10.20.20.54:52552     216.10.32.10:53       XXX.XX.32.10:53

midnr001#sh log | include 74.125.45.99
944746: .Oct 10 12:47:14.980 Chicago: NAT*: s=10.20.20.52->XXX.XX.XX.83, d=74.125.45.99 [40340]

0
 
LVL 28

Expert Comment

by:batry_boy
What does access list 100 look like?  This is the one applied inbound to your inside router interface....
0
 

Author Comment

by:JAMason1182
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet
access-list 100 deny   tcp any host 10.20.20.1 eq 22
access-list 100 deny   tcp any host 10.20.20.1 eq www
access-list 100 deny   tcp any host 10.20.20.1 eq 443
access-list 100 deny   tcp any host 10.20.20.1 eq cmd
access-list 100 deny   udp any host 10.20.20.1 eq snmp
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
0
 
LVL 4

Expert Comment

by:ckozloski
This may be trivial but have you tried pinging by IP or DNS Name? Can you ping something outside by IP address? What DNS servers are your public servers using to resolve to?
0
 

Author Comment

by:JAMason1182
My public servers use our internal dns servers to resolve names. I have tried pinging from the servers with both the IP and the DNS name.

When I ping from the server I can immediately go to the router and do a "sh ip nat translations" and see the successful nat translation. BUT, I never get a connection on the server. It is like it doesn't get anything back!

I guess my big question concerns my access-list 101 (incoming from my Serial port (internet)) and why the NATted address isn't coming BACK in for the servers. (Again, it works GREAT for the desktops!)

You'll notice the first thing I have listed is "permit tcp any any established".....




access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 permit tcp any any established
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any
access-list 101 deny   udp any any range 1025 1028
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003
access-list 101 deny   tcp any any range 2000 2003
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   udp any any eq 2049
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log

0
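To reason about which return flows access-list 101 admits for the static-NAT hosts, here is a small first-match evaluator for the extended-ACL syntax used on this page. It is an added example, not code from the question or from Cisco; the IOS port-name mapping, the placeholder addresses 203.0.113.n standing in for the redacted XXX.XX.XX.n globals, and the sample packets are all assumptions.

```python
import ipaddress
# IOS port-name keywords used by the ACLs on this page (assumed name -> number mapping).
PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "isakmp": 500, "smtp": 25, "pop3": 110}
M32 = 0xFFFFFFFF

def _ip(s): return int(ipaddress.IPv4Address(s))
def _port(s): return int(PORT_NAMES.get(s, s))

def _addr(t):  # consume 'any' | 'host A' | 'A WILDCARD' -> ((net, wildcard), rest)
    if t[0] == "any": return (0, M32), t[1:]
    if t[0] == "host": return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]

def _ports(t):  # consume optional 'eq N' | 'range A B' -> ((lo, hi) or None, rest)
    if t and t[0] == "eq": return (_port(t[1]),) * 2, t[2:]
    if t and t[0] == "range": return (_port(t[1]), _port(t[2])), t[3:]
    return None, t

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [ports] DST [ports] [established|icmp-type] [log]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[2] == "remark": continue   # remarks carry no match logic
        src, rest = _addr(t[4:]); sport, rest = _ports(rest)
        dst, rest = _addr(rest);  dport, rest = _ports(rest)
        rules.append(dict(text=line, action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
                          dport=dport, established="established" in rest,
                          icmp=next((x for x in rest if x not in ("established", "log")), None)))
    return rules
def _in(ip, spec):  # wildcard bit set means "don't care"
    return (_ip(ip) & ~spec[1] & M32) == (spec[0] & ~spec[1] & M32)
def _port_ok(p, rng): return rng is None or rng[0] <= p <= rng[1]

def evaluate(rules, pkt):
    """First match wins; return (action, matching line). pkt keys: proto, src, dst, sport, dport, ack, icmp_type."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]: continue
        if not (_in(pkt["src"], r["src"]) and _in(pkt["dst"], r["dst"])): continue
        if not (_port_ok(pkt.get("sport", 0), r["sport"]) and _port_ok(pkt.get("dport", 0), r["dport"])): continue
        if r["established"] and not pkt.get("ack"): continue   # 'established' needs ACK or RST
        if r["icmp"] and r["icmp"] != pkt.get("icmp_type"): continue
        return r["action"], r["text"]
    return "deny", "implicit deny"
# Constructed subset of the question's ACL 101 (original order); redacted XXX.XX.XX.n -> placeholder 203.0.113.n.
ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 203.0.113.83 eq www
access-list 101 permit udp any host 203.0.113.81 eq domain
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
"""
RULES = parse_acl(ACL_101)
def return_traffic_to_83():
    """Replies to the .83 static-NAT host as the inbound ACL on Serial0/0/0 sees them (destination is
    still the inside-global address, because an inbound ACL is evaluated before outside-to-inside NAT)."""
    flows = {"tcp syn-ack": dict(proto="tcp", src="74.125.45.99", sport=80, dst="203.0.113.83", dport=40340, ack=True),
             "udp dns reply": dict(proto="udp", src="216.10.32.10", sport=53, dst="203.0.113.83", dport=50074),
             "icmp echo-reply": dict(proto="icmp", src="74.125.45.99", dst="203.0.113.83", icmp_type="echo-reply")}
    return {name: evaluate(RULES, p)[0] for name, p in flows.items()}
```

Against the question's list, TCP replies pass on the established line and ICMP echo-reply on its own permit, but a UDP reply addressed to the .83 host falls through to the deny udp any any entry (the author's servers use internal DNS, so that alone did not explain the symptom).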
 

Author Comment

by:JAMason1182
OK, here's something new... somehow I have lost the ability to communicate with xxx.xx.xx.83 with anyone outside the LAN at all.... not even that which is opened up explicitly with the ACL.

I did do a check however to see if my router could hit the same server my 83 server was trying to hit... voila, no problem.

So, I'll repost my entire config (not VPN stuff obviously, but ACLs and port info). Something is seriously wrong here!
(oh, and I added logs to EVERY ACL deny statement.... I'm not getting any logs when my 83 server doesn't get out.)

WAIT! Don't ask. I can easily get from the 83 server to every other comp in the LAN, including the router (the 83 server is the machine I am going through to configure the router)

Please help!



interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any

access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log

access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any

access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log

access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!

0
 

Accepted Solution

by:JAMason1182 (earned 0 total points)
Wow. I figured it out. My ISP has obviously done something to the routes... pings going in and pings going out are dropped between my router and my gateway with my ISP. Traceroutes end with an infinite loop.

So I just called them and voila... they restored their good configuration of their router, thus I'm now in the clear. I told them to write the running-config to the startup-config.... like now.



0
