Solved

Cisco NAT/PAT translating but static nats cannot reach the internet

Posted on 2008-10-10
Last Modified: 2008-10-18
I have the following router configuration. It isn't really that fancy. My internal network is on a 10.20.20.0 subnet and this includes the four servers: 10.20.20.50, 49, 48, and 52. They have static outside IPs we'll call XXX.XX.XX.81, 82, 83 and 84. I have a default outside IP of XXX.XX.XX.78 to use for ALL traffic that isn't for these four machines.

I can access the machines from outside just fine... but these machines cannot get any access AT ALL to the outside. They can reply to incoming requests just fine, but I can't even do a ping to an outside IP address. I disabled my firewall access-lists altogether to prove to myself that it wasn't a firewall issue... and it isn't.

What's wrong with my nat config? I've tracked down that it may be due to overloading an interface... but I'm not sure!
(Also, note the 192.168.3.0... this is my vpn pool that works perfectly)

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!

(access-lists not shown except the nat acl)

access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any

Question by:JAMason1182
Expert Comment

by:Matt1705
ID: 22689463
You have left a bunch out of your config file, but the problem is probably because messages from your servers to the outside are leaving labeled as coming from X.78. When they return to the X.78 address they are being routed to your other subnet.
Author Comment

by:JAMason1182
ID: 22689527
Well, here's a copy of the "sh ip nat translations" command. You'll see that the 81,82,83, and 84 are being translated correctly. Also, the 78 has about 100 entries, so I know that the desktops are all getting an outside address of xxx.xx.xx.78. Also, I have "debug ip packet" and "debug ip nat" enabled, and here's a snippet of the log (below the sh ip nat translations) pertaining to an attempt at connecting to google from my 83 server.


midnr001#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- XXX.XX.XX.81          10.20.20.48           ---                   ---
udp XXX.XX.XX.82:123      10.20.20.49:123       128.194.254.7:123     128.194.254.7:123
--- XXX.XX.XX.82          10.20.20.49           ---                   ---
udp XXX.XX.XX.84:123      10.20.20.50:123       128.194.254.8:123     128.194.254.8:123
tcp XXX.XX.XX.84:33400    10.20.20.50:33400     12.120.18.110:80      12.120.18.110:80
tcp XXX.XX.XX.84:33402    10.20.20.50:33402     12.120.18.110:80      12.120.18.110:80
tcp XXX.XX.XX.84:33403    10.20.20.50:33403     12.120.18.110:80      12.120.18.110:80
--- XXX.XX.XX.84          10.20.20.50           ---                   ---
--- XXX.XX.XX.83          10.20.20.52           ---                   ---
udp XXX.XX.XX.78:50074    10.20.20.54:50074     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:50310    10.20.20.54:50310     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:51089    10.20.20.54:51089     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:51438    10.20.20.54:51438     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52292    10.20.20.54:52292     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52449    10.20.20.54:52449     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52552    10.20.20.54:52552     216.10.32.10:53       XXX.XX.32.10:53

midnr001#sh log | include 74.125.45.99
944746: .Oct 10 12:47:14.980 Chicago: NAT*: s=10.20.20.52->XXX.XX.XX.83, d=74.125.45.99 [40340]

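Matt1705's hypothesis (server traffic leaving as the overload address) and the author's rebuttal from the translation table can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the original post: it parses the `show ip nat translations` dump and the `debug ip nat` line posted above, reads the static mappings from the `ip nat inside source static` lines, and flags any host with a static translation that appears under a different inside global. 203.0.113 stands in for the redacted XXX.XX.XX prefix, and the one row labelled constructed is not from the thread; it shows what a flow caught by the `overload` rule instead of its static mapping would look like.

```python
"""Cross-check 'show ip nat translations' (and 'debug ip nat' lines) against the
static NAT statements in the running config.

Added example for this thread, not code from the original post. 203.0.113
stands in for the redacted XXX.XX.XX prefix. The sample table and debug line
are the ones posted above, plus one constructed table row, marked as such,
showing what a server flow caught by the overload rule instead of its static
mapping would look like.
"""
import re

STATIC_NAT_CONFIG = """
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 203.0.113.81
ip nat inside source static 10.20.20.49 203.0.113.82
ip nat inside source static 10.20.20.52 203.0.113.83
ip nat inside source static 10.20.20.50 203.0.113.84
"""

SHOW_NAT_OUTPUT = """
midnr001#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
--- 203.0.113.81          10.20.20.48           ---                   ---
udp 203.0.113.82:123      10.20.20.49:123       128.194.254.7:123     128.194.254.7:123
tcp 203.0.113.84:33400    10.20.20.50:33400     12.120.18.110:80      12.120.18.110:80
--- 203.0.113.83          10.20.20.52           ---                   ---
udp 203.0.113.78:50074    10.20.20.54:50074     216.10.32.10:53       216.10.32.10:53
"""

# Constructed row (not from the thread): server .52 leaving as the overload
# address .78 instead of its static .83, the failure Matt1705's reply suggests.
HIJACKED_ROW = "tcp 203.0.113.78:40340    10.20.20.52:40340     74.125.45.99:80       74.125.45.99:80\n"

# 'debug ip nat' line from the thread; the bracketed number is the IP identification field.
DEBUG_LINE = "944746: .Oct 10 12:47:14.980 Chicago: NAT*: s=10.20.20.52->203.0.113.83, d=74.125.45.99 [40340]"
DEBUG_RE = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]")


def _strip_port(field):
    """'10.20.20.52:40340' -> '10.20.20.52'; '---' is returned unchanged."""
    return field.rsplit(":", 1)[0]


def parse_static_nat(config):
    """Return {inside_local: inside_global} from 'ip nat inside source static A B' lines."""
    statics = {}
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"] and len(t) >= 7:
            statics[t[5]] = t[6]
    return statics


def parse_translations(output):
    """Return [(proto, inside_global, inside_local)] rows; prompt and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        t = line.split()
        if len(t) == 5 and t[0] in ("---", "tcp", "udp", "icmp"):
            rows.append((t[0], _strip_port(t[1]), _strip_port(t[2])))
    return rows


def parse_debug_nat(line):
    """Return (inside_local, inside_global, dst) from a 'debug ip nat' line, or None."""
    m = DEBUG_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def find_misnatted(rows, statics):
    """Flag rows whose inside global differs from the host's static mapping.

    A host that has a static translation but shows up under another inside
    global (normally the overload interface address) is being matched by the
    dynamic 'ip nat inside source list ... overload' rule for that flow.
    """
    return [(local, statics[local], glob, proto)
            for proto, glob, local in rows
            if local in statics and glob != statics[local]]


def check(output=SHOW_NAT_OUTPUT, config=STATIC_NAT_CONFIG):
    return find_misnatted(parse_translations(output), parse_static_nat(config))


if __name__ == "__main__":
    print("posted table:", check())                       # []
    print("with constructed row:", check(SHOW_NAT_OUTPUT + HIJACKED_ROW))
    print("debug line:", parse_debug_nat(DEBUG_LINE))
```

On the table as posted the check returns nothing, which is the author's point: every server flow carries its static inside global, so the overload rule is not the problem. The debug line says the same thing (s=10.20.20.52->.83). Only the constructed row trips the check, so if this ever fires on a real box the fix is in NAT ordering or the NAT ACL, not in the ISP's routing.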
Expert Comment

by:batry_boy
ID: 22690152
What does access list 100 look like?  This is the one applied inbound to your inside router interface....
Author Comment

by:JAMason1182
ID: 22690313
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet
access-list 100 deny   tcp any host 10.20.20.1 eq 22
access-list 100 deny   tcp any host 10.20.20.1 eq www
access-list 100 deny   tcp any host 10.20.20.1 eq 443
access-list 100 deny   tcp any host 10.20.20.1 eq cmd
access-list 100 deny   udp any host 10.20.20.1 eq snmp
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
Expert Comment

by:ckozloski
ID: 22690372
This may be trivial but have you tried pinging by IP or DNS Name? Can you ping something outside by IP address? What DNS servers are your public servers using to resolve to?
Author Comment

by:JAMason1182
ID: 22690771
My public servers use our internal dns servers to resolve names. I have tried pinging from the servers with both the IP and the DNS name.

When I ping from the server I can immediately go to the router and do a "sh ip nat translations" and see the successful nat translation. BUT, I never get a connection on the server. It is like it doesn't get anything back!

I guess my big question concerns my access-list 101 (incoming from my Serial port (internet)) and why the NATted address isn't coming BACK in for the servers. (Again, it works GREAT for the desktops!)

You'll notice the first thing I have listed is "permit tcp any any established".....




access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 permit tcp any any established
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any
access-list 101 deny   udp any any range 1025 1028
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003
access-list 101 deny   tcp any any range 2000 2003
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   udp any any eq 2049
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log

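The question in the post above is whether access-list 101 lets the servers' return traffic back in. That can be answered by walking sample packets through the list with IOS first-match semantics instead of reading it by hand. The evaluator below is an added example for this thread, not the poster's code. It parses the extended-ACL syntax used on the page (any / host X / X wildcard, eq / range, `established`, ICMP type names, a trailing `log`) and applies the implicit deny at the end. 203.0.113 stands in for the redacted XXX.XX.XX prefix, the ACL excerpt keeps the entries that decide return traffic, and the four sample packets are constructed.

```python
"""Walk sample return packets through the posted access-list 101 (first match
wins, implicit deny at the end, as IOS does).

Added example for this thread, not the poster's code. 203.0.113 stands in
for the redacted XXX.XX.XX prefix; the ACL excerpt keeps the entries that
decide return traffic, and the sample packets are constructed.
"""
import ipaddress

ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 deny   udp any any range 1025 1028
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny   icmp any any
access-list 101 permit udp any eq isakmp host 203.0.113.78 eq isakmp
access-list 101 deny   ip any 0.0.0.255 255.255.255.0
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 203.0.113.83 eq www
access-list 101 permit udp any host 203.0.113.78
access-list 101 deny   udp any any log
"""
PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "smtp": 25, "pop3": 110, "isakmp": 500}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "source-quench": 4, "unreachable": 3, "time-exceeded": 11}


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))  # wildcard 1-bits are "don't care"
    return (net, mask), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq X' | 'range A B'; return (match predicate, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (lambda x: x == p), tokens[2:]
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        return (lambda x: lo <= x <= hi), tokens[3:]
    return (lambda x: True), tokens


def _in(spec, ip):
    """True if ip falls inside the (net, mask) spec, wildcard-style."""
    net, mask = spec
    return (int(ipaddress.ip_address(ip)) & mask) == (net & mask)


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [PORT] DST [PORT] [icmp-type] [established] [log]'."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append(dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst, dport=dport,
                         icmp_type=ICMP_TYPES.get(rest[0]) if rest else None,
                         established="established" in rest, text=" ".join(t)))
    return aces


def evaluate(aces, pkt):
    """Return (action, matching entry) for a packet dict; implicit deny if nothing matches."""
    for a in aces:
        if a["proto"] not in ("ip", pkt["proto"]) or not (_in(a["src"], pkt["src"]) and _in(a["dst"], pkt["dst"])):
            continue
        if a["proto"] in ("tcp", "udp"):
            if not (a["sport"](pkt["sport"]) and a["dport"](pkt["dport"])):
                continue
            if a["established"] and not pkt.get("established", False):  # ACK or RST set
                continue
        if a["proto"] == "icmp" and a["icmp_type"] is not None and a["icmp_type"] != pkt["type"]:
            continue
        return a["action"], a["text"]
    return "deny", "implicit deny ip any any"


SERVER_83, OVERLOAD_78 = "203.0.113.83", "203.0.113.78"
SAMPLE_RETURNS = {  # constructed return packets for the static-NAT server and for the overload address
    "tcp syn/ack to .83": dict(proto="tcp", src="74.125.45.99", sport=80, dst=SERVER_83, dport=40340, established=True),
    "icmp echo-reply to .83": dict(proto="icmp", src="74.125.45.99", dst=SERVER_83, type=0),
    "dns reply to .83": dict(proto="udp", src="216.10.32.10", sport=53, dst=SERVER_83, dport=50074),
    "dns reply to .78": dict(proto="udp", src="216.10.32.10", sport=53, dst=OVERLOAD_78, dport=50074),
}


def evaluate_samples(acl_text=ACL_101, packets=SAMPLE_RETURNS):
    """Verdict per sample packet name."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} {verdict}")
```

Run against the posted list, TCP replies with ACK set and ICMP echo-replies to the static addresses are permitted, so the author's ping test is not blocked by this ACL, which matches the absence of deny logs reported later in the thread. UDP replies are another matter: only `permit udp any host XXX.XX.XX.78` covers them, so a DNS or NTP answer returning to .81 through .84 (other than the listed NTP peers) lands on `deny udp any any log`. The `established` keyword is stateless, it only checks the ACK/RST bits, so "permit tcp any any established" admits any packet an outsider crafts with ACK set; reflexive or CBAC/zone-based inspection is the stateful alternative on this platform.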
 

Author Comment

by:JAMason1182
ID: 22691216
OK, here's something new... somehow I have lost the ability to communicate from XXX.XX.XX.83 to anyone outside the LAN at all.... not even that which is opened up explicitly with the ACL.

I did do a check however to see if my router could hit the same server my 83 server was trying to hit... voila, no problem.

So, I'll repost my entire config (not VPN stuff obviously, but ACLs and port info). Something is seriously wrong here!
(oh, and I added logs to EVERY ACL deny statement.... I'm not getting any logs when my 83 server doesn't get out.)

WAIT! Don't ask. I can easily get from the 83 server to every other comp in the LAN, including the router (the 83 server is the machine I am going through to configure the router)

Please help!



interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any

access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any

access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log

access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!

 

Accepted Solution

by: JAMason1182
ID: 22702430
Wow. I figured it out. My ISP has obviously done something to the routes... pings going in and pings going out are dropped between my router and my gateway with my ISP. Traceroutes end with an infinite loop.

So I just called them and voila... they restored their good configuration of their router, thus I'm now in the clear. I told them to write the running-config to the startup-config.... like now.


