Solved

Cisco NAT/PAT translating but static nats cannot reach the internet

Posted on 2008-10-10
8
623 Views
Last Modified: 2008-10-18
I have the following router configuration. It isn't really that fancy. My internal network is on a 10.20.20.0 subnet and this includes the four servers: 10.20.20.50, 49, 48, and 52. They have static outside IPs we'll call XXX.XX.XX.81, 82, 83 and 84. I have a default outside IP of XX.XX.XX.78 to use for ALL traffic that isn't for these four machines.

I can access the machines from outside just fine... but these machines cannot get any access AT ALL to the outside. They can reply to incoming requests just fine, but I can't even do a ping to an outside IP address. I disabled my firewall access-lists altogether to prove to myself that it wasn't a firewall issue... and it isn't.

What's wrong with my nat config? I've tracked down that it may be due to overloading an interface... but I'm not sure!
(Also, note the 192.168.3.0... this is my vpn pool that works perfectly)

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
(access-lists not shown except the nat acl)
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any


0
Question by:JAMason1182
8 Comments
 
LVL 2

Expert Comment

by:Matt1705
ID: 22689463
You have left a bunch out of your config file, but the problem is probably that messages from your servers to the outside are leaving labeled as coming from X.78. When they return to the X.78 address they are being routed to your other subnet.
0
 

Author Comment

by:JAMason1182
ID: 22689527
Well, here's a copy of the "sh ip nat translations" command. You'll see that the 81,82,83, and 84 are being translated correctly. Also, the 78 has about 100 entries, so I know that the desktops are all getting an outside address of xxx.xx.xx.78. Also, I have "debug ip packet" and "debug ip nat" enabled, and here's a snippet of the log (below the sh ip nat translations) pertaining to an attempt at connecting to google from my 83 server.


midnr001#sh ip nat translations
 
Pro Inside global         Inside local          Outside local         Outside global
--- XXX.XX.XX.81          10.20.20.48           ---                   ---
udp XXX.XX.XX.82:123      10.20.20.49:123       128.194.254.7:123     128.194.254.7:123
--- XXX.XX.XX.82          10.20.20.49           ---                   ---
udp XXX.XX.XX.84:123      10.20.20.50:123       128.194.254.8:123     128.194.254.8:123
tcp XXX.XX.XX.84:33400    10.20.20.50:33400     12.120.18.110:80      12.120.18.110:80
tcp XXX.XX.XX.84:33402    10.20.20.50:33402     12.120.18.110:80      12.120.18.110:80
tcp XXX.XX.XX.84:33403    10.20.20.50:33403     12.120.18.110:80      12.120.18.110:80
--- XXX.XX.XX.84          10.20.20.50           ---                   ---
--- XXX.XX.XX.83          10.20.20.52           ---                   ---
udp XXX.XX.XX.78:50074    10.20.20.54:50074     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:50310    10.20.20.54:50310     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:51089    10.20.20.54:51089     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:51438    10.20.20.54:51438     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52292    10.20.20.54:52292     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52449    10.20.20.54:52449     216.10.32.10:53       XXX.XX.32.10:53
udp XXX.XX.XX.78:52552    10.20.20.54:52552     216.10.32.10:53       XXX.XX.32.10:53
 
 
midnr001#sh log | include 74.125.45.99
944746: .Oct 10 12:47:14.980 Chicago: NAT*: s=10.20.20.52->XXX.XX.XX.83, d=74.125.45.99 [40340]


0
 
LVL 28

Expert Comment

by:batry_boy
ID: 22690152
What does access list 100 look like?  This is the one applied inbound to your inside router interface....
0

 

Author Comment

by:JAMason1182
ID: 22690313
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet
access-list 100 deny   tcp any host 10.20.20.1 eq 22
access-list 100 deny   tcp any host 10.20.20.1 eq www
access-list 100 deny   tcp any host 10.20.20.1 eq 443
access-list 100 deny   tcp any host 10.20.20.1 eq cmd
access-list 100 deny   udp any host 10.20.20.1 eq snmp
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22690372
This may be trivial but have you tried pinging by IP or DNS Name? Can you ping something outside by IP address? What DNS servers are your public servers using to resolve to?
0
 

Author Comment

by:JAMason1182
ID: 22690771
My public servers use our internal DNS servers to resolve names. I have tried pinging from the servers with both the IP and the DNS name.

When I ping from the server I can immediately go to the router and do a "sh ip nat translations" and see the successful nat translation. BUT, I never get a connection on the server. It is like it doesn't get anything back!

I guess my big question concerns my access-list 101 (incoming from my Serial port (internet)) and why the NATted address isn't coming BACK in for the servers. (Again, it works GREAT for the desktops!)

You'll notice the first thing I have listed is "permit tcp any any established".....




access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 permit tcp any any established
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any
access-list 101 deny   udp any any range 1025 1028
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003
access-list 101 deny   tcp any any range 2000 2003
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   udp any any eq 2049
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log


0
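To check the question raised in this post, whether access-list 101 lets the servers' reply traffic back in, here is an added example (not the poster's configuration and not Cisco code) that parses a constructed subset of that ACL and evaluates it the way IOS does: first matching line wins, with an implicit deny at the end. It assumes 198.51.100.83 and 198.51.100.78 in place of the masked XXX.XX.XX.83 and .78 addresses, and reuses the 74.125.45.99 and 216.10.32.10 hosts seen in the posted NAT table and log.

```python
# Added example, not the router's own logic: a first-match evaluator for the subset of
# Cisco extended-ACL syntax in access-list 101 above (198.51.100.n stands in for XXX.XX.XX.n).
import ipaddress
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ntp": 123}
_ip = lambda s: int(ipaddress.IPv4Address(s))
_port = lambda t: int(t) if t.isdigit() else PORT_NAMES[t]

def _addr(toks):  # 'any' | 'host A' | 'A WILDCARD'  ->  ((net, wildcard), rest)
    if toks[0] == "any": return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host": return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]

def _ports(toks):  # optional 'eq X' | 'range A B'  ->  ((lo, hi) or None, rest)
    if toks[:1] == ["eq"]: return (_port(toks[1]),) * 2, toks[2:]
    if toks[:1] == ["range"]: return (_port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks

def parse_acl(text):
    """Rules as (action, proto, src, sport, dst, dport, flags); remark lines are skipped."""
    rules = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 5 or t[2] == "remark":
            continue
        src, rest = _addr(t[4:])
        sport, rest = _ports(rest)
        dst, rest = _addr(rest)
        dport, rest = _ports(rest)
        # leftovers are 'established', an ICMP type name and/or 'log'
        rules.append((t[2], t[3], src, sport, dst, dport, set(rest) - {"log"}))
    return rules

def evaluate(rules, pkt):
    """First match wins, as in IOS; returns (action, 1-based rule no.), ('deny', 0) = implicit deny.
    pkt keys: proto, src, dst, and optionally sport, dport, ack (TCP ACK/RST set), icmp_type."""
    hit = lambda spec, ip: (ip | spec[1]) == (spec[0] | spec[1])   # wildcard-mask compare
    in_rng = lambda r, p: r is None or r[0] <= p <= r[1]
    for n, (action, proto, src, sport, dst, dport, flags) in enumerate(rules, 1):
        if (proto in ("ip", pkt["proto"])
                and hit(src, _ip(pkt["src"])) and hit(dst, _ip(pkt["dst"]))
                and in_rng(sport, pkt.get("sport", -1)) and in_rng(dport, pkt.get("dport", -1))
                and (pkt.get("ack") or "established" not in flags)
                and (not flags - {"established"} or pkt.get("icmp_type") in flags)):
            return action, n
    return "deny", 0

ACL_101 = """\
access-list 101 permit tcp any any established
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 198.51.100.83 eq www
access-list 101 permit udp any host 198.51.100.78
access-list 101 deny   udp any any log
"""

def check_replies():
    """Replies arriving on Serial0/0/0 for the .83 server vs the .78 overload address."""
    r = parse_acl(ACL_101)
    return {
        "web_to_83": evaluate(r, dict(proto="tcp", src="74.125.45.99", sport=80, dst="198.51.100.83", dport=33400, ack=True)),
        "ping_to_83": evaluate(r, dict(proto="icmp", src="74.125.45.99", dst="198.51.100.83", icmp_type="echo-reply")),
        "dns_to_83": evaluate(r, dict(proto="udp", src="216.10.32.10", sport=53, dst="198.51.100.83", dport=50074)),
        "dns_to_78": evaluate(r, dict(proto="udp", src="216.10.32.10", sport=53, dst="198.51.100.78", dport=50074)),
    }
```

The result matches what the thread observes: TCP replies and echo-replies to the .83 server are permitted by the established and ICMP lines, while UDP replies are only permitted to the .78 address, which does not matter here because the servers resolve names through the internal DNS servers.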
 

Author Comment

by:JAMason1182
ID: 22691216
OK, here's something new... somehow I have lost the ability to communicate with xxx.xx.xx.83 with anyone outside the LAN at all.... not even that which is opened up explicitly with the ACL.

I did do a check however to see if my router could hit the same server my 83 server was trying to hit... voila, no problem.

So, I'll repost my entire config (not VPN stuff obviously, but ACLs and port info). Something is seriously wrong here!
(oh, and I added logs to EVERY ACL deny statement.... I'm not getting any logs when my 83 server doesn't get out.)

WAIT! Don't ask. I can easily get from the 83 server to every other comp in the LAN, including the router (the 83 server is the machine I am going through to configure the router)

Please help!


interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any
 
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log
 
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any
 
access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
 
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!


0
 

Accepted Solution

by: JAMason1182 earned 0 total points
ID: 22702430
Wow. I figured it out. My ISP has obviously done something to the routes... pings going in and pings going out are dropped between my router and my gateway with my ISP. Traceroutes end with an infinite loop.

So I just called them and voila... they restored their good configuration of their router, thus I'm now in the clear. I told them to write the running-config to the startup-config.... like now.



0
