Solved

Nat not working

Posted on 2008-10-28
Last Modified: 2012-05-05
I am trying to set up NAT translation on a Cisco 1841 to allow FTP traffic to forward to an internal VLAN address. The problem is that it is simply not working, it is not getting through and I am well stuck.

We have a Cisco 1841 provided by the supplier that basically is invisible as far as this task is concerned; behind it we have several Cisco devices, and it is one of these that I am trying to get the NAT translation working on. It is a Cisco 1841 configured with approx. 50 VLANs behind it, all is in place and internet access is fine, I even managed to get VPN properly configured on one of these VLANs.

What am I missing? This is driving me mad. I have added and removed the translations, access-lists, and messed around with the firewall rules; the VLAN is 92. I even tried setting up RDP access on the default VLAN to my laptop - nothing.... argggggg

Please see a cut-down version of the config:

Many thanks
Question by: eatkinson0

Expert Comment

by:that1guy15
ID: 22823209
Will you post your config?


Author Comment

by:eatkinson0
ID: 22823246

!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HOST
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
 
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef table adjacency-prefix validate
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 141.1.1.1
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 107
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
 match protocol pptp
 match protocol l2tp
 match class-map SDM_GRE
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any FTP-Allow
 match protocol ftp
 match protocol ftps
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol msrpc
 match protocol ftp
 match protocol ftps
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
class-map type inspect match-any permitftp
 match protocol ftp
 match protocol ftps
 match protocol msrpc
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect permitftp
  pass
 class class-default
policy-map type inspect sdm-permit
 class type inspect FTP-Allow
  pass
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key HOST1 address HOST2
!
!
crypto ipsec transform-set host esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 set peer HOST2
 set transform-set ESP-3DES-MD5 
 set pfs group2
 match address 110
!
!
!
!
interface FastEthernet0/0
 description INSIDE
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 description DEFAULT
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
 ip access-group 149 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no cdp enable
!
 
!
interface FastEthernet0/0.92
 encapsulation dot1Q 92
 ip address 10.1.92.1 255.255.255.0
 ip access-group 121 in
 no ip unreachables
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no cdp enable
!
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 195.2.2.2 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 195.2.2.1
ip route 10.0.0.0 255.255.255.0 FastEthernet0/1 195.2.2.1
ip route 80.0.0.0 255.255.255.255 FastEthernet0/1 195.2.2.1
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.1.1.4 3389 interface FastEthernet0/1 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.1.92.13 21 195.2.2.3 21 extendable
ip nat inside source static tcp 10.1.92.13 20 195.2.2.2 20 extendable
ip nat inside source static tcp 10.1.92.13 21 195.2.2.2 21 extendable
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark SDM_ACL Category=0
 permit gre any any
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 195.2.2.1 0.0.0.15 any
access-list 101 permit ip 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 102 permit ip host 80.168.100.3 any
access-list 103 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 104 deny   tcp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 deny   udp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 deny   icmp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 deny   ip 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 permit ip 10.1.19.0 0.0.0.255 any
access-list 104 permit ip 10.1.0.0 0.0.255.255 any
access-list 104 permit tcp 10.1.92.0 0.0.0.255 any
access-list 105 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 106 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 107 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 108 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 109 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit ip 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 110 permit icmp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 110 permit udp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 110 permit tcp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 119 permit tcp any any eq 443
access-list 119 permit tcp any any eq smtp
access-list 119 permit tcp any any eq pop3
access-list 119 deny   tcp any any eq telnet
access-list 119 deny   udp any any eq tftp
access-list 119 deny   tcp any any eq 4444
access-list 119 deny   tcp any any eq 135
access-list 119 deny   udp any any eq 135
access-list 119 deny   udp any any eq netbios-ns
access-list 119 deny   udp any any eq netbios-dgm
access-list 119 deny   udp any any eq netbios-ss
access-list 119 deny   tcp any any eq 139
access-list 119 deny   tcp any any eq 445
access-list 119 deny   tcp any any eq 593
access-list 119 deny   ip any 10.1.0.0 0.0.255.255
access-list 119 permit ip any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq telnet
access-list 120 deny   udp any any eq tftp
access-list 120 deny   tcp any any eq 4444
access-list 120 deny   tcp any any eq 135
access-list 120 deny   udp any any eq 135
access-list 120 deny   udp any any eq netbios-ns
access-list 120 deny   udp any any eq netbios-dgm
access-list 120 deny   udp any any eq netbios-ss
access-list 120 deny   tcp any any eq 139
access-list 120 deny   tcp any any eq 445
access-list 120 deny   tcp any any eq 593
access-list 120 permit ip any any
access-list 121 permit tcp any any eq 22
access-list 121 permit tcp any any eq ftp-data
access-list 121 permit tcp any any eq ftp
access-list 121 permit tcp any any eq 443
access-list 121 permit icmp any any
access-list 121 permit tcp any any eq 3389
access-list 121 permit tcp any any eq 4445
access-list 121 permit tcp any any eq smtp
access-list 121 permit tcp any any eq pop3
access-list 121 deny   tcp any any eq telnet
access-list 121 deny   udp any any eq tftp
access-list 121 deny   tcp any any eq 4444
access-list 121 deny   tcp any any eq 135
access-list 121 deny   udp any any eq 135
access-list 121 deny   udp any any eq netbios-ns
access-list 121 deny   udp any any eq netbios-dgm
access-list 121 deny   udp any any eq netbios-ss
access-list 121 deny   tcp any any eq 139
access-list 121 deny   tcp any any eq 445
access-list 121 deny   tcp any any eq 593
access-list 121 permit ip any 10.1.1.0 0.0.0.255
access-list 121 deny   ip any 10.1.0.0 0.0.255.255
access-list 121 permit ip any any
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 443
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq cmd
access-list 149 deny   tcp any host 10.1.1.1 eq telnet
access-list 149 deny   tcp any host 10.1.1.1 eq 22
access-list 149 deny   tcp any host 10.1.1.1 eq www
access-list 149 deny   tcp any host 10.1.1.1 eq 443
access-list 149 deny   tcp any host 10.1.1.1 eq cmd
access-list 149 deny   udp any host 10.1.1.1 eq snmp
access-list 149 permit tcp any any eq ftp
access-list 149 permit tcp any any eq 443
access-list 149 permit tcp any any eq smtp
access-list 149 permit tcp any any eq pop3
access-list 149 permit tcp any any eq 4445
access-list 149 permit tcp any any eq 3389
access-list 149 deny   tcp any any eq telnet
access-list 149 deny   udp any any eq tftp
access-list 149 deny   tcp any any eq 4444
access-list 149 deny   tcp any any eq 135
access-list 149 deny   udp any any eq 135
access-list 149 deny   udp any any eq netbios-ns
access-list 149 deny   udp any any eq netbios-dgm
access-list 149 deny   udp any any eq netbios-ss
access-list 149 deny   tcp any any eq 139
access-list 149 deny   tcp any any eq 445
access-list 149 deny   tcp any any eq 593
access-list 149 permit ip any any
 
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 109 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 111 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Expert Comment

by:Quori
ID: 22826440
Oh how I loathe SDM configs.

Anyways, a few suggested changes:

access-list 104 permit tcp 10.1.92.0 0.0.0.255 any
 - From 'tcp' to IP

Add FTP-Data to all of the inspection clauses.

Change the static NAT entries to reference outside via interface name as opposed to IP address:
ip nat inside source static tcp 10.1.92.13 20 interface FastEthernet0/1 20 extendable
ip nat inside source static tcp 10.1.92.13 21 interface FastEthernet0/1 21 extendable

Remove:
ip nat inside source static tcp 10.1.92.13 21 195.2.2.3 21 extendable

You can probably remove your other two ip route statements in your config also, as they are not doing anything that the default route isn't doing already.

Also your ACLs are a mess - for example 121: you've specified a default action of permit ip any any essentially making all the other permit statements useless. Also in this ACL you're denying traffic from 10.1.0.0/16 which also isn't doing you any favors.



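To check first-match interactions like the ones Quori points out in ACL 121 (an entry only matters if no earlier entry already caught the packet, and the list ends with an implicit deny), here is an added Python evaluator. It is not part of this thread or of IOS; it handles only the subset of numbered extended ACL syntax used on this page, ignores options such as `established`, and embeds a few entries copied in order from ACL 121, which is applied inbound on FastEthernet0/0.92.

```python
import ipaddress
from collections import namedtuple

# Cisco port keywords that appear in the ACLs on this page (subset).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "pop3": 110,
              "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

Rule = namedtuple("Rule", "action proto src dst dport")

def _net(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tok.pop(0)))
    if wild & (wild + 1):                       # only contiguous wildcards handled
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network(f"{t}/{32 - wild.bit_length()}", strict=False)

def parse(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' into a Rule."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, dst = _net(rest), _net(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Rule(action, proto, src, dst, dport)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; the ACL ends with an implicit deny.
    Returns (action, index of the entry that decided it, or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r.proto in ("ip", proto) and s in r.src and d in r.dst
                and (r.dport is None or r.dport == dport)):
            return r.action, i
    return "deny", None
# Entries copied in order from ACL 121 on this page (applied 'in' on Fa0/0.92).
ACL121 = [parse(l) for l in """
access-list 121 permit tcp any any eq 22
access-list 121 permit tcp any any eq ftp-data
access-list 121 permit tcp any any eq ftp
access-list 121 deny   tcp any any eq telnet
access-list 121 deny   tcp any any eq 445
access-list 121 permit ip any 10.1.1.0 0.0.0.255
access-list 121 deny   ip any 10.1.0.0 0.0.255.255
access-list 121 permit ip any any
""".splitlines() if l.strip()]
```

Running `evaluate(ACL121, "tcp", "10.1.92.5", "10.1.19.5", 22)` shows the SSH permit at index 0 winning over the later deny for 10.1.0.0/16, while the same host's DNS to 10.1.19.5 falls through to that deny; the returned index tells you exactly which entry to look at.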

Author Comment

by:eatkinson0
ID: 22827621
Thank you for your suggestions - I will be out onsite tomorrow and will give these a shot.

I am a semi-newbie and have been using the SDM as a safety net - I know, poor excuse, but it's the only one I got lol. (One of these days I will grow up ;) )

Thank you again for taking the time to have a look - will let you know.
Eve

Accepted Solution

by: eatkinson0 (earned 0 total points)
ID: 22839728
Thanks for your help. I had to strip out the firewall altogether and sorted the access via the access-lists; this is now working and all seems well.

Thanks