Solved

Nat not working

Posted on 2008-10-28
Last Modified: 2012-05-05
I am trying to set up NAT translation on a Cisco 1841 to allow FTP traffic to be forwarded to an internal VLAN address. The problem is that it is simply not working; it is not getting through and I am well stuck.

We have a Cisco 1841 provided by the supplier that basically is invisible as far as this task is concerned; behind it we have several Cisco devices, and it is on one of these that I am trying to get the NAT translation working. It is a Cisco 1841 configured with approx. 50 VLANs behind it; all is in place and internet access is fine, and I even managed to get VPN properly configured on one of these VLANs.

What am I missing? This is driving me mad. I have added and removed the translations and access-lists, and messed around with the firewall rules; the VLAN is 92. I even tried setting up RDP access on the default VLAN to my laptop - nothing.... argggggg

Please see a cut-down version of the config:

Many thanks
Question by:eatkinson0
LVL 23

Expert Comment

by:that1guy15
ID: 22823209
Will you post your config?

Author Comment

by:eatkinson0
ID: 22823246

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HOST
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef table adjacency-prefix validate
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 141.1.1.1
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 107
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
 match protocol pptp
 match protocol l2tp
 match class-map SDM_GRE
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any FTP-Allow
 match protocol ftp
 match protocol ftps
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol msrpc
 match protocol ftp
 match protocol ftps
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
class-map type inspect match-any permitftp
 match protocol ftp
 match protocol ftps
 match protocol msrpc
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect permitftp
  pass
 class class-default
policy-map type inspect sdm-permit
 class type inspect FTP-Allow
  pass
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key HOST1 address HOST2
!
!
crypto ipsec transform-set host esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer HOST2
 set transform-set ESP-3DES-MD5
 set pfs group2
 match address 110
!
!
!
!
interface FastEthernet0/0
 description INSIDE
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 description DEFAULT
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
 ip access-group 149 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no cdp enable
!
!
interface FastEthernet0/0.92
 encapsulation dot1Q 92
 ip address 10.1.92.1 255.255.255.0
 ip access-group 121 in
 no ip unreachables
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no cdp enable
!
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 195.2.2.2 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 195.2.2.1
ip route 10.0.0.0 255.255.255.0 FastEthernet0/1 195.2.2.1
ip route 80.0.0.0 255.255.255.255 FastEthernet0/1 195.2.2.1
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.1.1.4 3389 interface FastEthernet0/1 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.1.92.13 21 195.2.2.3 21 extendable
ip nat inside source static tcp 10.1.92.13 20 195.2.2.2 20 extendable
ip nat inside source static tcp 10.1.92.13 21 195.2.2.2 21 extendable
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark SDM_ACL Category=0
 permit gre any any
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 195.2.2.1 0.0.0.15 any
access-list 101 permit ip 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 102 permit ip host 80.168.100.3 any
access-list 103 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 104 deny   tcp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 deny   udp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 deny   icmp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 deny   ip 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 104 permit ip 10.1.19.0 0.0.0.255 any
access-list 104 permit ip 10.1.0.0 0.0.255.255 any
access-list 104 permit tcp 10.1.92.0 0.0.0.255 any
access-list 105 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 106 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 107 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 108 permit ip 10.30.0.0 0.0.0.255 10.1.19.0 0.0.0.255
access-list 109 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit ip 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 110 permit icmp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 110 permit udp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 110 permit tcp 10.1.19.0 0.0.0.255 10.30.0.0 0.0.0.255
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 119 permit tcp any any eq 443
access-list 119 permit tcp any any eq smtp
access-list 119 permit tcp any any eq pop3
access-list 119 deny   tcp any any eq telnet
access-list 119 deny   udp any any eq tftp
access-list 119 deny   tcp any any eq 4444
access-list 119 deny   tcp any any eq 135
access-list 119 deny   udp any any eq 135
access-list 119 deny   udp any any eq netbios-ns
access-list 119 deny   udp any any eq netbios-dgm
access-list 119 deny   udp any any eq netbios-ss
access-list 119 deny   tcp any any eq 139
access-list 119 deny   tcp any any eq 445
access-list 119 deny   tcp any any eq 593
access-list 119 deny   ip any 10.1.0.0 0.0.255.255
access-list 119 permit ip any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq telnet
access-list 120 deny   udp any any eq tftp
access-list 120 deny   tcp any any eq 4444
access-list 120 deny   tcp any any eq 135
access-list 120 deny   udp any any eq 135
access-list 120 deny   udp any any eq netbios-ns
access-list 120 deny   udp any any eq netbios-dgm
access-list 120 deny   udp any any eq netbios-ss
access-list 120 deny   tcp any any eq 139
access-list 120 deny   tcp any any eq 445
access-list 120 deny   tcp any any eq 593
access-list 120 permit ip any any
access-list 121 permit tcp any any eq 22
access-list 121 permit tcp any any eq ftp-data
access-list 121 permit tcp any any eq ftp
access-list 121 permit tcp any any eq 443
access-list 121 permit icmp any any
access-list 121 permit tcp any any eq 3389
access-list 121 permit tcp any any eq 4445
access-list 121 permit tcp any any eq smtp
access-list 121 permit tcp any any eq pop3
access-list 121 deny   tcp any any eq telnet
access-list 121 deny   udp any any eq tftp
access-list 121 deny   tcp any any eq 4444
access-list 121 deny   tcp any any eq 135
access-list 121 deny   udp any any eq 135
access-list 121 deny   udp any any eq netbios-ns
access-list 121 deny   udp any any eq netbios-dgm
access-list 121 deny   udp any any eq netbios-ss
access-list 121 deny   tcp any any eq 139
access-list 121 deny   tcp any any eq 445
access-list 121 deny   tcp any any eq 593
access-list 121 permit ip any 10.1.1.0 0.0.0.255
access-list 121 deny   ip any 10.1.0.0 0.0.255.255
access-list 121 permit ip any any
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 443
access-list 149 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq cmd
access-list 149 deny   tcp any host 10.1.1.1 eq telnet
access-list 149 deny   tcp any host 10.1.1.1 eq 22
access-list 149 deny   tcp any host 10.1.1.1 eq www
access-list 149 deny   tcp any host 10.1.1.1 eq 443
access-list 149 deny   tcp any host 10.1.1.1 eq cmd
access-list 149 deny   udp any host 10.1.1.1 eq snmp
access-list 149 permit tcp any any eq ftp
access-list 149 permit tcp any any eq 443
access-list 149 permit tcp any any eq smtp
access-list 149 permit tcp any any eq pop3
access-list 149 permit tcp any any eq 4445
access-list 149 permit tcp any any eq 3389
access-list 149 deny   tcp any any eq telnet
access-list 149 deny   udp any any eq tftp
access-list 149 deny   tcp any any eq 4444
access-list 149 deny   tcp any any eq 135
access-list 149 deny   udp any any eq 135
access-list 149 deny   udp any any eq netbios-ns
access-list 149 deny   udp any any eq netbios-dgm
access-list 149 deny   udp any any eq netbios-ss
access-list 149 deny   tcp any any eq 139
access-list 149 deny   tcp any any eq 445
access-list 149 deny   tcp any any eq 593
access-list 149 permit ip any any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 109 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 111 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

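The static NAT lines in the config above are worth checking mechanically before touching the firewall. The following is an added example (my own code, not from the thread or from Cisco) that parses `ip nat inside source static` lines in the shape used above and flags an inside socket translated to more than one global socket, a global socket claimed by more than one inside socket, and literal global addresses that are not the outside interface address; it assumes that line shape and takes 195.2.2.2 from interface FastEthernet0/1 as the outside address.

```python
import re
from collections import defaultdict

# Shape of the static PAT lines in the posted config (assumed, matches what is shown there):
# ip nat inside source static tcp|udp INSIDE_IP INSIDE_PORT (GLOBAL_IP | interface NAME) GLOBAL_PORT [extendable]
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")

def parse_static_nat(text):
    """Return one (proto, (inside_ip, port), (global_addr, port)) tuple per static PAT line, in config order."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, iface, g_ip, g_port = m.groups()
            g_addr = f"interface {iface}" if iface else g_ip
            entries.append((proto, (in_ip, int(in_port)), (g_addr, int(g_port))))
    return entries

def nat_conflicts(entries, outside_ip=None):
    """Report an inside socket with several globals, a global socket with several insides, and
    (when outside_ip is given) literal globals that are not the outside interface address."""
    by_inside, by_global, problems = defaultdict(set), defaultdict(set), []
    for proto, inside, glob in entries:
        by_inside[(proto, inside)].add(glob)
        by_global[(proto, glob)].add(inside)
    for (proto, inside), globs in by_inside.items():
        if len(globs) > 1:
            problems.append(f"{proto} {inside} is translated to several globals: {sorted(globs)}")
    for (proto, glob), insides in by_global.items():
        if len(insides) > 1:
            problems.append(f"{proto} {glob} is claimed by several inside sockets: {sorted(insides)}")
    for proto, inside, (g_addr, g_port) in entries:
        if outside_ip and not g_addr.startswith("interface") and g_addr != outside_ip:
            problems.append(f"{proto} {inside} -> {g_addr}:{g_port} uses a global other than the outside "
                            "interface address; verify the upstream actually delivers that address here")
    return problems

# Constructed sample: the NAT lines and the outside address copied from the posted config.
POSTED = """\
ip nat inside source static tcp 10.1.1.4 3389 interface FastEthernet0/1 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.1.92.13 21 195.2.2.3 21 extendable
ip nat inside source static tcp 10.1.92.13 20 195.2.2.2 20 extendable
ip nat inside source static tcp 10.1.92.13 21 195.2.2.2 21 extendable
"""
OUTSIDE_IP = "195.2.2.2"
```

Run it with `outside_ip=None` to report only the duplicate mappings; the interface-address finding is advisory, since a static global inside the outside subnet can work when the upstream delivers that address to this router.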
LVL 13

Expert Comment

by:Quori
ID: 22826440
Oh how I loathe SDM configs.

Anyways, a few suggested changes:

access-list 104 permit tcp 10.1.92.0 0.0.0.255 any
 - from 'tcp' to 'ip'

Add FTP-Data to all of the inspection clauses.

Change the static NAT entries to reference the outside via interface name as opposed to IP address:
ip nat inside source static tcp 10.1.92.13 20 interface FastEthernet0/1 20 extendable
ip nat inside source static tcp 10.1.92.13 21 interface FastEthernet0/1 21 extendable

Remove:
ip nat inside source static tcp 10.1.92.13 21 195.2.2.3 21 extendable

You can probably remove your other two ip route statements in your config also, as they are not doing anything that the default route isn't doing already.

Also, your ACLs are a mess - for example 121: you've specified a default action of permit ip any any, essentially making all the other permit statements useless. Also in this ACL you're denying traffic from 10.1.0.0/16, which also isn't doing you any favors.



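On the ordering point, here is an added example (my own code, not from the thread or from Cisco) that parses extended numbered ACL lines in the format the posted config uses, reports entries that can never match because an earlier entry already covers them, and evaluates single packets first-match. It assumes destination-side `eq` ports only and contiguous wildcard masks, and ignores the zone-based firewall policies that also sit in the path; the sample lines are taken from ACLs 104 and 121 in the posted config.

```python
import ipaddress
# Port keywords IOS uses in the posted ACLs; numeric ports pass through unchanged.
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69, "www": 80,
         "pop3": 110, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "cmd": 514}

def parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from a token list; return (IPv4Network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    w = int(ipaddress.IPv4Address(tok[1]))  # wildcard mask: set bits are the host bits
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {tok[1]} cannot be expressed as a prefix")
    return ipaddress.ip_network(f"{tok[0]}/{33 - (w + 1).bit_length()}", strict=False), tok[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into {N: [(action, proto, src, dst, dport)]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":  # skip standard ACLs, named-ACL bodies, blanks
            continue
        src, rest = parse_addr(tok[4:])
        dst, rest = parse_addr(rest)
        dport = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst, dport))
    return acls

def covers(a, b):
    """True when every packet that matches entry b also matches entry a (a's match space is a superset)."""
    return ((a[1] == "ip" or a[1] == b[1]) and b[2].subnet_of(a[2])
            and b[3].subnet_of(a[3]) and a[4] in (None, b[4]))

def shadowed(entries):
    """1-based positions of entries that can never match because an earlier entry already covers them."""
    return [i + 1 for i, e in enumerate(entries) if any(covers(p, e) for p in entries[:i])]

def lookup(entries, proto, src, dst, dport=None):
    """First-match evaluation of one packet -> (action, 1-based position); the implicit deny is ('deny', 0)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, sn, dn, dp) in enumerate(entries, 1):
        if (p == "ip" or p == proto) and s in sn and d in dn and dp in (None, dport):
            return action, i
    return "deny", 0
# Constructed sample: the permit part of ACL 104 (the NAT route-map ACL) and the tail of ACL 121, from the config.
SAMPLE = """\
access-list 104 permit ip 10.1.19.0 0.0.0.255 any
access-list 104 permit ip 10.1.0.0 0.0.255.255 any
access-list 104 permit tcp 10.1.92.0 0.0.0.255 any
access-list 121 permit ip any 10.1.1.0 0.0.0.255
access-list 121 deny   ip any 10.1.0.0 0.0.255.255
access-list 121 permit ip any any
"""
```

Feed it the full text of ACLs 104 and 121 from the config to see which entries are actually reachable; it models the ACL alone, not the zone-pair inspection policies that also apply to the same traffic.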

Author Comment

by:eatkinson0
ID: 22827621
Thank you for your suggestions - I will be out onsite tomorrow and will give these a shot.

I am a semi-newbie and have been using the SDM as a safety net - I know, poor excuse, but it's the only one I got lol. (One of these days I will grow up ;) )

Thank you again for taking the time to have a look - will let you know.
Eve

Accepted Solution

by:eatkinson0 (earned 0 total points)
ID: 22839728
Thanks for your help. I had to strip out the firewall altogether and sorted the access via the access-lists; this is now working and all seems well.

Thanks