static nat / port forwarding a range

Posted on 2009-07-06
Last Modified: 2012-05-07
I am trying to set up 2 static NAT entries with an ACL to forward a range of ports to 2 internal servers. When I set up the ACL on fasteth0 the NAT entries work only one way. The public can access the internal servers, but if you try to browse the web or use other internet protocols from the internal servers you can't. See below:

IOS (tm) C2600 Software (C2600-I-M), Version 12.2(29b), RELEASE SOFTWARE (fc1

interface FastEthernet0/0
 ip address 207.164.206.23 255.255.255.224 secondary
 ip address 207.164.206.24 255.255.255.224 secondary
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 172.16.2.10 207.164.206.23
ip nat inside source static 172.16.2.11 207.164.206.24

access-list 100 permit tcp any host 207.164.206.22 eq 3393
access-list 100 permit tcp any host 207.164.206.23 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.22 eq 3389
access-list 100 deny   ip any any

Question by:nbhasin
Expert Comment

by:Jan Springer
ID: 24785393
1) map the internal to the external (if applicable)

    ip nat outside source static 207.164.206.23 172.16.2.10
    ip nat outside source static 207.164.206.24 172.16.2.11

2) You do not need to list these as secondaries on the public interface:
    ip address 207.164.206.23 255.255.255.224 secondary
    ip address 207.164.206.24 255.255.255.224 secondary

3) modify the acl to allow traffic that originates from the inside to go out:
    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393
    access-list 100 permit tcp any host 207.164.206.23 eq 3394
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389
    access-list 100 deny   ip any any
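Added example, not code or configuration from the thread: a small first-match evaluator for IOS-style extended ACLs that shows why the original ACL on FastEthernet0/0 drops the return half of connections the inside servers open (the inbound ACL sees the reply and nothing permits it) and how a leading 'established' line fixes that while still dropping unsolicited SYNs to high ports. It writes the subnet as the wildcard mask 207.164.206.0 0.0.0.31, the form extended ACLs take, and treats 'established' as what it is on IOS, a check on the TCP ACK/RST bit rather than connection tracking; the sample packets and the 203.0.113.5 address are constructed.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "domain": 53}   # service names that appear in the thread's ACL

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _port(s):
    return PORT_NAMES.get(s) or int(s)
def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; a wildcard bit of 1 means don't care."""
    t = toks.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (_ip(toks.pop(0)), 0) if t == "host" else (_ip(t), _ip(toks.pop(0)))
def _match(spec, ip):
    return (_ip(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0

def parse_acl(text):
    """Parse 'access-list N <action> <proto> <src> <dst> [eq P|range A B] [established] [log]'."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":            # drop the 'access-list 100' prefix
            toks = toks[2:]
        action, proto, toks = toks[0], toks[1], toks[2:]
        src, dst, ports = _addr(toks), _addr(toks), None
        if toks and toks[0] in ("eq", "range"):
            ports = (_port(toks[1]), _port(toks[2] if toks[0] == "range" else toks[1]))
        rules.append((action, proto, src, dst, ports, "established" in toks))
    return rules

def evaluate(rules, pkt):
    """First match wins, implicit deny at the end, as on IOS. pkt: proto, src, dst, dport, ack."""
    for action, proto, src, dst, ports, est in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (_match(src, pkt["src"]) and _match(dst, pkt["dst"])):
            continue
        if ports and not ports[0] <= pkt["dport"] <= ports[1]:
            continue
        if est and not pkt["ack"]:               # 'established' only checks the TCP ACK/RST bit
            continue
        return action
    return "deny"

# Constructed sample: the thread's ACL (abridged), then the same ACL with an 'established' line in front.
ORIGINAL = "access-list 100 permit tcp any host 207.164.206.22 eq 3389\naccess-list 100 deny   ip any any"
FIXED = "access-list 100 permit tcp any 207.164.206.0 0.0.0.31 established\n" + ORIGINAL
# Reply to a browsing session that left via NAT from 207.164.206.22 (203.0.113.5: documentation address).
REPLY = {"proto": "tcp", "src": "203.0.113.5", "dst": "207.164.206.22", "dport": 51000, "ack": True}
```

Paste the full ACL from the thread into parse_acl to check the rest of the rules; a rule entered with a subnet mask instead of a wildcard (255.255.255.224 rather than 0.0.0.31) never matches the .22 address, which the evaluator will show as "deny".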

Author Comment

by:nbhasin
ID: 24785652
I have modified it as per your suggestion; it still doesn't work, see below.

interface FastEthernet0/0
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat outside source static 207.164.206.23 172.16.2.10
ip nat outside source static 207.164.206.24 172.16.2.11

access-list 100 permit tcp any 0.0.0.0 255.255.255.224 established
access-list 100 permit tcp any host 207.164.206.23 eq 3393
access-list 100 permit tcp any host 207.164.206.24 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.23 range 20000 20299
access-list 100 permit tcp any host 207.164.206.24 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.23 eq 3389
access-list 100 deny   ip any any

Expert Comment

by:Jan Springer
ID: 24785769
What does a "show log" indicate for a particular machine in question?

Author Comment

by:nbhasin
ID: 24785866
Not sure if this is what you are asking for?

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 26 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 30 message lines logged
Expert Comment

by:Jan Springer
ID: 24786010
sh log | i 207.164.206.23

and

sh log | i 207.164.206.24

You might also need to tweak your logging statements:
   logging buffered 32768 debugging
   logging on

Author Comment

by:nbhasin
ID: 24786179
This is all I get:

sh log | i 207.164.206.23
mhsystem#sh log | i 207.164.206.24
mhsystem#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 31 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 4 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 35 message lines logged

Log Buffer (32769 bytes):

2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by console
Expert Comment

by:Jan Springer
ID: 24786336
Do this:

    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393 log
    access-list 100 permit tcp any host 207.164.206.23 eq 3394 log
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299 log
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299 log
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389 log
    access-list 100 deny   ip any any log


Run a test and then please output:

show access-list 100

And:

sh log | i 207.164.206.22
sh log | i 207.164.206.23
sh log | i 207.164.206.24

Author Comment

by:nbhasin
ID: 24786358
This is what I get; by the way, I don't get any output with the sh log | i 207.164.206.23, etc. commands:

#sh access-list 100
Extended IP access list 100
    permit tcp any any established (1952 matches)
    permit tcp any host 207.164.206.23 eq 3393
    permit tcp any host 207.164.206.24 eq 3394
    permit tcp any any eq telnet
    permit tcp any host 207.164.206.23 range 20000 20299 (6 matches)
    permit tcp any host 207.164.206.24 range 30000 30299
    permit tcp any any eq domain
    permit udp any any eq domain
    permit tcp any host 207.164.206.23 eq 3389 (2 matches)
    deny ip any any (183 matches)
Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 24786522
If you re-write the ACL with the 'log' statements where needed, we can better troubleshoot the problem.