Solved

static nat / port forwarding a range

Posted on 2009-07-06
Last Modified: 2012-05-07
I am trying to set up 2 static NAT entries with an ACL to forward a range of ports to 2 internal servers. When I set up the ACL on fasteth0, the NAT entries work only one way. The public can access the internal servers, but if you try to browse the web or use other internet protocols from the internal servers, you can't. See below:

IOS (tm) C2600 Software (C2600-I-M), Version 12.2(29b), RELEASE SOFTWARE (fc1

interface FastEthernet0/0
 ip address 207.164.206.23 255.255.255.224 secondary
 ip address 207.164.206.24 255.255.255.224 secondary
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 172.16.2.10 207.164.206.23
ip nat inside source static 172.16.2.11 207.164.206.24

access-list 100 permit tcp any host 207.164.206.22 eq 3393
access-list 100 permit tcp any host 207.164.206.23 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.22 eq 3389
access-list 100 deny   ip any any


Question by:nbhasin
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24785393
1) map the internal to the external (if applicable)

    ip nat outside source static 207.164.206.23 172.16.2.10
    ip nat outside source static 207.164.206.24 172.16.2.11

2) You do not need to list these as secondaries on the public interface:
    ip address 207.164.206.23 255.255.255.224 secondary
    ip address 207.164.206.24 255.255.255.224 secondary

3) modify the acl to allow traffic that originates from the inside to go out:
    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393
    access-list 100 permit tcp any host 207.164.206.23 eq 3394
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389
    access-list 100 deny   ip any any
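To see why the ACL from the question lets the public reach the servers but stops the servers' own outbound sessions from getting their replies back, here is a constructed first-match evaluator for the thread's access-list 100 (an added example, not code from the thread; the source port and the 'log' keyword are ignored because no entry depends on them). Two checks worth knowing: IOS ACLs take a wildcard mask, so `207.164.206.0 255.255.255.224` as written matches only addresses whose last five bits are zero (0.0.0.31 is the wildcard for the /27), and `established` applies to TCP only, so UDP DNS replies to the overloaded address still fall through to the final deny.

```python
import ipaddress
import re

PORT_NAMES = {"telnet": 23, "domain": 53}  # IOS port keywords used in the thread's ACL

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are 'don't care', 0 bits must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Normalise 'any'/'host' to address+wildcard, then parse the ACE subset the thread uses."""
    line = re.sub(r"\bhost (\S+)", r"\1 0.0.0.0", line.replace(" any", " 0.0.0.0 255.255.255.255"))
    t = line.split()  # action proto src src-wc dst dst-wc [eq P | range A B] [established] [log]
    ace = {"action": t[0], "proto": t[1], "dst": t[4], "wc": t[5], "ports": None, "established": False}
    for i, tok in enumerate(t):
        if tok == "eq":
            p = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]); ace["ports"] = (p, p)
        elif tok == "range":
            ace["ports"] = (int(t[i + 1]), int(t[i + 2]))
        elif tok == "established":
            ace["established"] = True
    return ace

def evaluate(acl_lines, proto, dst, dport, ack=False):
    """First-match evaluation of one inbound packet; 'deny' if no entry matches (implicit deny)."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(dst, ace["dst"], ace["wc"])
                and (ace["ports"] is None or ace["ports"][0] <= dport <= ace["ports"][1])
                and (ack or not ace["established"])):  # 'established' needs ACK/RST set
            return ace["action"]
    return "deny"

# access-list 100 exactly as posted in the question (the 'access-list 100' prefix dropped)
ORIGINAL = [
    "permit tcp any host 207.164.206.22 eq 3393",
    "permit tcp any host 207.164.206.23 eq 3394",
    "permit tcp any any eq telnet",
    "permit tcp any host 207.164.206.22 range 20000 20299",
    "permit tcp any host 207.164.206.23 range 30000 30299",
    "permit tcp any any eq domain",
    "permit udp any any eq domain",
    "permit tcp any host 207.164.206.22 eq 3389",
    "deny ip any any",
]
AS_SUGGESTED = ["permit tcp any 207.164.206.0 255.255.255.224 established"] + ORIGINAL
WILDCARD_FIX = ["permit tcp any 207.164.206.0 0.0.0.31 established"] + ORIGINAL
```

Return traffic for a web session opened from 172.16.2.10 arrives at 207.164.206.23 with an ephemeral destination port and ACK set; run the three lists against such a packet to see which one admits it.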
 

Author Comment

by:nbhasin
ID: 24785652
I have modified as per your suggestion; it still doesn't work, see below.

interface FastEthernet0/0
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat outside source static 207.164.206.23 172.16.2.10
ip nat outside source static 207.164.206.24 172.16.2.11

access-list 100 permit tcp any 0.0.0.0 255.255.255.224 established
access-list 100 permit tcp any host 207.164.206.23 eq 3393
access-list 100 permit tcp any host 207.164.206.24 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.23 range 20000 20299
access-list 100 permit tcp any host 207.164.206.24 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.23 eq 3389
access-list 100 deny   ip any any

 
LVL 29

Expert Comment

by:Jan Springer
ID: 24785769
What does a "show log" indicate for a particular machine in question?

Author Comment

by:nbhasin
ID: 24785866
Not sure if this is what you are asking for?

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 26 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 30 message lines logged
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24786010
sh log | i 207.164.206.23

and

sh log | i 207.164.206.24

You might also need to tweak your logging statements:
   logging buffered 32768 debugging
   logging on
 

Author Comment

by:nbhasin
ID: 24786179
This is all I get:

sh log | i 207.164.206.23
mhsystem#sh log | i 207.164.206.24
mhsystem#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 31 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 4 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 35 message lines logged

Log Buffer (32769 bytes):

2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by console
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24786336
Do this:

    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393 log
    access-list 100 permit tcp any host 207.164.206.23 eq 3394 log
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299 log
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299 log
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389 log
    access-list 100 deny   ip any any log


Run a test and then please output:

show access-list 100

And:

sh log | i 207.164.206.22
sh log | i 207.164.206.23
sh log | i 207.164.206.24
 

Author Comment

by:nbhasin
ID: 24786358
This is what I get; by the way, I don't get any output with the sh log | i 207.164.206.23, etc. commands:

#sh access-list 100
Extended IP access list 100
    permit tcp any any established (1952 matches)
    permit tcp any host 207.164.206.23 eq 3393
    permit tcp any host 207.164.206.24 eq 3394
    permit tcp any any eq telnet
    permit tcp any host 207.164.206.23 range 20000 20299 (6 matches)
    permit tcp any host 207.164.206.24 range 30000 30299
    permit tcp any any eq domain
    permit udp any any eq domain
    permit tcp any host 207.164.206.23 eq 3389 (2 matches)
    deny ip any any (183 matches)
 
LVL 29

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 24786522
If you re-write the ACL with the 'log' statements where needed, we can better troubleshoot the problem.