Solved

cisco one way nat issue

Posted on 2010-08-25
Last Modified: 2012-05-10
Hello, we just purchased a company that has an internal IP address range of 38.185.126.0/24 (I know it's public, but they use it inside). We have a 3 MB MPLS connection going to them from our core (192.168.1.0 inside network & serial interface using 172.32.254.174/30).

Hosts on their network (38.185.126.0) cannot ping a natted IP to our Citrix CSG inside (192.168.1.151) even though it is natted to 38.185.126.201.

Can someone please give a look at this config for me and see if I'm missing something?

Thanks,

controller T1 0/2/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
 description <<inbound T1 MPLS 1>>
!
controller T1 0/2/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
 description <<inbound T1 MPLS 2>>
!
!
class-map match-any voice-signaling
 match access-group 102
class-map match-any voice-stream
 match access-group 101
class-map match-any match-voip
 match access-group 101
!
!
policy-map MPLS
 class voice-stream
  priority percent 50
  set ip dscp af21
 class voice-signaling
  bandwidth percent 5
 class class-default
  fair-queue
policy-map mark-voip
 class match-voip
  set dscp ef
!
!
!
!
interface Loopback0
 no ip address
 shutdown
!
interface Multilink1
 bandwidth 3072000
 ip address 172.32.254.174 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ppp multilink
 ppp multilink group 1
 service-policy output MPLS
!
interface FastEthernet0/0
 ip address 192.168.224.1 255.255.255.240 secondary
 ip address 38.185.126.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/2/0:0
 description <<1st T1 MPLS in from L3>>
 no ip address
 encapsulation ppp
 ip route-cache flow
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/1:0
 description <<2nd T1 MPLS in from L3>>
 no ip address
 encapsulation ppp
 ip route-cache flow
 ppp multilink
 ppp multilink group 1
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 172.32.254.173 remote-as 1
 neighbor 172.32.254.173 soft-reconfiguration inbound
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 38.155.211.0 255.255.255.0 38.185.126.1
ip route 38.185.126.0 255.255.255.0 38.185.126.1
ip route 192.168.4.0 255.255.255.0 38.185.126.1
ip route 192.168.8.0 255.255.255.0 38.185.126.1
!
ip flow-export source Multilink1
ip flow-export version 5
!
no ip http server
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 120
ip nat source static 38.185.126.201 192.168.1.151
ip nat inside source list 105 interface Multilink1 overload
!
access-list 105 permit ip 38.185.126.0 0.0.0.255 any

Question by:Oyurttas

Expert Comment

by:mikebernhardt
I am assuming that this router is on their side, then. Does this router have a route to 192.168.1.0, and does your network have routes where needed to 38.185.126.0? Please provide a simple drawing of the topology that shows where the networks are.
Also, the output of
sho ip nat translations

You can also do a debug of that nat and post the output here:
conf t
access-list 1 permit 192.168.1.151
access-list 1 permit 38.185.126.201
end
debug ip nat 1 detailed


Author Comment

by:Oyurttas
Hello.  I worked with Cisco to figure it out.  If you would like the config, I'll post it.  Thank you.

Expert Comment

by:mikebernhardt
Was it a change in the above NAT config? You may as well post it for posterity.

Author Comment

by:Oyurttas
interface Loopback0
 no ip address
!
interface Multilink1
 bandwidth 3072000
 ip address 172.32.254.174 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ppp multilink
 ppp multilink group 1
 service-policy output MPLS
!
interface FastEthernet0/0
 ip address 38.185.126.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/2/0:0
 description <<1st T1 MPLS in from L3>>
 no ip address
 encapsulation ppp
 ip route-cache flow
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/1:0
 description <<2nd T1 MPLS in from L3>>
 no ip address
 encapsulation ppp
 ip route-cache flow
 ppp multilink
 ppp multilink group 1
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 redistribute static route-map IPOOL
 neighbor 172.32.254.173 remote-as 1
 neighbor 172.32.254.173 soft-reconfiguration inbound
 no auto-summary
!        
ip route 38.155.211.0 255.255.255.0 38.185.126.1
ip route 38.185.126.0 255.255.255.0 38.185.126.1
ip route 192.168.4.0 255.255.255.0 38.185.126.1
ip route 192.168.7.0 255.255.255.0 FastEthernet0/0
ip route 192.168.8.0 255.255.255.0 38.185.126.1
!
ip flow-export source Multilink1
ip flow-export version 5
!
no ip http server
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 120
ip nat pool IPOOL 192.168.7.2 192.168.7.254 netmask 255.255.255.0
ip nat outside source list 102 pool IPOOL
!
!
ip prefix-list IPOOL seq 5 permit 192.168.7.0/24
access-list 102 permit ip 38.185.126.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 38.155.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 38.185.126.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 38.155.211.0 0.0.0.255
access-list 105 permit ip 38.185.126.0 0.0.0.255 any
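
A simplified model of the dynamic translation in the config above (`ip nat outside source list 102 pool IPOOL`), added here as an example and not part of the original post: it applies the wildcard masks of access-list 102 to a packet arriving on the `ip nat outside` interface and hands out one IPOOL address per outside host. The function and class names are hypothetical; timeouts and routing are not modelled.

```python
import ipaddress

# Copied from the access-list 102 and "ip nat pool IPOOL" lines in the post above.
ACL_102 = """\
access-list 102 permit ip 38.185.126.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 38.155.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 38.185.126.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 38.155.211.0 0.0.0.255
"""
POOL = ("192.168.7.2", "192.168.7.254")

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_acl(text):
    """Return (action, src, src_wildcard, dst, dst_wildcard) for each 'ip' entry."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[3] == "ip":
            entries.append((f[2], ip(f[4]), ip(f[5]), ip(f[6]), ip(f[7])))
    return entries

def wild_match(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (addr & care) == (base & care)

def acl_permits(entries, src, dst):
    for action, s, sw, d, dw in entries:  # first matching entry wins
        if wild_match(ip(src), s, sw) and wild_match(ip(dst), d, dw):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

class OutsideSourceNat:
    """One-to-one dynamic NAT of the source address, no overload (hypothetical model)."""
    def __init__(self, entries, pool):
        self.entries, self.next, self.last = entries, ip(pool[0]), ip(pool[1])
        self.table = {}  # outside global (real) address -> outside local (pool) address

    def translate(self, src, dst):
        """Return (src, dst) as the inside network sees the packet."""
        if not acl_permits(self.entries, src, dst):
            return src, dst  # not matched by list 102: source left untouched
        if src not in self.table:
            if self.next > self.last:
                raise RuntimeError("IPOOL exhausted")
            self.table[src] = str(ipaddress.IPv4Address(self.next))
            self.next += 1
        return self.table[src], dst
```

With this model, hosts in 38.185.126.0/24 and 38.155.211.0/24 reach 192.168.1.0/24 with a 192.168.7.x source address, which is the range the config also advertises through `redistribute static route-map IPOOL`.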

Accepted Solution

by:
mikebernhardt earned 500 total points
Well, basically you changed everything around including routing...