• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 764
  • Last Modified:

NAT question

Ok, mediawiki setup on wamp server with the most basic setup and no bells and whistles (default port 80 an all that as far as I can tell)

Now, I need NAT to get to the thing from outside

This works:
ip nat inside source 172.17.101.4 83.*.*.*

This does not:
ip nat inside source tcp 172.17.101.4 80 83.*.*.* 80
ip nat inside source udp 172.17.101.4 80 83.*.*.* 80

Why? I'd really rather not have 100% of traffic being spammed at the router be redirected to my server, but I can't seem to get it to work on that one port alone. Does wamp+mediawiki actally need some other ports open? Is there a way to check why this is happening?
0
dkrussian
Asked:
dkrussian
  • 5
  • 3
  • 3
1 Solution
 
Istvan KalmarCommented:
Do you use same public address for NAT?
In this case it isn't working...

p.s.: after that you changing something with the NAT you need : 'clear ip nat trans *'

Best regards,
Istvan
0
 
asavenerCommented:
Do you have any access lists applied?  Unless you've permitted the traffic, an access list will block the connections even if a NAT rule is present.
0
 
dkrussianAuthor Commented:
Between this question and my other one, it's fast becoming clear I don't understand cisco NAT and access-lists. If it's an access-list problem, then why the hell did this work?

 

also

interface BVI10
 description ========================== LAN interface ===========================
 ip address 172.17.101.1 255.255.255.128
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 hold-queue 4096 in

if there's no access group that means there's no access list applied right? or do access lists also somehow get applied globally?

clear ip nat trans didn't help. The nat rules aren't even coming into play. Once again when this version was applied
ip nat inside source 172.17.101.4 83.*.*.*,
 I had to actually go through a chain of
no ip nat outside,
no ip nat inside,
clear ip nat trans forced,
just for it to allow me to issue
no ip nat inside source 172.17.101.4 83.*.*.*

because it said it was in use otherwise.
0
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

 
dkrussianAuthor Commented:
meant to add ip nat inside source 172.17.101.4 83.*.*.* after the question of why does this work.
For a bit of extra information
ip nat inside source 172.17.101.4 83.*.*.*
breaks my ip phone of all things (vpn to a callmanager at work) while allowing all other services and pcs to work as normal. I have no idea why that might be either, and that's the real reason I can't abide just sticking with
 ip nat inside source 172.17.101.4 83.*.*.*
and need something a little bit more selective.
0
 
Istvan KalmarCommented:
Please show the whole config...
0
 
asavenerCommented:
Sometimes you have to run clear ip nat trans * immediately before removing the NAT statement.

If you use the ip nat inside source tcp 172.17.101.4 80 83.*.*.* 80 command and you run "show ip nat translation" does the NAT translation show up?
0
 
asavenerCommented:
Also, what version of IOS are you running?
0
 
dkrussianAuthor Commented:
Current configuration : 9353 bytes
!
! Last configuration change at 08:02:50 MSK Wed Mar 9 2011 by admin
!
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname -
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging console
enable secret 5 -
!
aaa new-model
!
!
aaa authentication banner ^CAccess restricted!!!^C
aaa authentication fail-message ^CYour attempt of authentication has been registered!!!^C
aaa authentication username-prompt "Login: "
aaa authentication login default local-case
aaa authentication enable default enable
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid _
   vlan 254
   authentication open
   authentication key-management wpa
!
dot11 -
   vlan 10
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii -
!
dot11 arp-cache
dot11 phone dot11e
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use class
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 172.17.101.1
ip dhcp ping packets 3
ip dhcp ping timeout 100
!
ip dhcp pool Kuzmin_Users
   network 172.17.101.0 255.255.255.128
   default-router 172.17.101.1
   dns-server 172.17.147.101 83.137.48.4
   domain-name -
   option 150 ip 172.17.147.97
   lease 0 0 5
!
!
ip cef
ip domain lookup source-interface BVI10
ip domain name -
ip name-server 172.17.32.202
ip name-server 172.17.32.203
ip inspect L2-transparent dhcp-passthrough
ip inspect tcp block-non-session
ip inspect name FW icmp
ip inspect name FW udp
ip inspect name FW tcp
ip inspect name FW daytime
ip inspect name FW ddns-v3
ip inspect name FW dns
ip inspect name FW esmtp
ip inspect name FW pop3
ip inspect name FW pop3s
ip inspect name FW imap
ip inspect name FW imap3
ip inspect name FW imaps
ip inspect name FW http
ip inspect name FW https
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW ftp
ip inspect name FW ftps
ip inspect name FW pptp
ip inspect name FW ssh
ip inspect name FW telnet
ip inspect name FW tftp
ip inspect name FW time
ip inspect name FW timed
no ip igmp snooping
!
no ipv6 cef
multilink bundle-name authenticated
!
password encryption aes
!
!
file verify auto
!
no spanning-tree vlan 1
no spanning-tree vlan 2
no spanning-tree vlan 101
no spanning-tree vlan 1002
no spanning-tree vlan 1003
no spanning-tree vlan 1004
no spanning-tree vlan 1005
vtp mode transparent
username admin privilege 0 user-maxlinks 1 secret 5 $1$e1N2$kS7tb4Id.IBgNoxF3tizW/
!
crypto keyring 4_Static_IPSec_clients
  description ============== Preshared key 4 leased IPSec's tunnel ==============
  pre-shared-key address -
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp profile Static_IPSec_profiles
   description ==================== 4 Static IPSec's tunnel =====================
   keyring 4_Static_IPSec_clients
   match identity address - 255.255.255.255
!
crypto ipsec security-association idle-time 120
!
crypto ipsec transform-set 2_ISB_Dev esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN_IPSec_2_ISB_Dev_office
 set transform-set 2_ISB_Dev
 set pfs group5
 set isakmp-profile Static_IPSec_profiles
!
!
archive
 log config
  hidekeys
 path flash:/config
 maximum 14
 write-memory
 time-period 86400
!
!
vlan 10
 name Kuzmin_Users
!
!
bridge irb
!
!
interface Tunnel0
 description ========================== Crypto tunnel ===========================
 ip address 172.17.1.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1427
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 tunnel source 83.*.*.*
 tunnel destination 195.*.*.*
 tunnel mode ipsec ipv4
 tunnel key -
 tunnel checksum
 tunnel protection ipsec profile VPN_IPSec_2_ISB_Dev_office
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet0
 switchport access vlan 10
 load-interval 30
 no cdp enable
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet1
 switchport access vlan 10
 load-interval 30
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet2
 switchport access vlan 10
 load-interval 30
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet3
 switchport access vlan 10
 load-interval 30
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet4
 ip address 83.*.*.* 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 hold-queue 4096 in
 hold-queue 4096 out
!
interface Dot11Radio0
 no ip address
 dot11 qos class background
    cw-min 5
    cw-max 8
    fixed-slot 3
 !
 dot11 qos class best-effort
    cw-min 5
    cw-max 8
    fixed-slot 2
 !
 dot11 qos class video
    cw-min 4
    cw-max 6
    fixed-slot 2
 !
 dot11 qos class voice
    cw-min 3
    cw-max 7
    fixed-slot 2
 !
 !
 encryption vlan 254 mode ciphers aes-ccm tkip
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 ssid _
 !
 ssid |||____Kuzmin_HOME_Wi-Fi____|||
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local ofdm 17
 power client 17
 packet retries 32
 station-role root
 rts retries 128
 antenna gain -128
 world-mode dot11d country RU both
 l2-filter bridge-group-acl
 infrastructure-client
 no cdp enable
 max-reserved-bandwidth 100
 hold-queue 4096 in
 hold-queue 4096 out
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.254
 encapsulation dot1Q 254
 no cdp enable
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 spanning-disabled
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
!
interface Vlan1
 description ================= Default VLAN: only shutdown !!! ==================
 no ip address
 shutdown
 hold-queue 4096 in
 hold-queue 4096 out
!
interface Vlan10
 description ====================== Wi-Fi bridge interface ======================
 no ip address
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 l2-filter bridge-group-acl
 bridge-group 10
 bridge-group 10 spanning-disabled
 hold-queue 4096 in
 hold-queue 4096 out
!
interface BVI10
 description ========================== LAN interface ===========================
 ip address 172.17.101.1 255.255.255.128
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 hold-queue 4096 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.137.51.169
ip route 172.17.147.96 255.255.255.224 172.17.1.1
ip route 172.17.247.96 255.255.255.224 172.17.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 172.17.101.4 80 83.*.*.* 80 extendable
ip nat inside source static udp 172.17.101.4 80 83.*.*.* 80 extendable
!
access-list 5 remark =============== VTY access && Backup config ================
access-list 5 permit 172.17.101.0 0.0.0.127
access-list 5 permit 172.17.5.0 0.0.0.255
access-list 5 permit 82.142.147.248 0.0.0.3
access-list 5 permit 213.247.244.248 0.0.0.3
access-list 5 remark ============================================================
access-list 110 remark ========================== NAT ===========================
access-list 110 permit ip 172.17.101.0 0.0.0.127 any
access-list 110 remark ==========================================================
access-list 110 permit tcp any any eq 28960
access-list 110 permit udp any any eq 28960
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq 80
!
!
!
!
!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
!
line con 0
 exec-timeout 60 0
 timeout login response 60
 no modem enable
 transport preferred none
 transport output telnet ssh
 stopbits 1
line aux 0
 exec-timeout 60 0
 timeout login response 60
 transport preferred none
 transport output none
 stopbits 1
line vty 0 4
 access-class 5 in
 exec-timeout 60 0
 timeout login response 60
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
no scheduler max-task-time
ntp server 62.117.76.142
ntp server 195.220.94.163
end
0
 
Istvan KalmarCommented:
Hi,
the config seems to be good....

I advise to 'write' the config and 'reload' the router!

Best regards,
Istvan
0
 
dkrussianAuthor Commented:
ip nat inside source static tcp 172.17.101.4 80 interface Fastethernet4 80

Is what finally worked for me. NO idea why this works and the external ip address does not. Maybe there's more than one address, or maybe something to do with when and how it does the translations, but for anyone else that ever runs into a similar problem, switching to the interface instead of the outside address does the trick.
0
 
dkrussianAuthor Commented:
This works, but still no idea why, if someone could explain it I'm sure it would save a lot of headaches in the future.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now