dkrussian
asked on
NAT question
Ok, mediawiki setup on wamp server with the most basic setup and no bells and whistles (default port 80 and all that as far as I can tell)
Now, I need NAT to get to the thing from outside
This works:
ip nat inside source 172.17.101.4 83.*.*.*
This does not:
ip nat inside source tcp 172.17.101.4 80 83.*.*.* 80
ip nat inside source udp 172.17.101.4 80 83.*.*.* 80
Why? I'd really rather not have 100% of traffic being spammed at the router be redirected to my server, but I can't seem to get it to work on that one port alone. Does wamp+mediawiki actually need some other ports open? Is there a way to check why this is happening?
Do you have any access lists applied? Unless you've permitted the traffic, an access list will block the connections even if a NAT rule is present.
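The two NAT forms in the question differ in what they expose, which is the real security point here: a whole-host static entry forwards every inbound port of 172.17.101.4, while the per-port form forwards only the named protocol/port. The following Python is an added example, not code from the thread; it models the matching decision an IOS static NAT entry makes for inbound packets and runs constructed probes through both forms. It assumes the `static` keyword that the posted running-config uses (the question's shorthand omits it) and uses the documentation address 203.0.113.10 as a placeholder for the masked 83.*.*.* outside address.

```python
"""Model which inbound packets a Cisco IOS static NAT entry forwards.

Added example, not from the thread. Two forms of `ip nat inside source static`
are modelled: whole-host (every port forwarded) and per-port (one protocol/port
pair). 203.0.113.10 is a placeholder for the router's masked 83.*.*.* address.
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # placeholder for the router's outside address
WIKI_HOST = "172.17.101.4"   # inside host from the thread


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None        # None = whole-host static NAT
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    @classmethod
    def parse(cls, line: str) -> "StaticNat":
        """Parse `ip nat inside source static [tcp|udp L lp] G [gp] [extendable]`."""
        toks = line.split()
        if toks[:5] != ["ip", "nat", "inside", "source", "static"]:
            raise ValueError(f"not a static NAT statement: {line!r}")
        rest = [t for t in toks[5:] if t != "extendable"]
        if rest[0] in ("tcp", "udp"):
            proto, local, lport, glob, gport = rest[:5]
            return cls(local, glob, proto, int(lport), int(gport))
        local, glob = rest[:2]
        return cls(local, glob)

    def match_inbound(self, proto: str, dst_ip: str, dst_port: int):
        """Return (inside ip, port) an outside->inside packet is forwarded to, or None."""
        if dst_ip != self.inside_global:
            return None
        if self.proto is None:                       # whole-host: every port
            return (self.inside_local, dst_port)
        if proto == self.proto and dst_port == self.global_port:
            return (self.inside_local, self.local_port)
        return None


def exposed_ports(rules, probe_ports=(22, 80, 443, 3389, 445)):
    """Send constructed inbound probes at PUBLIC_IP and report where each lands.

    Returns {(proto, port): inside_target_or_None}; the first matching rule wins.
    """
    result = {}
    for proto in ("tcp", "udp"):
        for port in probe_ports:
            target = None
            for rule in rules:
                target = rule.match_inbound(proto, PUBLIC_IP, port)
                if target:
                    break
            result[(proto, port)] = target
    return result


# The two rule sets from the thread, with the placeholder outside address.
WHOLE_HOST = [StaticNat.parse(f"ip nat inside source static {WIKI_HOST} {PUBLIC_IP}")]
PORT_ONLY = [
    StaticNat.parse(f"ip nat inside source static tcp {WIKI_HOST} 80 {PUBLIC_IP} 80 extendable"),
    StaticNat.parse(f"ip nat inside source static udp {WIKI_HOST} 80 {PUBLIC_IP} 80 extendable"),
]

if __name__ == "__main__":
    for name, rules in (("whole-host static NAT", WHOLE_HOST), ("per-port static NAT", PORT_ONLY)):
        probes = exposed_ports(rules)
        hits = {k: v for k, v in probes.items() if v}
        print(f"{name}: {len(hits)} of {len(probes)} probes forwarded -> {hits}")
```

Run it and the whole-host form forwards all ten probes (including TCP 3389 and 445 to the wiki box), while the per-port form forwards only TCP/80 and UDP/80; since MediaWiki on WAMP serves HTTP over TCP, the UDP/80 entry adds nothing useful.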
ASKER
Between this question and my other one, it's fast becoming clear I don't understand Cisco NAT and access-lists. If it's an access-list problem, then why the hell did this work?
also
interface BVI10
description ========================== LAN interface ===========================
ip address 172.17.101.1 255.255.255.128
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
no ip mroute-cache
load-interval 30
hold-queue 4096 in
If there's no access group that means there's no access list applied, right? Or do access lists also somehow get applied globally?
clear ip nat trans didn't help. The nat rules aren't even coming into play. Once again when this version was applied
ip nat inside source 172.17.101.4 83.*.*.*,
I had to actually go through a chain of
no ip nat outside,
no ip nat inside,
clear ip nat trans forced,
just for it to allow me to issue
no ip nat inside source 172.17.101.4 83.*.*.*
because it said it was in use otherwise.
ASKER
meant to add ip nat inside source 172.17.101.4 83.*.*.* after the question of why does this work.
For a bit of extra information
ip nat inside source 172.17.101.4 83.*.*.*
breaks my IP phone of all things (VPN to a CallManager at work) while allowing all other services and PCs to work as normal. I have no idea why that might be either, and that's the real reason I can't abide just sticking with
ip nat inside source 172.17.101.4 83.*.*.*
and need something a little bit more selective.
Please show the whole config...
Sometimes you have to run clear ip nat trans * immediately before removing the NAT statement.
If you use the ip nat inside source tcp 172.17.101.4 80 83.*.*.* 80 command and you run "show ip nat translation" does the NAT translation show up?
Also, what version of IOS are you running?
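The suggestion above, checking `show ip nat translations` for the static entry, is easy to script once you know that static entries show up with `---` in both outside columns, so their presence can be verified before any client ever connects. This is an added example, not from the thread: the sample output is constructed in the IOS 12.x column layout, and 203.0.113.10 stands in for the masked 83.*.*.* outside address.

```python
"""Check `show ip nat translations` output for an expected static entry.

Added example, not from the thread. SAMPLE_OUTPUT is constructed in the IOS
12.x column layout (Pro, Inside global, Inside local, Outside local, Outside
global); 203.0.113.10 is a placeholder for the router's masked 83.*.*.* address.
"""
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global"
)

# Constructed sample: two static per-port entries for the wiki host, plus three
# dynamic PAT sessions belonging to another inside host.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:80    172.17.101.4:80    ---                ---
udp 203.0.113.10:80    172.17.101.4:80    ---                ---
tcp 203.0.113.10:1025  172.17.101.10:1025 198.51.100.7:443   198.51.100.7:443
udp 203.0.113.10:53011 172.17.101.10:53011 172.17.32.202:53  172.17.32.202:53
icmp 203.0.113.10:1    172.17.101.10:1    198.51.100.9:1     198.51.100.9:1
"""


def parse_translations(text):
    """Parse the table into Translation rows, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Translation(*parts))
    return rows


def split_sock(sock):
    """'a.b.c.d:port' -> (ip, port); the '---' placeholder -> (None, None)."""
    if sock == "---":
        return (None, None)
    ip, _, port = sock.rpartition(":")
    return (ip, int(port))


def static_entries(rows):
    """Static (non-session) entries carry no outside addresses."""
    return [r for r in rows if r.outside_local == "---" and r.outside_global == "---"]


def has_static_port_entry(rows, proto, inside_ip, inside_port, global_ip, global_port):
    """True if the static per-port translation you configured is actually installed."""
    for r in static_entries(rows):
        if r.proto != proto:
            continue
        if (split_sock(r.inside_local) == (inside_ip, inside_port)
                and split_sock(r.inside_global) == (global_ip, global_port)):
            return True
    return False


def active_sessions_for(rows, inside_ip):
    """Dynamic (overload/PAT) sessions currently open for one inside host."""
    return [
        r for r in rows
        if split_sock(r.inside_local)[0] == inside_ip and r.outside_global != "---"
    ]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    print("static entries:", static_entries(rows))
    print("tcp/80 for 172.17.101.4 present:",
          has_static_port_entry(rows, "tcp", "172.17.101.4", 80, "203.0.113.10", 80))
```

If the static entry is missing from the table, the NAT statement never took effect (a stale translation or an unapplied inside/outside interface are the usual reasons); if it is present but outside clients still cannot connect, the problem lies elsewhere, for example in an access list or on the host itself.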
ASKER
Current configuration : 9353 bytes
!
! Last configuration change at 08:02:50 MSK Wed Mar 9 2011 by admin
!
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname -
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging console
enable secret 5 -
!
aaa new-model
!
!
aaa authentication banner ^CAccess restricted!!!^C
aaa authentication fail-message ^CYour attempt of authentication has been registered!!!^C
aaa authentication username-prompt "Login: "
aaa authentication login default local-case
aaa authentication enable default enable
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid _
vlan 254
authentication open
authentication key-management wpa
!
dot11 -
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii -
!
dot11 arp-cache
dot11 phone dot11e
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use class
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 172.17.101.1
ip dhcp ping packets 3
ip dhcp ping timeout 100
!
ip dhcp pool Kuzmin_Users
network 172.17.101.0 255.255.255.128
default-router 172.17.101.1
dns-server 172.17.147.101 83.137.48.4
domain-name -
option 150 ip 172.17.147.97
lease 0 0 5
!
!
ip cef
ip domain lookup source-interface BVI10
ip domain name -
ip name-server 172.17.32.202
ip name-server 172.17.32.203
ip inspect L2-transparent dhcp-passthrough
ip inspect tcp block-non-session
ip inspect name FW icmp
ip inspect name FW udp
ip inspect name FW tcp
ip inspect name FW daytime
ip inspect name FW ddns-v3
ip inspect name FW dns
ip inspect name FW esmtp
ip inspect name FW pop3
ip inspect name FW pop3s
ip inspect name FW imap
ip inspect name FW imap3
ip inspect name FW imaps
ip inspect name FW http
ip inspect name FW https
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW ftp
ip inspect name FW ftps
ip inspect name FW pptp
ip inspect name FW ssh
ip inspect name FW telnet
ip inspect name FW tftp
ip inspect name FW time
ip inspect name FW timed
no ip igmp snooping
!
no ipv6 cef
multilink bundle-name authenticated
!
password encryption aes
!
!
file verify auto
!
no spanning-tree vlan 1
no spanning-tree vlan 2
no spanning-tree vlan 101
no spanning-tree vlan 1002
no spanning-tree vlan 1003
no spanning-tree vlan 1004
no spanning-tree vlan 1005
vtp mode transparent
username admin privilege 0 user-maxlinks 1 secret 5 $1$e1N2$kS7tb4Id.IBgNoxF3tizW/
!
crypto keyring 4_Static_IPSec_clients
description ============== Preshared key 4 leased IPSec's tunnel ==============
pre-shared-key address -
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp profile Static_IPSec_profiles
description ==================== 4 Static IPSec's tunnel =====================
keyring 4_Static_IPSec_clients
match identity address - 255.255.255.255
!
crypto ipsec security-association idle-time 120
!
crypto ipsec transform-set 2_ISB_Dev esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile VPN_IPSec_2_ISB_Dev_office
set transform-set 2_ISB_Dev
set pfs group5
set isakmp-profile Static_IPSec_profiles
!
!
archive
log config
hidekeys
path flash:/config
maximum 14
write-memory
time-period 86400
!
!
vlan 10
name Kuzmin_Users
!
!
bridge irb
!
!
interface Tunnel0
description ========================== Crypto tunnel ===========================
ip address 172.17.1.2 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1427
ip flow ingress
ip route-cache same-interface
ip route-cache policy
no ip mroute-cache
load-interval 30
tunnel source 83.*.*.*
tunnel destination 195.*.*.*
tunnel mode ipsec ipv4
tunnel key -
tunnel checksum
tunnel protection ipsec profile VPN_IPSec_2_ISB_Dev_office
hold-queue 4096 in
hold-queue 4096 out
!
interface FastEthernet0
switchport access vlan 10
load-interval 30
no cdp enable
spanning-tree portfast
hold-queue 4096 in
hold-queue 4096 out
!
interface FastEthernet1
switchport access vlan 10
load-interval 30
spanning-tree portfast
hold-queue 4096 in
hold-queue 4096 out
!
interface FastEthernet2
switchport access vlan 10
load-interval 30
spanning-tree portfast
hold-queue 4096 in
hold-queue 4096 out
!
interface FastEthernet3
switchport access vlan 10
load-interval 30
spanning-tree portfast
hold-queue 4096 in
hold-queue 4096 out
!
interface FastEthernet4
ip address 83.*.*.* 255.255.255.252
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
hold-queue 4096 in
hold-queue 4096 out
!
interface Dot11Radio0
no ip address
dot11 qos class background
cw-min 5
cw-max 8
fixed-slot 3
!
dot11 qos class best-effort
cw-min 5
cw-max 8
fixed-slot 2
!
dot11 qos class video
cw-min 4
cw-max 6
fixed-slot 2
!
dot11 qos class voice
cw-min 3
cw-max 7
fixed-slot 2
!
!
encryption vlan 254 mode ciphers aes-ccm tkip
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
ssid _
!
ssid |||____Kuzmin_HOME_Wi-Fi____|||
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local ofdm 17
power client 17
packet retries 32
station-role root
rts retries 128
antenna gain -128
world-mode dot11d country RU both
l2-filter bridge-group-acl
infrastructure-client
no cdp enable
max-reserved-bandwidth 100
hold-queue 4096 in
hold-queue 4096 out
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.254
encapsulation dot1Q 254
no cdp enable
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
!
interface Vlan1
description ================= Default VLAN: only shutdown !!! ==================
no ip address
shutdown
hold-queue 4096 in
hold-queue 4096 out
!
interface Vlan10
description ====================== Wi-Fi bridge interface ======================
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip route-cache policy
no ip mroute-cache
load-interval 30
l2-filter bridge-group-acl
bridge-group 10
bridge-group 10 spanning-disabled
hold-queue 4096 in
hold-queue 4096 out
!
interface BVI10
description ========================== LAN interface ===========================
ip address 172.17.101.1 255.255.255.128
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
no ip mroute-cache
load-interval 30
hold-queue 4096 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.137.51.169
ip route 172.17.147.96 255.255.255.224 172.17.1.1
ip route 172.17.247.96 255.255.255.224 172.17.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 172.17.101.4 80 83.*.*.* 80 extendable
ip nat inside source static udp 172.17.101.4 80 83.*.*.* 80 extendable
!
access-list 5 remark =============== VTY access && Backup config ================
access-list 5 permit 172.17.101.0 0.0.0.127
access-list 5 permit 172.17.5.0 0.0.0.255
access-list 5 permit 82.142.147.248 0.0.0.3
access-list 5 permit 213.247.244.248 0.0.0.3
access-list 5 remark ============================================================
access-list 110 remark ========================== NAT ===========================
access-list 110 permit ip 172.17.101.0 0.0.0.127 any
access-list 110 remark ==============================================================
access-list 110 permit tcp any any eq 28960
access-list 110 permit udp any any eq 28960
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq 80
!
!
!
!
!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
!
line con 0
exec-timeout 60 0
timeout login response 60
no modem enable
transport preferred none
transport output telnet ssh
stopbits 1
line aux 0
exec-timeout 60 0
timeout login response 60
transport preferred none
transport output none
stopbits 1
line vty 0 4
access-class 5 in
exec-timeout 60 0
timeout login response 60
transport preferred ssh
transport input ssh
transport output telnet ssh
!
no scheduler max-task-time
ntp server 62.117.76.142
ntp server 195.220.94.163
end
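With the full config in view, the checks a reviewer would run on its NAT and firewall parts can be scripted. The Python below is an added example, not from the thread or from Cisco: its CONFIG is a constructed fragment that keeps the NAT, access-list and inspect lines from the posted config, with 203.0.113.10 standing in for the masked 83.*.*.* outside address. It reports every static NAT entry with what it exposes (a whole-host entry forwards every port of the inside host), flags `ip inspect name` rule sets that are never applied to an interface with `ip inspect <name> in|out` (as in the posted config, where the FW set is defined but not applied anywhere), and lists `permit ... any any` lines in the NAT source list, which are broader than a NAT ACL needs since it only has to match the inside addresses to be translated.

```python
"""Audit NAT exposure and unapplied inspection in an IOS running-config.

Added example, not from the thread. CONFIG is a constructed fragment based on
the posted config; 203.0.113.10 is a placeholder for the masked 83.*.*.* address.
"""
import re

CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
!
interface BVI10
 ip address 172.17.101.1 255.255.255.128
 ip nat inside
!
ip inspect tcp block-non-session
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 172.17.101.4 80 203.0.113.10 80 extendable
ip nat inside source static udp 172.17.101.4 80 203.0.113.10 80 extendable
access-list 110 permit ip 172.17.101.0 0.0.0.127 any
access-list 110 permit tcp any any eq 28960
access-list 110 permit udp any any eq 28960
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq 80
"""

# Whole-host form: `static L G`; per-port form: `static tcp|udp L lp G gp`.
STATIC_RE = re.compile(
    r"^ip nat inside source static"
    r"(?: (?P<proto>tcp|udp) (?P<local>\S+) (?P<lport>\d+) (?P<glob>\S+) (?P<gport>\d+)"
    r"| (?P<local2>\S+) (?P<glob2>\S+))"
)


def static_nat_entries(config):
    """Return one dict per static NAT line; all_ports marks whole-host entries."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        if m.group("proto"):
            out.append({"proto": m.group("proto"), "local": m.group("local"),
                        "lport": int(m.group("lport")), "global": m.group("glob"),
                        "gport": int(m.group("gport")), "all_ports": False})
        else:
            out.append({"proto": None, "local": m.group("local2"), "lport": None,
                        "global": m.group("glob2"), "gport": None, "all_ports": True})
    return out


def unapplied_inspect_sets(config):
    """Rule sets defined with `ip inspect name X ...` but never applied with `ip inspect X in|out`."""
    defined = set(re.findall(r"^ip inspect name (\S+)", config, re.M))
    applied = set(re.findall(r"^\s+ip inspect (\S+) (?:in|out)\b", config, re.M))
    return sorted(defined - applied)


def nat_acl_number(config):
    """The access list named by `ip nat inside source list N ...`, or None."""
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    return m.group(1) if m else None


def broad_nat_acl_lines(config, acl):
    """Entries of the NAT source list that permit from `any` rather than inside sources."""
    pat = re.compile(rf"^access-list {re.escape(acl)} permit (\S+) any any\b", re.M)
    return [m.group(0) for m in pat.finditer(config)]


def audit(config):
    """Collect human-readable findings for the config."""
    findings = []
    for e in static_nat_entries(config):
        if e["all_ports"]:
            findings.append(f"{e['local']}: ALL ports reachable from outside via {e['global']}")
        else:
            findings.append(f"{e['local']}: {e['proto']}/{e['lport']} reachable via "
                            f"{e['global']}:{e['gport']}")
    for name in unapplied_inspect_sets(config):
        findings.append(f"inspect rule set '{name}' is defined but applied to no interface")
    acl = nat_acl_number(config)
    for line in (broad_nat_acl_lines(config, acl) if acl else []):
        findings.append(f"NAT ACL {acl} has a source-any entry: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("-", finding)
```

Running it against the constructed fragment lists the two per-port entries for 172.17.101.4, reports the FW inspect set as unapplied, and flags the four `any any` lines in list 110; swapping in a whole-host entry such as `ip nat inside source static 172.17.101.4 203.0.113.10` produces the "ALL ports reachable" finding, which is exactly the exposure the asker is trying to avoid.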
Hi,
The config seems to be good...
I advise you to 'write' the config and 'reload' the router!
Best regards,
Istvan
ASKER CERTIFIED SOLUTION
ASKER
This works, but still no idea why, if someone could explain it I'm sure it would save a lot of headaches in the future.
In this case it isn't working...
P.S.: after you change something with the NAT you need to run 'clear ip nat trans *'.
Best regards,
Istvan