Solved

NAT question

Posted on 2011-03-06
747 Views
Last Modified: 2012-05-11
Ok, MediaWiki setup on a WAMP server with the most basic setup and no bells and whistles (default port 80 and all that, as far as I can tell)

Now, I need NAT to get to the thing from outside

This works:
ip nat inside source 172.17.101.4 83.*.*.*

This does not:
ip nat inside source tcp 172.17.101.4 80 83.*.*.* 80
ip nat inside source udp 172.17.101.4 80 83.*.*.* 80

Why? I'd really rather not have 100% of traffic being spammed at the router be redirected to my server, but I can't seem to get it to work on that one port alone. Does WAMP+MediaWiki actually need some other ports open? Is there a way to check why this is happening?
Question by:dkrussian
11 Comments
 

Expert Comment

by:Istvan Kalmar
Do you use same public address for NAT?
In this case it isn't working...

p.s.: after you change something with the NAT you need: 'clear ip nat trans *'

Best regards,
Istvan
 

Expert Comment

by:asavener
Do you have any access lists applied?  Unless you've permitted the traffic, an access list will block the connections even if a NAT rule is present.
 

Author Comment

by:dkrussian
Between this question and my other one, it's fast becoming clear I don't understand Cisco NAT and access-lists. If it's an access-list problem, then why the hell did this work?

 

Also:

interface BVI10
 description ========================== LAN interface ===========================
 ip address 172.17.101.1 255.255.255.128
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 hold-queue 4096 in

If there's no access group, that means there's no access list applied, right? Or do access lists also somehow get applied globally?

clear ip nat trans didn't help. The NAT rules aren't even coming into play. Once again, when this version was applied:
ip nat inside source 172.17.101.4 83.*.*.*
I had to actually go through a chain of
no ip nat outside
no ip nat inside
clear ip nat trans forced
just for it to allow me to issue
no ip nat inside source 172.17.101.4 83.*.*.*
because it said it was in use otherwise.
 

Author Comment

by:dkrussian
Meant to add ip nat inside source 172.17.101.4 83.*.*.* after the question of why this works.
For a bit of extra information:
ip nat inside source 172.17.101.4 83.*.*.*
breaks my IP phone of all things (VPN to a CallManager at work) while allowing all other services and PCs to work as normal. I have no idea why that might be either, and that's the real reason I can't abide just sticking with
ip nat inside source 172.17.101.4 83.*.*.*
and need something a little bit more selective.
 

Expert Comment

by:Istvan Kalmar
Please show the whole config...
 

Expert Comment

by:asavener
Sometimes you have to run clear ip nat trans * immediately before removing the NAT statement.

If you use the ip nat inside source tcp 172.17.101.4 80 83.*.*.* 80 command and you run "show ip nat translation" does the NAT translation show up?
 

Expert Comment

by:asavener
Also, what version of IOS are you running?
 

Author Comment

by:dkrussian
Current configuration : 9353 bytes
!
! Last configuration change at 08:02:50 MSK Wed Mar 9 2011 by admin
!
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname -
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging console
enable secret 5 -
!
aaa new-model
!
!
aaa authentication banner ^CAccess restricted!!!^C
aaa authentication fail-message ^CYour attempt of authentication has been registered!!!^C
aaa authentication username-prompt "Login: "
aaa authentication login default local-case
aaa authentication enable default enable
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid _
   vlan 254
   authentication open
   authentication key-management wpa
!
dot11 -
   vlan 10
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii -
!
dot11 arp-cache
dot11 phone dot11e
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use class
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 172.17.101.1
ip dhcp ping packets 3
ip dhcp ping timeout 100
!
ip dhcp pool Kuzmin_Users
   network 172.17.101.0 255.255.255.128
   default-router 172.17.101.1
   dns-server 172.17.147.101 83.137.48.4
   domain-name -
   option 150 ip 172.17.147.97
   lease 0 0 5
!
!
ip cef
ip domain lookup source-interface BVI10
ip domain name -
ip name-server 172.17.32.202
ip name-server 172.17.32.203
ip inspect L2-transparent dhcp-passthrough
ip inspect tcp block-non-session
ip inspect name FW icmp
ip inspect name FW udp
ip inspect name FW tcp
ip inspect name FW daytime
ip inspect name FW ddns-v3
ip inspect name FW dns
ip inspect name FW esmtp
ip inspect name FW pop3
ip inspect name FW pop3s
ip inspect name FW imap
ip inspect name FW imap3
ip inspect name FW imaps
ip inspect name FW http
ip inspect name FW https
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW ftp
ip inspect name FW ftps
ip inspect name FW pptp
ip inspect name FW ssh
ip inspect name FW telnet
ip inspect name FW tftp
ip inspect name FW time
ip inspect name FW timed
no ip igmp snooping
!
no ipv6 cef
multilink bundle-name authenticated
!
password encryption aes
!
!
file verify auto
!
no spanning-tree vlan 1
no spanning-tree vlan 2
no spanning-tree vlan 101
no spanning-tree vlan 1002
no spanning-tree vlan 1003
no spanning-tree vlan 1004
no spanning-tree vlan 1005
vtp mode transparent
username admin privilege 0 user-maxlinks 1 secret 5 $1$e1N2$kS7tb4Id.IBgNoxF3tizW/
!
crypto keyring 4_Static_IPSec_clients
  description ============== Preshared key 4 leased IPSec's tunnel ==============
  pre-shared-key address -
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp profile Static_IPSec_profiles
   description ==================== 4 Static IPSec's tunnel =====================
   keyring 4_Static_IPSec_clients
   match identity address - 255.255.255.255
!
crypto ipsec security-association idle-time 120
!
crypto ipsec transform-set 2_ISB_Dev esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN_IPSec_2_ISB_Dev_office
 set transform-set 2_ISB_Dev
 set pfs group5
 set isakmp-profile Static_IPSec_profiles
!
!
archive
 log config
  hidekeys
 path flash:/config
 maximum 14
 write-memory
 time-period 86400
!
!
vlan 10
 name Kuzmin_Users
!
!
bridge irb
!
!
interface Tunnel0
 description ========================== Crypto tunnel ===========================
 ip address 172.17.1.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1427
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 tunnel source 83.*.*.*
 tunnel destination 195.*.*.*
 tunnel mode ipsec ipv4
 tunnel key -
 tunnel checksum
 tunnel protection ipsec profile VPN_IPSec_2_ISB_Dev_office
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet0
 switchport access vlan 10
 load-interval 30
 no cdp enable
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet1
 switchport access vlan 10
 load-interval 30
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet2
 switchport access vlan 10
 load-interval 30
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet3
 switchport access vlan 10
 load-interval 30
 spanning-tree portfast
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet4
 ip address 83.*.*.* 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 hold-queue 4096 in
 hold-queue 4096 out
!
interface Dot11Radio0
 no ip address
 dot11 qos class background
    cw-min 5
    cw-max 8
    fixed-slot 3
 !
 dot11 qos class best-effort
    cw-min 5
    cw-max 8
    fixed-slot 2
 !
 dot11 qos class video
    cw-min 4
    cw-max 6
    fixed-slot 2
 !
 dot11 qos class voice
    cw-min 3
    cw-max 7
    fixed-slot 2
 !
 !
 encryption vlan 254 mode ciphers aes-ccm tkip
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 ssid _
 !
 ssid |||____Kuzmin_HOME_Wi-Fi____|||
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local ofdm 17
 power client 17
 packet retries 32
 station-role root
 rts retries 128
 antenna gain -128
 world-mode dot11d country RU both
 l2-filter bridge-group-acl
 infrastructure-client
 no cdp enable
 max-reserved-bandwidth 100
 hold-queue 4096 in
 hold-queue 4096 out
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.254
 encapsulation dot1Q 254
 no cdp enable
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 spanning-disabled
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
!
interface Vlan1
 description ================= Default VLAN: only shutdown !!! ==================
 no ip address
 shutdown
 hold-queue 4096 in
 hold-queue 4096 out
!
interface Vlan10
 description ====================== Wi-Fi bridge interface ======================
 no ip address
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 l2-filter bridge-group-acl
 bridge-group 10
 bridge-group 10 spanning-disabled
 hold-queue 4096 in
 hold-queue 4096 out
!
interface BVI10
 description ========================== LAN interface ===========================
 ip address 172.17.101.1 255.255.255.128
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 no ip mroute-cache
 load-interval 30
 hold-queue 4096 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.137.51.169
ip route 172.17.147.96 255.255.255.224 172.17.1.1
ip route 172.17.247.96 255.255.255.224 172.17.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 172.17.101.4 80 83.*.*.* 80 extendable
ip nat inside source static udp 172.17.101.4 80 83.*.*.* 80 extendable
!
access-list 5 remark =============== VTY access && Backup config ================
access-list 5 permit 172.17.101.0 0.0.0.127
access-list 5 permit 172.17.5.0 0.0.0.255
access-list 5 permit 82.142.147.248 0.0.0.3
access-list 5 permit 213.247.244.248 0.0.0.3
access-list 5 remark ============================================================
access-list 110 remark ========================== NAT ===========================
access-list 110 permit ip 172.17.101.0 0.0.0.127 any
access-list 110 remark ==========================================================
access-list 110 permit tcp any any eq 28960
access-list 110 permit udp any any eq 28960
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq 80
!
!
!
!
!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
!
line con 0
 exec-timeout 60 0
 timeout login response 60
 no modem enable
 transport preferred none
 transport output telnet ssh
 stopbits 1
line aux 0
 exec-timeout 60 0
 timeout login response 60
 transport preferred none
 transport output none
 stopbits 1
line vty 0 4
 access-class 5 in
 exec-timeout 60 0
 timeout login response 60
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
no scheduler max-task-time
ntp server 62.117.76.142
ntp server 195.220.94.163
end
 

Expert Comment

by:Istvan Kalmar
Hi,
the config seems to be good...

I advise you to 'write' the config and 'reload' the router!

Best regards,
Istvan
 

Accepted Solution

by: dkrussian (earned 0 total points)
ip nat inside source static tcp 172.17.101.4 80 interface Fastethernet4 80

Is what finally worked for me. NO idea why this works and the external ip address does not. Maybe there's more than one address, or maybe something to do with when and how it does the translations, but for anyone else that ever runs into a similar problem, switching to the interface instead of the outside address does the trick.
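An added audit helper, not code from the thread or from any of its participants: it parses static port-forward lines of the shape used above, checks that each inside host sits on an 'ip nat inside' subnet, flags a literal outside address that is really the outside interface's own address (the form the author replaced with 'interface FastEthernet4'), and flags a udp/80 forward for a web server that only listens on tcp/80. The embedded config is a constructed excerpt, with the public address replaced by a 203.0.113.0/24 documentation address (assumption).

```python
import ipaddress
import re

# Constructed excerpt shaped like the thread's config; public IP swapped for 203.0.113.0/24 (assumption).
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface BVI10
 ip address 172.17.101.1 255.255.255.128
 ip nat inside
ip nat inside source static tcp 172.17.101.4 80 interface FastEthernet4 80
ip nat inside source static udp 172.17.101.4 80 203.0.113.2 80 extendable
ip nat inside source static tcp 172.17.102.4 22 203.0.113.9 22
"""
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
                       r"(?:interface (\S+)|(\S+)) (\d+)", re.M)

def parse_interfaces(text):
    """Map interface name -> {'addr': ip_interface or None, 'role': 'inside'/'outside'/None}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = m.group(1)
            ifaces[cur] = {"addr": None, "role": None}
        elif cur and (m := ADDR_RE.match(line)):
            ifaces[cur]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and line.strip() in ("ip nat inside", "ip nat outside"):
            ifaces[cur]["role"] = line.split()[-1]
    return ifaces

def audit_static_nat(text):
    """One finding string per problem spotted in the static port forwards."""
    ifaces = parse_interfaces(text)
    inside = [i["addr"].network for i in ifaces.values() if i["role"] == "inside" and i["addr"]]
    outside = {str(i["addr"].ip): n for n, i in ifaces.items() if i["role"] == "outside" and i["addr"]}
    findings = []
    for proto, in_ip, in_port, _via, out_ip, out_port in STATIC_RE.findall(text):
        fwd = f"{proto}/{in_ip}:{in_port}"
        if not any(ipaddress.ip_address(in_ip) in net for net in inside):
            findings.append(f"{fwd}: inside host is on no 'ip nat inside' subnet")
        if out_ip and out_ip not in outside:
            findings.append(f"{fwd}: outside address {out_ip} is on no 'ip nat outside' interface")
        elif out_ip:  # literal address that is really the outside interface's own address
            findings.append(f"{fwd}: use 'interface {outside[out_ip]}' rather than its literal address")
        if proto == "udp" and out_port == "80":
            findings.append(f"{fwd}: udp/80 is forwarded but a WAMP web server only listens on tcp/80")
    return findings
```

Run it against a full 'show running-config' dump to get the same findings for every static forward in the box.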
 

Author Closing Comment

by:dkrussian
This works, but still no idea why, if someone could explain it I'm sure it would save a lot of headaches in the future.
