Solved

Cisco router NAT/ACL issue

Posted on 2013-01-20
10
773 Views
Last Modified: 2013-01-20
Hello, I am new here and have a question that seems to be going unanswered in other forums. So I have a Cisco 1921 ISR to replace our current solution, which is buggy and freezes daily. I have outside access in, and can ping/resolve hostnames from client computers and the router. We have several servers inside that are assigned private addresses that require NAT from the outside in. I have messed with ACLs and just settled on a permit-any setup until I can get the NAT working; however, I cannot figure this out.

I have permit any applied to both outside and inside interfaces (in), but the NAT still doesn't work. This is driving me crazy, as this is my first time using the Cisco CLI. I tried Cisco CP, but that is no help either. Below is my running-config. Thank you for your help!


Current configuration : 4606 bytes
!
! Last configuration change at 23:46:01 UTC Sun Jan 20 2013
version 15.1
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service compress-config
!
hostname ***Office_Local
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 /x.XXZBXS7rpLl3dj39.iDAFlt5lGcjTiUlUCQucW3U
!
no aaa new-model
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!
ip dhcp pool LAN
 network 10.1.1.0 255.255.255.0
 domain-name *******s.com
 dns-server ***.***.95.2 ***.***.94.250
 default-router 10.1.1.1
!
!
no ip bootp server
ip domain name rushstarwireless.com
ip name-server ***.***.95.2
ip name-server ***.***.94.250
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-810841858
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-810841858
 revocation-check none
 rsakeypair TP-self-signed-810841858
!
!
crypto pki certificate chain TP-self-signed-810841858
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38313038 34313835 38301E17 0D313231 30323932 31303732
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3831 30383431
  38353830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C925E5CB 784751A9 A03B0B5E 42B3AECA 7C04F3B3 29C06A3C 6CD3DC9C D842304F
  A99358BF 461F2019 4CF44369 1F463CAB 35FCFCCE 9FC3A5CC AD42EE14 83069FB2
  2AC82A69 146C265F 1595C4EA DF81AD83 4751A2DA A164ACFC 0FE36ED3 44544D66
  22E425A2 AC80DCC5 10ADC41A E2C4F4EE B98651C4 FB44FB1F 565B31C0 ACD82315
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014D1 367C56F0 E54B0E34 3CEDE18B DB7D5262 8D57ED30 1D060355
  1D0E0416 0414D136 7C56F0E5 4B0E343C EDE18BDB 7D52628D 57ED300D 06092A86
  4886F70D 01010505 00038181 006783F1 F2A10C59 F13EBE29 9BD17BB3 0D3138C5
  7664CD13 73E655BC DBC9C90E 8426D481 44E9D3E7 770EED7A 2AC09C70 467B06BD
  01F00AF9 4C94BA64 57DB99CC BCA9B746 6F49631C 3978EFF8 1ECE898C 3DAC8445
  068F3674 68C10BDC 830729AA 995C493C FA52EC6E 1EBE7F27 D04BD8B8 80F8DB1B
  E7C1D8E9 5C897E14 F40ABDE1 B9
        quit
license udi pid CISCO1921/K9 sn FGL16442155
!
!
username RSWAdmin privilege 15 secret 4 /x.XXZBXS7rpLl3dj39.iDAFlt5lGcjTiUlUCQucW3U
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description TimeWarner_******
 ip address ***.***.***.210 255.255.255.252
 ip access-group Internet in
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description Internal LAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group Internet in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool NAT_LAN ***.***.***.210 ***.***..210 prefix-length 30
ip nat pool RTP_FWD 10.1.1.5 10.1.1.5 netmask 255.255.255.0 type rotary
ip nat inside source list 10 pool NAT_LAN overload
ip nat inside source static tcp 10.1.1.181 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.1.1.181 80 interface GigabitEthernet0/0 80
ip nat inside destination list 100 pool RTP_FWD
ip route 0.0.0.0 0.0.0.0 ***.***.***.209
!
ip access-list standard Internet
 permit any
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.1.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 30
 password 7 107C4D0E091815020F55786A
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
Question by:StanKravets
10 Comments
LVL 28

Expert Comment

by:asavener
Can you ping 4.2.2.2 or 8.8.8.8 from the router?

Do the servers that are NAT'd have 10.1.1.1 as their default route?

Author Comment

by:StanKravets
Yes, I can ping 4.2.2.2 and 8.8.8.8 from both the router and the server. And the server has 10.1.1.1 as its default gateway.

Author Comment

by:StanKravets
Also, when I go to the URL of our server, it resolves to our global IP, but it asks for router access verification, so it is going to 10.1.1.1 instead of 10.1.1.181.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
>ip nat inside destination list 100 pool RTP_FWD
Remove this line

>ip access-group Internet in
Remove this from both interfaces
replace with below:

ip access-list extended Outside_in
 permit tcp any host ***.***.***.210 eq 443
 permit tcp any host ***.***.***.210 eq 80
 permit udp any eq domain any
 permit tcp any any established
 permit icmp any any

interface gig 0/0
 ip access-group Outside_in in

>ip nat pool NAT_LAN ***.***.***.210 ***.***..210 prefix-length 30
>ip nat pool RTP_FWD 10.1.1.5 10.1.1.5 netmask 255.255.255.0 type rotary
>ip nat inside source list 10 pool NAT_LAN overload
Remove all of these and replace with:

 ip nat inside source list 10 interface Gigabit0/0 overload
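The fragment below is an added worked example, not configuration from the thread or from lrmoore's post. It collects the accepted solution into one applyable block, makes the ACL direction keyword explicit (on IOS, `ip access-group NAME` without a direction is applied outbound), narrows the ICMP permit to the reply types a LAN-initiated session needs, and adds the verification commands. The page masks the public addresses, so 203.0.113.210 (router) and 203.0.113.209 (ISP gateway) from the documentation range stand in for them; the 3389-to-3395 RDP mapping is the one the asker adds further down the thread. Host names and addresses that are not in the original post are assumptions.

```cisco
! Inbound ACL on Gi0/0 is evaluated BEFORE outside-to-inside NAT, so it
! must match the PUBLIC address and the PUBLIC port (3395, not 3389),
! never the 10.1.1.181 host the traffic is translated to.
ip access-list extended Outside_in
 remark --- services published from 10.1.1.181 ---
 permit tcp any host 203.0.113.210 eq 443
 permit tcp any host 203.0.113.210 eq 80
 permit tcp any host 203.0.113.210 eq 3395
 remark --- replies to sessions the LAN started (stateless matching) ---
 permit udp any eq domain any
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface GigabitEthernet0/0
 description TimeWarner
 ip address 203.0.113.210 255.255.255.252
 no ip access-group Internet in
 ip access-group Outside_in in
 ip nat outside
!
interface GigabitEthernet0/1
 description Internal LAN
 ip address 10.1.1.1 255.255.255.0
 no ip access-group Internet in
 ip nat inside
!
! IOS refuses to delete a pool or dynamic rule while translations exist,
! so flush the table first. The rotary pool and the "inside destination"
! rule are what was redirecting inbound connections away from the statics.
clear ip nat translation *
no ip nat inside destination list 100 pool RTP_FWD
no ip nat pool RTP_FWD
no ip nat inside source list 10 pool NAT_LAN overload
no ip nat pool NAT_LAN
!
! One overload rule on the WAN interface replaces the single-address pool.
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.1.181 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.1.1.181 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.1.1.181 3389 interface GigabitEthernet0/0 3395
ip route 0.0.0.0 0.0.0.0 203.0.113.209
!
! Verification from the router
show ip nat translations
show ip nat statistics
show access-lists Outside_in
debug ip nat
```

Two caveats a practitioner would want. First, `permit tcp any any established` only checks the ACK/RST flags; it is not state tracking, so anything on the Internet can send crafted ACK segments at any inside port the dynamic NAT happens to have open. The stateful alternative on this platform is `ip inspect` (CBAC) or a zone-based firewall, which is a larger change than the thread makes. Second, the posted running-config still allows `transport input telnet ssh` on the vty lines and runs `ip http server` in clear text; `access-class 23` keeps both off the WAN, but management should be restricted to SSH and HTTPS regardless.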

Author Comment

by:StanKravets
Thank you for the reply, lrmoore. It definitely cleaned up the file. I now have access to the web server from outside clients, but for inside clients who need to access the site, it takes me to the CCP Express page. Any ideas to allow internal clients access?

I also added:

ip nat inside source static tcp 10.1.1.181 3389 interface gigabit0/0 3395

and:

permit tcp any host ***.***.***210 eq 3389
permit tcp any host ***.***.***210 eq 3395

to permit RDP from outside locations into the server, but it will not translate. If I RDP to 10.1.1.181 it works just fine. Any ideas? Thanks again for the help!
LVL 1

Expert Comment

by:cgitek
What happens if you map to the interface instead of the pool?

ip nat inside source list 10 interface GigabitEthernet0/0 overload

Edited: I see this has already been answered.

Author Comment

by:StanKravets
So I called someone on an outside network and they were able to RDP and access the web server from an outside network, but I cannot from the inside. There seems to be something forwarding between the interfaces maybe? Any ideas?
LVL 79

Expert Comment

by:lrmoore
Ah, the conundrum of trying to use the public ip for internal clients.
Internal clients' DNS must resolve the web site to the internal 10.x.x.x IP address whilst external clients resolve to the public IP. Simple as that.

Author Comment

by:StanKravets
So if I enable DNS on the router and set it to resolve the server FQDN to 10.1.x.x, and set DHCP to assign 10.1.1.1 as the primary DNS, would this in theory work?

Author Comment

by:StanKravets
I found that NAT NVI should work and I will try tomorrow. Either way, my current problem seems to be solved. Thanks so much for the help!
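The thread ends without showing either fix for the inside-client problem, so here is an added example (not configuration from the thread) of the two approaches the last comments name: lrmoore's split DNS, served by the router itself, and the NAT NVI (`ip nat enable`) hairpin the asker says they will try. The symptom reported earlier, the router's own "access verification" prompt when browsing the public address from the LAN, is consistent with this: `ip http server` on 10.1.1.1 answers port 80 for LAN sources (access-class 23 permits 10.1.1.0/24) because a LAN-to-public-address connection never traverses the `ip nat outside` interface and so never hits the static translation. www.example.com stands in for the real host name and 203.0.113.210 for the masked public address; both are assumptions.

```cisco
! ---- Option 1: split DNS on the router (the accepted answer's advice) ----
! The router answers LAN queries for the published name with the inside
! address and forwards everything else to the resolvers already listed
! under "ip name-server". LAN clients must be handed 10.1.1.1 as DNS.
ip dns server
ip host www.example.com 10.1.1.181
!
ip dhcp pool LAN
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 10.1.1.1
!
! ---- Option 2: NAT hairpinning with NVI ("ip nat enable") ----
! Domain-less NAT translates LAN traffic aimed at the public address on
! the way back out the same interface. It replaces the inside/outside
! rules; the two models cannot be mixed on the same interfaces.
clear ip nat translation *
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
no ip nat inside source static tcp 10.1.1.181 443 interface GigabitEthernet0/0 443
no ip nat inside source static tcp 10.1.1.181 80 interface GigabitEthernet0/0 80
no ip nat inside source static tcp 10.1.1.181 3389 interface GigabitEthernet0/0 3395
!
interface GigabitEthernet0/0
 no ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 no ip nat inside
 ip nat enable
!
! NVI statics take the public address explicitly (assumed 203.0.113.210).
ip nat source list 10 interface GigabitEthernet0/0 overload
ip nat source static tcp 10.1.1.181 443 203.0.113.210 443
ip nat source static tcp 10.1.1.181 80 203.0.113.210 80
ip nat source static tcp 10.1.1.181 3389 203.0.113.210 3395
!
show ip nat nvi translations
show ip nat nvi statistics
```

Option 1 is the smaller and safer change: the only new exposure is UDP/TCP 53 on 10.1.1.1 to the LAN, and the ACL on Gi0/0 already admits the replies to the router's upstream lookups. Option 2 works because the overload rule also rewrites the LAN client's source to the public address on the hairpinned flow, which forces the server's reply back through the router; the cost is that 10.1.1.181 logs every internal visitor as 203.0.113.210 and the router forwards every byte of LAN-to-server traffic twice.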