Solved

Cisco NAT to public subnet attached to outside interface

Posted on 2013-01-22
673 Views
Last Modified: 2014-11-14
Hello,

With the below configuration, we're attempting to access the public IP subnet directly attached to FE 0. Specifically, computers in the 192.168.160.0/24 and 192.168.161.0/24 subnets are attempting to access 162.95.44.51 & 162.95.44.52. They are able to ping these addresses, but the web service on port 80 at those servers does not return. We are, however, able to access these IP addresses and ports from a different connection.

192.168.160.0/24 & 192.168.161.0/24 are behind a NAT process and 162.95.44.0/26 is on the outside of this NAT. In the "PAT" access list, I've previously added a rule at line 3, before the permit statements, to deny source 192.168.0.0/16 to destination 162.95.44.0/26. This should effectively allow packets through to our public subnet without being NAT'd. Resources in that subnet have applicable routes back to the private networks. When I do this, nothing works, not even pings.

I would like to keep using NAT to access servers in the 162.95.44.0/26 subnet.



version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
!
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name xxxxxxx
!
multilink bundle-name authenticated
async-bootp dns-server 192.168.161.3 10.80.1.10 10.20.1.11
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel receive-window 256
!
!
!
username gdiadmin privilege 15 secret 5 xxxxxxxxxxxx
!
crypto logging session
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 5
crypto isakmp key xxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set AES128-MD5 esp-aes esp-md5-hmac
 mode transport
crypto ipsec fragmentation after-encryption
!
crypto map Secure_Tunnels 20 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set AES128-MD5
 match address 120
crypto map Secure_Tunnels 40 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set AES128-MD5
 match address 140
crypto map Secure_Tunnels 41 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set AES128-MD5
 match address 141
crypto map Secure_Tunnels 61 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set AES128-MD5
 match address 161
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface Loopback30
 ip address 10.30.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback107
 ip address 10.30.7.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel20
 bandwidth 3000
 ip address 10.255.248.30 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 xxxxxxx
 ip ospf mtu-ignore
 tunnel source FastEthernet0
 tunnel destination 1.1.1.1
!
interface Tunnel40
 bandwidth 3000
 ip address 10.255.248.162 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 xxxxxxx
 ip ospf mtu-ignore
 tunnel source FastEthernet0
 tunnel destination 2.2.2.2
!
interface Tunnel41
 bandwidth 3000
 ip address 10.255.248.222 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 xxxxxxx
 ip ospf mtu-ignore
 tunnel source FastEthernet0
 tunnel destination 3.3.3.3
!!
interface FastEthernet0
 bandwidth 3000
 ip address 162.95.44.2 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 160
!
interface FastEthernet3
 switchport access vlan 161
!
interface FastEthernet4
 switchport access vlan 162
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Virtual-Template1
 mtu 1400
 ip unnumbered Loopback107
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool StPaul-VPN-Pool
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
 no ip address
!
interface Vlan160
 description "To DMZ"
 ip address 192.168.160.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan161
 description "To LAN"
 ip dhcp relay information check-reply
 ip address 192.168.161.1 255.255.255.0
 ip helper-address 192.168.161.3
 ip helper-address 192.168.161.9
 ip nat inside
 ip virtual-reassembly
!
interface Vlan162
 description "To Guest"
 ip address 192.168.162.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
router ospf 1
 router-id 10.30.0.0
 no log-adjacency-changes
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 redistribute static subnets
 passive-interface default
 network 10.0.0.0 0.255.255.255 area 0
!
ip local pool StPaul-VPN-Pool 10.30.7.10 10.30.7.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0 162.95.44.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list PAT interface FastEthernet0 overload
ip nat inside source static tcp 192.168.160.7 80 162.95.44.7 80 extendable
ip nat inside source static tcp 192.168.160.8 21 162.95.44.8 21 extendable
ip nat inside source static tcp 192.168.161.8 80 162.95.44.9 80 extendable
ip nat inside source static tcp 192.168.161.8 9999 162.95.44.9 9999 extendable
ip nat inside source static tcp 192.168.161.12 25 162.95.44.10 25 extendable
ip nat inside source static tcp 192.168.161.12 80 162.95.44.10 80 extendable
ip nat inside source static tcp 192.168.161.12 443 162.95.44.10 443 extendable
ip nat inside source static tcp 192.168.161.12 6001 162.95.44.10 6001 extendable
ip nat inside source static tcp 192.168.161.12 6002 162.95.44.10 6002 extendable
ip nat inside source static tcp 192.168.161.12 6004 162.95.44.10 6004 extendable
ip nat inside source static tcp 192.168.160.11 80 162.95.44.11 80 extendable
ip nat inside source static tcp 192.168.161.43 1027 162.95.44.17 1027 extendable
ip nat inside source static tcp 192.168.161.43 8377 162.95.44.17 8377 extendable
ip nat inside source static tcp 192.168.161.43 8379 162.95.44.17 8379 extendable
ip nat inside source static tcp 192.168.161.43 8390 162.95.44.17 8390 extendable
ip nat inside source static tcp 192.168.161.18 8395 162.95.44.18 8395 extendable
ip nat inside source static tcp 192.168.161.18 8399 162.95.44.18 8399 extendable
ip nat inside source static tcp 192.168.161.26 80 162.95.44.20 80 extendable
ip nat inside source static tcp 192.168.161.20 8377 162.95.44.21 8377 extendable
ip nat inside source static tcp 192.168.161.20 8379 162.95.44.21 8379 extendable
ip nat inside source static tcp 192.168.161.48 8384 162.95.44.24 8384 extendable
ip nat inside source static tcp 192.168.161.48 8385 162.95.44.24 8385 extendable
ip nat inside source static tcp 192.168.161.50 8377 162.95.44.25 8377 extendable
ip nat inside source static tcp 192.168.161.50 8379 162.95.44.25 8379 extendable
ip nat inside source static tcp 192.168.161.51 8377 162.95.44.27 8377 extendable
ip nat inside source static tcp 192.168.161.51 8379 162.95.44.27 8379 extendable
ip nat inside source static tcp 192.168.161.29 8377 162.95.44.41 8377 extendable
ip nat inside source static tcp 192.168.161.29 8379 162.95.44.41 8379 extendable
ip nat inside source static tcp 192.168.161.28 80 162.95.44.42 80 extendable
ip nat inside source static tcp 192.168.161.28 8377 162.95.44.42 8377 extendable
ip nat inside source static tcp 192.168.161.28 8400 162.95.44.42 8400 extendable
ip nat inside source static 192.168.161.44 162.95.44.44 route-map WrightHennepin extendable
ip nat inside source static tcp 192.168.161.45 8377 162.95.44.45 8377 extendable
ip nat inside source static tcp 192.168.161.45 8381 162.95.44.45 8381 extendable
ip nat inside source static tcp 192.168.161.27 8379 162.95.44.46 8379 extendable
ip nat inside source static tcp 192.168.161.47 8377 162.95.44.47 8377 extendable
ip nat inside source static tcp 192.168.161.47 8379 162.95.44.47 8379 extendable
ip nat inside source static tcp 192.168.161.47 8380 162.95.44.47 8380 extendable
ip nat inside source static tcp 192.168.161.47 8381 162.95.44.47 8381 extendable
ip nat inside source static tcp 192.168.161.19 8377 162.95.44.49 8377 extendable
ip nat inside source static tcp 192.168.161.19 8380 162.95.44.49 8380 extendable
ip nat inside source static tcp 192.168.161.56 8377 162.95.44.56 8377 extendable
ip nat inside source static tcp 192.168.161.56 8379 162.95.44.56 8379 extendable
ip nat inside source static tcp 192.168.161.57 8377 162.95.44.57 8377 extendable
ip nat inside source static tcp 192.168.161.57 8379 162.95.44.57 8379 extendable
ip nat inside source static tcp 192.168.161.58 8377 162.95.44.58 8377 extendable
ip nat inside source static tcp 192.168.161.58 8379 162.95.44.58 8379 extendable
ip nat inside source static tcp 192.168.161.38 80 162.95.44.60 80 extendable
ip nat inside source static tcp 192.168.161.38 8080 162.95.44.60 8080 extendable
!
ip access-list extended BGE-RDP-ACCESS
 permit tcp host 192.168.161.37 eq 3389 host x.x.x.x
 permit tcp host 192.168.161.37 eq 3389 host x.x.x.x
 permit tcp host 192.168.161.37 eq 3389 host x.x.x.x
!
ip access-list extended PAT
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.160.0 0.0.0.255 any
 permit ip 192.168.161.0 0.0.0.255 any
 permit ip 192.168.162.0 0.0.0.255 any
!
ip access-list extended WrightHennepin
 permit udp host 192.168.161.44 host x.x.x.x range 10000 10200
!
ip radius source-interface Loopback30
access-list 120 permit gre host 162.95.44.2 host 1.1.1.1
access-list 140 permit gre host 162.95.44.2 host 2.2.2.2
access-list 141 permit gre host 162.95.44.2 host 3.3.3.3
access-list 161 permit ip 10.0.0.0 0.255.255.255 10.61.0.0 0.0.255.255
!
!
!
route-map BGE-RDP-ACCESS permit 10
 match ip address BGE-RDP-ACCESS
!
route-map WrightHennepin permit 10
 match ip address WrightHennepin
!
!
!
radius-server host 10.20.1.15 auth-port 1812 acct-port 1813
radius-server key 7 xxxxxxxxxxxxxxxxxxx
!
control-plane
!
banner motd ^CC
NOTICE TO USERS:


THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may
be intercepted, monitored, recorded, copied, audited, inspected,
and disclosed to authorized site and law enforcement personnel,
as well as authorized officials of other agencies, both domestic
and foreign.  By using this system, the user consents to such
interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site personnel.

Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and
consent to these terms and conditions of use.   LOG OFF IMMEDIATELY
if you do not agree to the conditions stated in this warning.
^C
!
line con 0
 privilege level 15
 speed 115200
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 3
 transport preferred ssh
 transport input ssh
line vty 4
 privilege level 15
 transport preferred ssh
 transport input ssh
!
ntp server 169.229.70.201
ntp server 24.124.0.251
ntp server 209.177.157.224
end

Question by:mharmon_geo
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38808551
Check the return path routing from the server going back to the NAT'd client. When I have come across this, it was usually split routing with a firewall or NAT device. Pings will work because they are stateless, and many firewalls are configured to plainly allow pings regardless of state or interface source/destination, which can lead to a false sense that things are routing correctly.

Also, check the ARP table on the server immediately following a ping or HTTP connection. You should see the correct source address and MAC of the router. Don't forget that servers can have static routes as well that can mess things up (those are among my most frustrating customer issues because I never think about that until hours into troubleshooting).
0
 
LVL 6

Accepted Solution

by:
airwrck earned 500 total points
ID: 38808938
Your access-list is "upside down". Remember to permit the stuff you want to permit before denying the stuff you want to deny, otherwise it never gets there, especially since 192.168.160, 161, and 162 are all encompassed in 192.168.0.0 0.0.255.255.

Try this:

ip access-list extended PAT
 permit ip 192.168.160.0 0.0.0.255 any
 permit ip 192.168.161.0 0.0.0.255 any
 permit ip 192.168.162.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
0
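Added example for this thread (not code from either post): a small first-match evaluator for the PAT list, so the effect of entry order in an "ip nat inside source list" ACL can be checked offline before touching the router. It parses the three variants discussed here (the list as posted, the accepted answer's order, and the exemption line the question describes, which I render as "deny ip 192.168.0.0 0.0.255.255 162.95.44.0 0.0.0.63"; that wildcard is my reconstruction of the /26). The sample flows, the host 192.168.161.5 and the address 203.0.113.9 are constructed test values.

```python
"""First-match evaluation of a Cisco IOS extended ACL used as a NAT inside source list.

Added example for this thread, not code from the original posts. IOS walks an
ACL top to bottom, the first entry whose source and destination both match
decides, and a packet that matches nothing hits the implicit deny at the end.
In "ip nat inside source list PAT ...", permit means "translate this flow" and
deny means "forward it untranslated".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    protocol: str                # the PAT list only uses "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """An IOS wildcard is an inverted netmask: 0 bits must match, 1 bits are don't-care.
    Assumes a contiguous wildcard (IPv4Network rejects anything else)."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((address, str(ipaddress.IPv4Address(netmask))), strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the entries of a named extended ACL; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
            continue
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        entries.append(AclEntry(tokens[0], tokens[1], src, dst))
    return entries


def first_match(entries: List[AclEntry], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Return (1-based entry number, action) of the first matching entry, or (None, 'deny')."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for number, entry in enumerate(entries, start=1):
        if entry.protocol == "ip" and s in entry.src and d in entry.dst:
            return number, entry.action
    return None, "deny"          # implicit deny at the end of every IOS ACL


def nat_decision(acl_text: str, src: str, dst: str) -> str:
    """Human-readable verdict: would this flow be translated, and which entry decided it."""
    number, action = first_match(parse_acl(acl_text), src, dst)
    where = f"entry {number}" if number else "implicit deny"
    return f"{'translated' if action == 'permit' else 'untranslated'} ({where})"


# The PAT list exactly as posted in the question.
ORIGINAL_PAT = """ip access-list extended PAT
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.160.0 0.0.0.255 any
 permit ip 192.168.161.0 0.0.0.255 any
 permit ip 192.168.162.0 0.0.0.255 any
"""

# The order proposed in the accepted answer.
REORDERED_PAT = """ip access-list extended PAT
 permit ip 192.168.160.0 0.0.0.255 any
 permit ip 192.168.161.0 0.0.0.255 any
 permit ip 192.168.162.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
"""

# The variant the question describes trying (a deny for the public /26 inserted as line 3).
# Writing 162.95.44.0/26 as wildcard 0.0.0.63 is my reconstruction, not text from the post.
EXEMPT_PAT = """ip access-list extended PAT
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.255.255 162.95.44.0 0.0.0.63
 permit ip 192.168.160.0 0.0.0.255 any
 permit ip 192.168.161.0 0.0.0.255 any
 permit ip 192.168.162.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Constructed sample flows: a LAN host to the public web server, to a VPN-pool
    # address behind the tunnels, and to an arbitrary Internet address (203.0.113.9 is TEST-NET-3).
    flows = [("192.168.161.5", "162.95.44.51"), ("192.168.161.5", "10.30.7.10"),
             ("192.168.161.5", "203.0.113.9")]
    for name, acl in (("original", ORIGINAL_PAT), ("reordered", REORDERED_PAT), ("exempt", EXEMPT_PAT)):
        for src, dst in flows:
            print(f"{name:9} {src} -> {dst}: {nat_decision(acl, src, dst)}")
```

Running it makes the ordering rule concrete: an entry is only consulted when both its source and its destination match, so a deny naming a narrow destination exempts just that destination and leaves the later permits reachable for everything else, whereas a deny placed after a broad "permit <source> any" is never reached for that source (in the reordered list, 192.168.161.5 -> 10.30.7.10 is translated at entry 2). In the exempt variant the flow to 162.95.44.51 leaves the router untranslated with its 192.168.161.5 source, which is exactly why rauenpc's return-path and ARP checks on the servers are the next thing to verify.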
