Rick-TL


Inbound NAT and ACL for Cisco 1941 Router with Multiple Public IP addresses

Hi Experts,

I am hoping that someone can assist me with this issue. I have been configuring Cisco routers and working with IOS for many years, but for some reason this particular router and configuration is giving me grief. I have searched the knowledge base and the web and believe that I have come up with several ways of doing what I am trying to achieve, but it does not appear to be working, even though I believe it to be a rather basic configuration.

Some Information about our setup and router:
Router: Cisco 1941  IOS Ver 15.1(4) M4
Lic: CISCO1941/K9

There are no options installed so we are using the basic G0/0 and G0/1

See attached for network diagram but what we are trying to do is:

WAN (G0/0) connected to ISP via Dialer 0 using PPPoE and assigned a STATIC IP (this works)
                       ISP have assigned us a block of routed public IPs /29 (not sure if this works)

LAN (G0/1) basic Class C LAN 192.168.20.0/24 ... with PCs and servers... This is OK and connected via a BASIC switch


On the LAN we have three servers that require certain ports opened and need to be able to send and receive data utilising IP addresses from the block of assigned public addresses.

So all PCs and any other devices can communicate using NAT and overload on any IP ... at this stage I am using the "FIXED" DHCP-assigned address of x.x.x.182/30 with overload.



Server 1 needs ports opened and needs to receive connections and send data on IP x.x.x.171
Server 2 needs ports opened and needs to receive connections and send data on IP x.x.x.170
Server 3 needs ports opened and needs to receive connections and send data on IP x.x.x.169

See Network Diagram for ports needed.

This may be detailed, but maybe we can start with some assistance on just getting one server to be accessed over one port... say Server 3 to be accessed via x.x.x.169.

So far all I can get working is the router connected to the ISP and computers on the LAN able to NAT out to the internet using the x.x.x.182 IP address.

Please see my Current Configuration attached.

I appreciate all your help as I can not see where I am going wrong...

I should mention that when I apply the config below I have no access to the Internet from any device, nor do I have access over the port that I am trying to open... although outbound connections appear to be getting established, nothing appears to be coming back in, not even return traffic... (after I clear the dynamic translations)... See translation info below the config...

TScisco1941# sh run
Building configuration...

Current configuration : 4512 bytes
!
! Last configuration change at 00:18:30 UTC Fri Feb 15 2013 by admin
! NVRAM config last updated at 22:29:09 UTC Thu Feb 14 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TScisco1941
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server a.a.a.35
ip name-server a.a.a.36
ip name-server 8.8.8.8
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
vpdn-group pppoe
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-797434279
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-797434279
 revocation-check none
 rsakeypair TP-self-signed-797434279
!
!
crypto pki certificate chain TP-self-signed-797434279
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 37393734 33343237 39301E17 0D313330 32313432 32323431
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3739 37343334
  32373930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CC598F4C 199A1335 2A26CC5B A217BAF0 90FCE8EB C01E7133 9C555BCE 2B8F0FC5
  02766084 15ACA1E0 356EAC75 D56E5AC6 DEDE6EA7 B0B69B82 6F7569C5 D6505190
  64FAEDAA C58F9103 5B2DA49E 07F1E1FF 4CE98CF7 AF2DB814 6DEAA57F A8CBA907
  F8346E45 65A308D0 358FE40F 1C89F92D 47BC555A C1B957C0 97F15385 30EBF00D
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 16801475 826C9F6D 4A8D2FF0 39755D7F C4913E54 A5D92C30 1D060355
  1D0E0416 04147582 6C9F6D4A 8D2FF039 755D7FC4 913E54A5 D92C300D 06092A86
  4886F70D 01010505 00038181 00A23A93 40A0BF1A 33BE8E70 164E4067 0BF1D06C
  71EEB8EE 572C4CA5 61322721 5BE204BB 0108874E 965DB39D 466126DF 617771BF
  3293FF36 5628AE4B 87B44698 CB8F81BB E5C2BE80 247126D4 40530A4A E5E09E13
  C228038D BB56B332 4D55F140 B38FA4EE 7295F50F 64E71E44 B2870037 1CA257CA
  AE780505 48A3DEA9 998ADC0F CD
        quit
license udi pid CISCO1941/K9 sn FGL164227A3
!
!
username admin privilege 15 password 0 adfadfadf
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description TPG Ethernet Link
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex full
 speed 100
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface GigabitEthernet0/1
 description *** TS LAN ***
 ip address 192.168.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip policy route-map labtech-map
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxx password 0 xxxxxxx
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool labtech-pool x.x.x.169 x.x.x.169 prefix-length 29
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map labtech-map pool labtech-pool overload
ip nat inside source static tcp 192.168.20.20 3389 x.x.x.169 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended labtech-acl
 permit tcp any any established
 permit tcp host 192.168.20.20 any
 permit tcp host x.x.x.169 host 192.168.20.20 eq 3389
!
access-list 1 deny   192.168.20.20
access-list 1 permit 192.168.20.0 0.0.0.255
!
route-map labtech-map permit 10
 match ip address labtech-acl
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 20 0
 password xxxxxxxxxxxxx
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 20 0
 password xxxxxxxxxxxxxxx
 transport input all
!
scheduler allocate 20000 1000
end

TScisco1941#




********************************

TScisco1941#show ip nat tra
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.x.169:3389 192.168.20.20:3389 ---              ---
udp x.x.x.182:22958 192.168.20.20:22958 122.106.126.242:34395 122.106.126.242:34395
tcp x.x.x.182:50763 192.168.20.20:50763 50.115.127.37:8080 50.115.127.37:8080
tcp x.x.x.182:50776 192.168.20.20:50776 216.52.233.131:443 216.52.233.131:443
tcp x.x.x.182:50780 192.168.20.20:50780 216.52.233.131:443 216.52.233.131:443
TScisco1941#clear ip nat tran
TScisco1941#clear ip nat translation *
TScisco1941#show ip nat tra
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.191.195.169:3389 192.168.20.20:3389 ---              ---
TScisco1941#

.... then we wait a few min... and we get this.... but still no inbound connections allowed... not even return traffic....


TScisco1941#show ip nat tra
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.191.195.169:3389 192.168.20.20:3389 ---              ---
tcp 203.191.195.169:50780 192.168.20.20:50780 216.52.233.131:443 216.52.233.131:443
tcp 203.191.195.169:50898 192.168.20.20:50898 50.115.127.37:80 50.115.127.37:80
tcp 203.191.195.169:50899 192.168.20.20:50899 50.115.127.37:8080 50.115.127.37:8080
tcp 203.191.195.169:50900 192.168.20.20:50900 50.115.127.36:443 50.115.127.36:443
TScisco1941#


Sorry for the very long post... But I am hoping that if I provide the info, it might be easier for someone to find an error in my config....
rauenpc

I don't think you need to define any nat pools for what you need. Just do the static nat translations for the servers and their ports, and let the overload statement catch any other outgoing traffic.

If you are still having problems, first make sure that you can use the other IPs at all. Maybe hook a laptop directly to the DSL modem and try to communicate with a non-"DHCP" address. I've run into issues in the past where I could only use the DHCP IP and I had to get the ISP involved to fix it.
Rick-TL

ASKER

Hi  rauenpc,

I have tried using basic NAT translations, but the issue I had there was that data would come in via one static IP address, but sometimes go out via the overload ip address... causing an issue. Maybe if you look at the network diagram of what we are trying to do it will provide a clearer picture.

I have a case open with the ISP to ensure that the block of IP addresses can be routed and also to verify that they are not blocking any ports... but they have assured me that the block is routed and no ports are blocked from their side. I also had an issue when I tried to do a simple NAT with an ACL for port 3389 using the Dialer0 interface fixed IP.

Also some other info attached.
TS-LAN.jpg
sh-ip-int-bri.txt.txt
sh-ip-int.txt.txt
Other-Info.txt.txt
The following documents may provide some ideas although I suspect you have already seen them:

Configuring Network Address Translation: Getting Started - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

Set up Port Address Translation (PAT) in the Cisco IOS - http://www.techrepublic.com/article/set-up-port-address-translation-pat-in-the-cisco-ios/1053789
Rick-TL

ASKER

Hi All,

Thank you for your help so far, but it looks like it was partly an ISP issue who had forgotten to advertise our IP address block (thanks for the tip rauenpc). So most issues are now resolved.

Although I would appreciate some assistance understanding ACLs and route maps to ensure that I am applying them correctly.... I have read a number of posts, but it appears I have not interpreted them correctly.

I have this information :


interface Dialer0
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip policy route-map labtech-map
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname zzzzzzzzzzz
 ppp chap password zzzzzzzzzz
 ppp pap sent-username zzzzzzzzzz password 0 zzzzzzzz
 no cdp enable

ip nat pool labtech-pool x.x.x.169 x.x.x.169 prefix-length 29
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map labtech-map pool labtech-pool overload
ip nat inside source static tcp 192.168.20.20 3389 x.x.x.169 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended labtech-acl
 permit tcp any any established
 permit tcp host x.x.x.169 host 192.168.20.20 eq 3389
 permit tcp host 192.168.20.20 any
!
access-list 1 deny   192.168.20.20
access-list 1 permit 192.168.20.0 0.0.0.255
!
route-map labtech-map permit 10
 match ip address labtech-acl


I am trying to use the route maps to do the following.

Generally All traffic should go out via the x.x.x.182 address
But server 192.168.20.20   should accept inbound connections on x.x.x.169 and talk outbound also via x.x.x.169.

I thought that applying an explicit deny for 192.168.20.20 on access-list 1, and then allowing traffic in the labtech-acl, would achieve this, but when I apply this config... the inbound 3389 connection works, but I have no outbound access from server 192.168.20.20.

As a test, if I remove the Deny in access-list 1... access to the internet will work, but traffic will flow out via x.x.x.182 and not the required x.x.x.169...

Just as an FYI... the ultimate aim is to have computers and most servers that do not require inbound connections communicate over the x.x.x.182 address, and then have a few servers, as per the attached image (TS-LAN) above, communicate using our statically assigned public IP addresses with port forwarding.

Thank you.
Rick-TL

ASKER

Hi Just an update,

We do not have the security licence on this device, it is only a 1941/K9... so we are not able to use ip inspect... so I am trying to do this by allowing established traffic to pass... but am not able to achieve this on the labtech-pool or the x.x.x.169 IP address.

I have also tried this config but still no good... Does anyone have any suggestions???


ip nat pool labtech-pool x.x.x.169 x.x.x.169 prefix-length 29
ip nat inside source list default-acl interface Dialer0 overload
ip nat inside source route-map labtech-map pool labtech-pool overload
ip nat inside source static tcp 192.168.20.20 3389 x.x.x.169 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended default-acl
 deny   tcp host 192.168.20.20 any
 permit tcp any any established
 permit ip any 192.168.20.0 0.0.0.255
ip access-list extended labtech-acl
 permit tcp host 192.168.20.20 any
!
route-map labtech-map permit 10
 match ip address labtech-acl

Again if I remove the explicit Deny it works but traffic goes out via x.x.x.182

Thank you.
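The configs posted above lean on `permit tcp any any established` as a substitute for `ip inspect`. The following is an added example (mine, not code from the thread or from Cisco) that models IOS ACL evaluation as I understand it: standard ACLs match on source only, extended entries match protocol, source, destination and an optional `eq` port, entries are tried top-down with the first match deciding and an implicit deny at the end, and `established` is satisfied by any TCP segment with the ACK or RST flag set, with no connection state kept. The three ACLs are copied from the last post; the packets fed through them are constructed test flows (the host addresses are taken from the translation table shown earlier in the thread, but the flows themselves are invented). Two things fall out: an unsolicited inbound segment with only ACK set is "established" as far as the ACL is concerned, and `permit ip any 192.168.20.0 0.0.0.255` matches on destination, so a flow sourced from the LAN toward the Internet does not hit that entry.

```python
"""Added example (not from the thread): first-match simulator for Cisco IOS
standard and extended ACL syntax, run against the ACLs posted above.
All Packet instances below are constructed test data."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False       # TCP ACK flag set
    rst: bool = False       # TCP RST flag set


def _take_addr(tok, i):
    """Consume one IOS address spec at tok[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    nxt = tok[i + 1] if i + 1 < len(tok) else ""
    if nxt.count(".") == 3:                      # address followed by a wildcard mask
        return (tok[i], nxt), i + 2
    return (tok[i], "0.0.0.0"), i + 1            # bare address behaves like 'host'


def _addr_match(spec, addr):
    """Wildcard semantics: 1 bits in the mask are ignored, 0 bits must match."""
    base, wild = spec
    if base == "any":
        return True
    w = int(IPv4Address(wild))
    return (int(IPv4Address(base)) | w) == (int(IPv4Address(addr)) | w)


def acl_permits(acl, pkt):
    """Evaluate entries top-down; the first match decides, implicit deny at the end."""
    for line in acl:
        tok = line.split()
        action = tok[0]
        if tok[1] in ("ip", "tcp", "udp", "icmp"):           # extended ACL entry
            proto = tok[1]
            src, i = _take_addr(tok, 2)
            dst, i = _take_addr(tok, i)
            opts = tok[i:]
            if proto != "ip" and proto != pkt.proto:
                continue
            if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
                continue
            if "eq" in opts and pkt.dport != int(opts[opts.index("eq") + 1]):
                continue
            # 'established' is a flag check only (ACK or RST set); no state is kept,
            # so any crafted segment with ACK set satisfies it.
            if "established" in opts and not (pkt.ack or pkt.rst):
                continue
        else:                                                  # standard ACL: source only
            src, _ = _take_addr(tok, 1)
            if not _addr_match(src, pkt.src):
                continue
        return action == "permit"
    return False                                               # implicit deny


# The three ACLs exactly as posted in the last message of the thread.
DEFAULT_ACL = [
    "deny   tcp host 192.168.20.20 any",
    "permit tcp any any established",
    "permit ip any 192.168.20.0 0.0.0.255",
]
LABTECH_ACL = ["permit tcp host 192.168.20.20 any"]
ACL_1 = ["deny   192.168.20.20", "permit 192.168.20.0 0.0.0.255"]


def classify(pkt):
    """Report which of the posted ACLs permit the packet."""
    return {
        "default-acl": acl_permits(DEFAULT_ACL, pkt),
        "labtech-acl": acl_permits(LABTECH_ACL, pkt),
        "acl-1": acl_permits(ACL_1, pkt),
    }


if __name__ == "__main__":
    # Constructed flows: a LAN PC opening an HTTPS session, the .20 server doing the
    # same, and an unsolicited inbound segment with only ACK set aimed at RDP.
    flows = {
        "pc_syn": Packet("tcp", "192.168.20.50", "50.115.127.37", 443),
        "srv_syn": Packet("tcp", "192.168.20.20", "50.115.127.37", 443),
        "ack_probe": Packet("tcp", "122.106.126.242", "192.168.20.20", 3389, ack=True),
    }
    for name, p in flows.items():
        print(name, classify(p))
```

An `ip nat inside source list` ACL is evaluated against the untranslated inside-to-outside packet, so the source is the LAN host and the destination is the Internet peer; that is why the PC's outbound SYN is permitted by access-list 1 but by none of the entries in default-acl, while the ACK probe from outside sails through `established`. The simulator is deliberately stateless, exactly like the keyword it models; nothing here substitutes for `ip inspect` or a zone-based firewall.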
ASKER CERTIFIED SOLUTION
Frabble