Solved

NAT Question

Posted on 2013-05-16
18
466 Views
Last Modified: 2013-05-30
Was asked about this and unsure - but here is the situation

I have a cisco router with 1 ISP (public ip 1.1.1.1) and 1 LAN interface (192.168.100.1). I have port forwarding setup so that port 8080 on 1.1.1.1 will go to a certain IP on the inside (192.168.100.5). All users are PAT'ed to the 1.1.1.1 address with the overload command for outbound connections.

What I need to happen is this - when a user inside (192.168.100.x) tried to access 1.1.1.1:8080 the router will need to nat him back inside and allow him to access that server

I accomplish this on an ASA by using the nat(inside,inside) command but unsure how to do this on a router or even what search parameters to use in google/cisco tech pages

any thoughts or help?
0
Comment
Question by:2knetworks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 8
18 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171144
this doesn't sound like a NAT/PAT issue.  you said you configured PAT already.  so when a user goes out, a translation entry is added to a nat translations table

show ip nat translation

what it sounds like is a stateful firewall issue since you are using a router it doesn't do it by default.  ASA's because they are meant to be firewalls most always have stateful features turned on out of the box.  IOS devices don't do this.  So when the 192.168.100.x client connects to 1.1.1.1:8080, it creates the translation entry because one doesn't exist but it also (I'm guessing) doesn't have an ACL applied to the inside interface in the inbound direction so the traffic is allowed.  The return traffic doesn't have an ACL that allows that packet specifically so it doesn't even get to the point where it looks up the nat translation entry to be able to get the packet back to the client.  Stateful firewalling dynamically creates those ACL entries to allow that return traffic because the original start of the "conversation" was allowed.

What you need to do is configure "inspection" and I would recommend using "zone based firewall" mechanism as that is the latest and most supported way to do firewalling on IOS devices.

Here is a doc outlining how to define zones, assign interfaces, create policies, and apply them.  https://supportforums.cisco.com/docs/DOC-27487

If you have any questions (which is most likely I'm guessing) please let me know and I'll try to answer any followup questions you have.
0
 

Author Comment

by:2knetworks
ID: 39171185
I will put this on a router and let you know how it works - sounds like I will just need to also put the inspect command on the inside zone then?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171236
you'll need to convert your current outside to inside to this as well so you'll be adding inspection there as well or it'll start getting denied.  zone based is much different than old style of simply creating an ACL and applying to an interface.

If you really don't want to do that, CBAC style (the style being replaced) should still be valid syntax so you could look into using that which only involves adding inspect statements to the config and might be easier for you to implement.

http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/

It's up to you whichever you think is better.  I just brought up zone based as I know that is the current way Cisco wants things to be done.
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 

Author Comment

by:2knetworks
ID: 39171589
So I tried the CBAC style for a quick attempt --did not work, the problem may be I am patting to the same address I am trying to access

the IP address does not show up in the IP nat translations

this is what shows
tcp GigabitEthernet0/0 _IP:55327    10.15.1.11:55327      xxxxxx:443      xxxxxx::443
tcp GigabitEthernet0/0 _IP:63491    10.15.1.11:63491      xxxxxx::443      xxxxxx::443


here are my nat statements

ip nat inside source list ls_acl interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.15.4.152 80 interface GigabitEthernet0/0 8087
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171669
CBAC doesn't care about PAT/NAT/DynNAT.  It all processes things in a way to make that a moot point (e.g. won't translate then evaluate return traffic so IPs are different and mess up lookup)

Can you post the ACLs you have and the CBAC you configured so far.
0
 

Author Comment

by:2knetworks
ID: 39171690
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp

interface GigabitEthernet0/0
ip access-group FIREWALL in

ip access-list extended FIREWALL
 permit ip any any


I am just starting with an any any ACL now to make sure I get it working before adding anything else
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171764
first off, if you are allowing all traffic, for routers you can just leave off the ACL "ip access-group" application and its the same thing

you created the inspect list but didn't apply it.  you need to apply it as the traffic is leaving the router.  so if G0/1 is the outside interface you'd do this

int g0/1
ip inspect firewall out

this will inspect the traffic as it is leaving that interface and record the necessary data for when the return traffic comes back.
0
 

Author Comment

by:2knetworks
ID: 39171799
sorry I do have the command on there - I did not copy it over

interface GigabitEthernet0/0
 ip address xxxxxxxxxxxxxxxxxxxxx
 ip access-group FIREWALL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 service-policy output SHAPE
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39172009
the name is case sensitive I'm pretty sure so if you used all caps applying it and all lowercase creating it, the ip inspect list you created actually never gets applied
0
 

Author Comment

by:2knetworks
ID: 39172603
ok so the case has now been corrected - and still same issue
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174466
well that's not good.  that should work.  please post config again.  also what device is this (model) and what IOS version are you running.  I'll try to get my routers at home semi-mirrored to yours to see if I can figure it out as based on what I see right now it all looks good.

finally before you do that try the audit-trail and debug stuff in that link I gave you earlier.  see if that helps at all.
0
 

Author Comment

by:2knetworks
ID: 39194123
ip nat inside source static tcp 10.15.4.10 80 interface GigabitEthernet0/0 8081
ip nat inside source list ls_acl interface GigabitEthernet0/0 overload

ip access-list extended FIREWALL
 permit ip any any

interface GigabitEthernet0/0
 ip address xxxxxxxxxxxxxxxxxx
 ip access-group FIREWALL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall_out out

ip inspect name firewall_out tcp
ip inspect name firewall_out udp




the audit trail debug never really showed it making a connection back in
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39196046
ok, well i'm sorry but I led you down the wrong road.  I've been looking over this for a few hours as it's irritating me now.  I know this is possible but its not the inspect thing (not saying that may not be part of the problem though as IOS acl's are stateless by default so inspects most likely are needed).  however, what I'm seeing is that your client will be translated but at that point it makes up its mind where it is forwarding.  The only way that the 1.1.1.1 gets translated to the inside server is if the packet is received on that 'ip nat outside' interface.  because it isn't actually being received there, it can't do it.  I got it working in my lab setup by switching the inside interface to an outside but then it breaks it for clients going out to anything else (so obviously no go on that one).

trying to figure out how to do a destination nat for packets being received on the inside interface but calling it quits for tonight.  just figured I give ya an update and to say I'm not leaving you out to dry
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39196101
Been looking at another way to doing nat:  domain-less.

http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/

looks like it'll solve your problem but haven't fully tested it out yet to ensure no side effects.  will let you know later.  way past bed time at this point.  :)
0
 

Author Comment

by:2knetworks
ID: 39208885
any update?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39208906
sorry, planning on testing this further tonight.  just been slammed with work and family lately I haven't had a chance to look at it again.  Have some time tonight after work though.
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39209722
ok, from my tests everything works good by using the NVI (or domain-less as that link I gave calls it) NAT config instead of using inside/outside nat statements

what you do is replace 'ip nat inside' and 'ip nat outside' with 'ip nat enable'
then redo the 'ip nat inside source...' and just remove the 'inside' word, everything else the same.

this will allow all natting to happen the way you are wanting because it changes how nat works.

old style  requires a packet to flow thru the router in order to have nat'ing happen.  this is fine if we are having an internal host connect to an external host or vice versa, but not if we try to have an internal client talk to an internal server via router nat.  The reason is that when inside nat happens, a routing decision is made before the nat happens.  Thus it is already committing to sending it out the outside interface.  Of course then it doesn't really have anywhere to send it since it can't take it back in.  So it gets dropped.

the new way involves taking packets into the router and using nat that will actually forward packets to an NVI, NAT Virtual Interface.  This solves the previous problem because a routing decision is made, then nat happens, then routing is done again.  This allows for a client to forward to the router and have the client be natted to an "outside" IP and then also have the "outside" server IP natted to the internal server and finally forwarded back out the inside interface because of the routing being relooked at after it comes out of the NVI interface which is after all natting happens.

hope that explains it.  with that said, this is kind of a big change to the way you're doing NAT so make sure to backup your entire config and to have local (or even console access) to the router just in case things go wrong.  They shouldn't but lets face it, in IT, nothing is guaranteed and theory doesn't always meet reality so its best to play it safe.
0
 

Author Closing Comment

by:2knetworks
ID: 39209819
very helpful and well put
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Suggested Courses
Course of the Month3 days, 14 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question