NAT Question

Posted on 2013-05-16
Last Modified: 2013-05-30
Was asked about this and unsure - but here is the situation

I have a cisco router with 1 ISP (public ip 1.1.1.1) and 1 LAN interface (192.168.100.1). I have port forwarding setup so that port 8080 on 1.1.1.1 will go to a certain IP on the inside (192.168.100.5). All users are PAT'ed to the 1.1.1.1 address with the overload command for outbound connections.

What I need to happen is this: when a user inside (192.168.100.x) tries to access 1.1.1.1:8080, the router will need to NAT him back inside and allow him to access that server.

I accomplish this on an ASA by using the nat (inside,inside) command, but I'm unsure how to do this on a router, or even what search parameters to use in Google/Cisco tech pages.

Any thoughts or help?
Question by:2knetworks

Expert Comment

by:Cyclops3590
This doesn't sound like a NAT/PAT issue. You said you configured PAT already, so when a user goes out, a translation entry is added to the NAT translations table:

show ip nat translation

What it sounds like is a stateful firewall issue; since you are using a router, it doesn't do it by default. ASAs, because they are meant to be firewalls, almost always have stateful features turned on out of the box. IOS devices don't do this. So when the 192.168.100.x client connects to 1.1.1.1:8080, it creates the translation entry because one doesn't exist, but it also (I'm guessing) doesn't have an ACL applied to the inside interface in the inbound direction, so the traffic is allowed. The return traffic doesn't have an ACL that allows that packet specifically, so it doesn't even get to the point where it looks up the NAT translation entry to be able to get the packet back to the client. Stateful firewalling dynamically creates those ACL entries to allow that return traffic because the original start of the "conversation" was allowed.

What you need to do is configure "inspection", and I would recommend using the "zone based firewall" mechanism, as that is the latest and most supported way to do firewalling on IOS devices.

Here is a doc outlining how to define zones, assign interfaces, create policies, and apply them: https://supportforums.cisco.com/docs/DOC-27487

If you have any questions (which is most likely, I'm guessing), please let me know and I'll try to answer any follow-up questions you have.
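The zone-based firewall setup the comment above describes, written out as an added example; it is not from the original thread or from the linked Cisco document. It assumes GigabitEthernet0/1 is the LAN interface and GigabitEthernet0/0 the ISP-facing one, and that the 1.1.1.1:8080 forward lands on 192.168.100.5 port 8080 (the inside port is not stated in the question). The zone, class-map, policy-map and ACL names (INSIDE, CM-IN-TO-OUT, ACL-FWD-WEB and so on) are made up for the example.

```cisco
! Added example, not the poster's config. Assumes G0/1 = LAN, G0/0 = ISP,
! and that 1.1.1.1:8080 is forwarded to 192.168.100.5:8080.
!
! 1. Define the two zones.
zone security INSIDE
zone security OUTSIDE
!
! 2. Outbound policy: inspect what the LAN initiates so the replies are
!    admitted statefully; anything else falling into class-default is dropped.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
!
! 3. Inbound policy: only the port-forwarded service. For outside-to-inside
!    traffic ZBF evaluates the packet after NAT, so the ACL must match the
!    inside (post-NAT) address, not 1.1.1.1.
ip access-list extended ACL-FWD-WEB
 permit tcp any host 192.168.100.5 eq 8080
class-map type inspect match-all CM-OUT-TO-IN
 match access-group name ACL-FWD-WEB
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-IN
  inspect
 class class-default
  drop log
!
! 4. Bind each policy to a directional zone pair.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
!
! 5. Put the interfaces into their zones last (see note below).
interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Verification:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Apply the zone-member lines last: the moment an interface joins a zone, traffic between it and any interface in a different zone is dropped until a zone-pair policy permits it, so having the policies in place first avoids cutting LAN clients off mid-change. Traffic to and from the router itself (the self zone) is still allowed by default, so management access survives. Note also that traffic entering and leaving through interfaces in the same zone is passed without inspection, so a policy like this neither blocks nor helps a hairpinned LAN-to-LAN flow; it only replaces the stateless ACL for traffic that actually crosses between zones.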
Author Comment

by:2knetworks
I will put this on a router and let you know how it works. Sounds like I will just need to also put the inspect command on the inside zone then?
Expert Comment

by:Cyclops3590
You'll need to convert your current outside to inside to this as well, so you'll be adding inspection there too or it'll start getting denied. Zone based is much different than the old style of simply creating an ACL and applying it to an interface.

If you really don't want to do that, CBAC style (the style being replaced) should still be valid syntax, so you could look into using that, which only involves adding inspect statements to the config and might be easier for you to implement.

http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/

It's up to you, whichever you think is better. I just brought up zone based as I know that is the current way Cisco wants things to be done.
Author Comment

by:2knetworks
So I tried the CBAC style for a quick attempt; it did not work. The problem may be that I am PATing to the same address I am trying to access.

The IP address does not show up in the IP NAT translations.

This is what shows:
tcp GigabitEthernet0/0 _IP:55327    10.15.1.11:55327      xxxxxx:443      xxxxxx::443
tcp GigabitEthernet0/0 _IP:63491    10.15.1.11:63491      xxxxxx::443      xxxxxx::443


Here are my NAT statements:

ip nat inside source list ls_acl interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.15.4.152 80 interface GigabitEthernet0/0 8087
Expert Comment

by:Cyclops3590
CBAC doesn't care about PAT/NAT/dynamic NAT. It all processes things in a way that makes that a moot point (e.g. it won't translate, then evaluate return traffic so the IPs are different and mess up the lookup).

Can you post the ACLs you have and the CBAC you configured so far?
Author Comment

by:2knetworks
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp

interface GigabitEthernet0/0
ip access-group FIREWALL in

ip access-list extended FIREWALL
 permit ip any any


I am just starting with an any/any ACL now to make sure I get it working before adding anything else.
Expert Comment

by:Cyclops3590
First off, if you are allowing all traffic, for routers you can just leave off the ACL "ip access-group" application and it's the same thing.

You created the inspect list but didn't apply it. You need to apply it as the traffic is leaving the router. So if G0/1 is the outside interface, you'd do this:

int g0/1
ip inspect firewall out

This will inspect the traffic as it is leaving that interface and record the necessary data for when the return traffic comes back.
Author Comment

by:2knetworks
Sorry, I do have the command on there; I did not copy it over.

interface GigabitEthernet0/0
 ip address xxxxxxxxxxxxxxxxxxxxx
 ip access-group FIREWALL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 service-policy output SHAPE
Expert Comment

by:Cyclops3590
The name is case sensitive, I'm pretty sure, so if you used all caps applying it and all lowercase creating it, the ip inspect list you created actually never gets applied.
Author Comment

by:2knetworks
OK, so the case has now been corrected, and still the same issue.
Expert Comment

by:Cyclops3590
Well, that's not good. That should work. Please post the config again. Also, what device is this (model) and what IOS version are you running? I'll try to get my routers at home semi-mirrored to yours to see if I can figure it out, as based on what I see right now it all looks good.

Finally, before you do that, try the audit-trail and debug stuff in that link I gave you earlier. See if that helps at all.
Author Comment

by:2knetworks
ip nat inside source static tcp 10.15.4.10 80 interface GigabitEthernet0/0 8081
ip nat inside source list ls_acl interface GigabitEthernet0/0 overload

ip access-list extended FIREWALL
 permit ip any any

interface GigabitEthernet0/0
 ip address xxxxxxxxxxxxxxxxxx
 ip access-group FIREWALL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall_out out

ip inspect name firewall_out tcp
ip inspect name firewall_out udp

The audit trail debug never really showed it making a connection back in.
Expert Comment

by:Cyclops3590
OK, well, I'm sorry, but I led you down the wrong road. I've been looking over this for a few hours as it's irritating me now. I know this is possible, but it's not the inspect thing (not saying that may not be part of the problem though, as IOS ACLs are stateless by default, so inspects most likely are needed). However, what I'm seeing is that your client will be translated, but at that point it has made up its mind where it is forwarding. The only way that 1.1.1.1 gets translated to the inside server is if the packet is received on that 'ip nat outside' interface. Because it isn't actually being received there, it can't do it. I got it working in my lab setup by switching the inside interface to an outside, but then it breaks it for clients going out to anything else (so obviously no go on that one).

Trying to figure out how to do a destination NAT for packets being received on the inside interface, but calling it quits for tonight. Just figured I'd give ya an update and say I'm not leaving you out to dry.
Expert Comment

by:Cyclops3590
Been looking at another way of doing NAT: domain-less.

http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/

Looks like it'll solve your problem, but I haven't fully tested it out yet to ensure there are no side effects. Will let you know later. Way past bed time at this point. :)
Author Comment

by:2knetworks
Any update?
Expert Comment

by:Cyclops3590
Sorry, planning on testing this further tonight. Just been slammed with work and family lately; I haven't had a chance to look at it again. Have some time tonight after work though.
Accepted Solution

by:Cyclops3590 (earned 500 total points)
OK, from my tests everything works well by using the NVI (or domain-less, as that link I gave calls it) NAT config instead of using inside/outside NAT statements.

What you do is replace 'ip nat inside' and 'ip nat outside' with 'ip nat enable', then redo the 'ip nat inside source...' statements and just remove the 'inside' word, everything else the same.

This will allow all NATing to happen the way you are wanting, because it changes how NAT works.

The old style requires a packet to flow through the router in order for NATing to happen. This is fine if we are having an internal host connect to an external host or vice versa, but not if we try to have an internal client talk to an internal server via router NAT. The reason is that when inside NAT happens, a routing decision is made before the NAT happens. Thus it is already committed to sending it out the outside interface. Of course, then it doesn't really have anywhere to send it since it can't take it back in, so it gets dropped.

The new way involves taking packets into the router and using NAT that will actually forward packets to an NVI, NAT Virtual Interface. This solves the previous problem because a routing decision is made, then NAT happens, then routing is done again. This allows a client to forward to the router and have the client be NATed to an "outside" IP, then also have the "outside" server IP NATed to the internal server, and finally be forwarded back out the inside interface, because the routing is re-evaluated after it comes out of the NVI interface, which is after all NATing happens.

Hope that explains it. With that said, this is kind of a big change to the way you're doing NAT, so make sure to back up your entire config and have local (or even console) access to the router just in case things go wrong. They shouldn't, but let's face it, in IT nothing is guaranteed and theory doesn't always meet reality, so it's best to play it safe.
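The accepted answer's change written out as configuration, before and after, as an added example; it is not the poster's own config or anything from Cisco's documentation. The interface GigabitEthernet0/0, the ACL name ls_acl and the 10.15.4.10:80 to :8081 static forward are taken from the thread. The LAN interface name GigabitEthernet0/1 is assumed, and ls_acl is assumed to permit the LAN client's source address (it must, or the hairpinned flow is never translated).

```cisco
! Added example, not the poster's config. Assumes G0/1 = LAN; G0/0, ls_acl
! and the 10.15.4.10:80 -> G0/0:8081 forward are from the thread.
!
! --- Before: domain-based NAT (inside/outside).
!     A LAN client sending to G0/0's address:8081 arrives on an "inside"
!     interface, is routed toward G0/0 before inside-source NAT runs, and
!     the static entry (which only matches on an "outside" ingress) never
!     fires, so the packet is dropped.
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip nat inside source list ls_acl interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.15.4.10 80 interface GigabitEthernet0/0 8081
!
! --- After: NVI (domain-less) NAT.
!     Drop the direction keywords, enable NAT on both interfaces, and remove
!     the word "inside" from the translation rules. With NVI the packet is
!     routed, translated (source and destination), then routed again, so
!     the hairpinned flow ends up back out G0/1 toward 10.15.4.10.
interface GigabitEthernet0/0
 no ip nat outside
 ip nat enable
interface GigabitEthernet0/1
 no ip nat inside
 ip nat enable
no ip nat inside source list ls_acl interface GigabitEthernet0/0 overload
no ip nat inside source static tcp 10.15.4.10 80 interface GigabitEthernet0/0 8081
ip nat source list ls_acl interface GigabitEthernet0/0 overload
ip nat source static tcp 10.15.4.10 80 interface GigabitEthernet0/0 8081
!
! --- Verify: from a LAN host connect to <G0/0 address>:8081, then
!   show ip nat nvi translations
!   show ip nat nvi statistics
! The NVI table keeps source and destination columns in one entry; the
! hairpinned flow shows the client translated to G0/0's address on the
! source side and G0/0:8081 mapped to 10.15.4.10:80 on the destination side.
```

Two things to check before calling it done. First, the LAN client's source is translated to G0/0's address as part of the hairpin (that is what makes the server's reply come back through the router rather than going straight to the client and breaking the TCP session), so the internal server will log every internal client as the router's public address; if the server's logs or its own access controls need real client addresses, point internal clients at 10.15.4.10 directly with split DNS instead of hairpinning. Second, `ip nat source static` exposes 10.15.4.10:80 to the Internet on G0/0:8081 exactly as the inside/outside form did, and an inbound ACL of `permit ip any any` on G0/0 filters nothing, so the forward still needs an inbound ACL or an inspection policy that restricts who can reach it.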
Author Closing Comment

by:2knetworks
Very helpful and well put.