David_Blumberg
asked on
Cisco IP NAT Translation not working
We are trying to connect externally to servers and the network translation is not working:
Cisco 4000 Series router
sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 174.77.80.xx:8001 192.168.2.45:8001 --- ---
tcp 174.77.80.xx:4550 192.168.2.52:4550 --- ---
tcp 174.77.80.xx:8003 192.168.2.47:8003 --- ---
Config
ip nat inside source static tcp 192.168.2.52 4550 174.77.80.xx 4550 extendable
ip nat inside source static tcp 192.168.2.45 8001 174.77.80.xx 8001 extendable
ip nat inside source static tcp 192.168.2.46 8002 174.77.80.xx 8002 extendable
ip nat inside source static tcp 192.168.2.47 8003 174.77.80.xx 8003
ip access-list extended server1
permit ip any host 192.168.2.45
ip access-list extended server2
permit ip any host 192.168.2.46
ip access-list extended server3
permit ip any host 192.168.2.47
access-list 127 permit tcp any host 174.77.80.xx eq 8001
access-list 127 permit tcp any host 174.77.80.xx eq 8002
access-list 127 permit tcp any host 174.77.80.xx eq 8003
access-list 127 permit tcp any host 174.77.80.xx eq 4005
access-list 127 permit tcp any host 174.77.80.xx eq 4550
Any thoughts? I can ping the local IP addresses from the router.
ASKER
No luck
Can you post the results of "sh ip route"?
Also, does your WAN interface have "ip nat outside"?
Is it possible for you to post your config?
Where are those ACLs applied?
Your NAT looks good. You don't really need keyword extendable if you are doing static PAT.
Post config?
ASKER
Here is the sh ip route output and the config for the external port
RTR#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 174.77.80.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 174.77.80.xx
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/30 is directly connected, Loopback1
L 10.10.10.1/32 is directly connected, Loopback1
174.77.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 174.77.80.xx/28 is directly connected, GigabitEthernet0/0/0
L 174.77.80.xx/32 is directly connected, GigabitEthernet0/0/0
L 174.77.80.xx/32 is directly connected, GigabitEthernet0/0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0/1.300
L 192.168.1.1/32 is directly connected, GigabitEthernet0/0/1.300
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/0/1.1
L 192.168.2.1/32 is directly connected, GigabitEthernet0/0/1.1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/0/1.100
L 192.168.10.1/32 is directly connected, GigabitEthernet0/0/1.100
192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.15.0/24 is directly connected, GigabitEthernet0/0/1.150
L 192.168.15.1/32 is directly connected, GigabitEthernet0/0/1.150
RTR#sh run int g0/0/0
Building configuration...
Current configuration : 238 bytes
!
interface GigabitEthernet0/0/0
ip address 174.77.80.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security internet
negotiation auto
no cdp enable
ip virtual-reassembly
end
RTR#
I have also enclosed the config
rtrconfig.txt
ASKER
Yeah, we have used some of the config; we switched the ACL to local and it is working. Thank you both
Glad it's working. If you want to clean some stuff up you can also get rid of
zone security LAN
zone security WAN
they aren't being applied to anything and because you're using
zone security lan
zone security internet
for ZBFW
ip access-list extended server1
permit ip 192.168.2.45 0.0.0.255 any
etc.
Edit: You could probably add all three under one access-list but not seeing your entire config I can't say that for sure
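An added example, not from the thread or from Cisco: a small Python checker that cross-references the static PAT lines, access-list 127 and the "sh ip nat trans" output posted above. It flags the ACL port with no matching NAT entry (4005), the configured static entry that is absent from the translation table (8002), and emits the inside-local form of the ACL that the asker switched to. The function names are mine, and the addresses are the thread's with the masked octet replaced by a constructed value.

```python
import re
# Constructed sample modelled on the thread's config and "sh ip nat trans" output;
# the masked "xx" octet is replaced by a constructed value (174.77.80.10).
CONFIG = """\
ip nat inside source static tcp 192.168.2.52 4550 174.77.80.10 4550 extendable
ip nat inside source static tcp 192.168.2.45 8001 174.77.80.10 8001 extendable
ip nat inside source static tcp 192.168.2.46 8002 174.77.80.10 8002 extendable
ip nat inside source static tcp 192.168.2.47 8003 174.77.80.10 8003
access-list 127 permit tcp any host 174.77.80.10 eq 8001
access-list 127 permit tcp any host 174.77.80.10 eq 8002
access-list 127 permit tcp any host 174.77.80.10 eq 8003
access-list 127 permit tcp any host 174.77.80.10 eq 4005
access-list 127 permit tcp any host 174.77.80.10 eq 4550
"""
TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local  Outside global
tcp 174.77.80.10:8001  192.168.2.45:8001  ---            ---
tcp 174.77.80.10:4550  192.168.2.52:4550  ---            ---
tcp 174.77.80.10:8003  192.168.2.47:8003  ---            ---
"""
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list \d+ permit (tcp|udp) any host (\S+) eq (\d+)")
XLATE_RE = re.compile(r"^(tcp|udp) (\S+):(\d+)\s+(\S+):(\d+)")

def parse_static_nat(config):
    """(proto, inside-global ip, port) -> (inside-local ip, port) for each static PAT line."""
    return {(m[1], m[4], int(m[5])): (m[2], int(m[3])) for m in map(NAT_RE.match, config.splitlines()) if m}

def parse_acl(config):
    """Set of (proto, destination host, port) permitted by the numbered ACL."""
    return {(m[1], m[2], int(m[3])) for m in map(ACL_RE.match, config.splitlines()) if m}

def audit(config, translations):
    """Cross-check static PAT lines against the ACL and the live translation table."""
    nat, acl = parse_static_nat(config), parse_acl(config)
    live = {(m[1], m[2], int(m[3])) for m in map(XLATE_RE.match, translations.splitlines()) if m}
    findings = []
    for proto, gip, port in sorted(nat):
        if (proto, gip, port) not in acl:
            findings.append(f"no ACL line permits {proto}/{port} to {gip}")
        if (proto, gip, port) not in live:   # a static entry should always be in the table
            findings.append(f"static NAT {proto}/{port} configured but missing from the translation table")
    for proto, gip, port in sorted(acl - set(nat)):
        findings.append(f"ACL permits {proto}/{port} to {gip} but no static NAT maps that port")
    return findings

def acl_on_local_addresses(config):
    """Rewrite the global-address ACL lines to inside-local addresses, as the thread's fix did."""
    nat = parse_static_nat(config)
    return [f"permit {k[0]} any host {nat[k][0]} eq {nat[k][1]}" for k in sorted(parse_acl(config)) if k in nat]
```

The rewritten lines are what a policy evaluated after translation (the inside interface or a ZBFW class-map) needs, while an inbound ACL on the outside interface still sees the inside-global address.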