RE: Static NAT

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Dec 16 2005 - 17:34:48 GMT-3


Is that the right subnet mask on your point-to-point link? Your NAT pool is outside that subnet, are you sure the remote devices have a route back to the network you are translating to? Also the addresses 70.232.137.179 and 70.232.137.180 technically aren't valid because they are the directed broadcast address and network address for the networks 70.232.137.176/30 and 70.232.137.180/30 respectively. It's possible the NAT process is discarding traffic to them for this reason, but I'm not sure. Why don't you just have all three of the static translations point to .178?

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
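
The two address checks raised in the reply above, as an added example that is not part of the original e-mails: it parses the NAT lines of the posted configuration (embedded below as constructed input) and reports, for each static inside-global address, whether it lies on the outside link's subnet and whether it is a network or broadcast address. The classification is done at the link's /30 mask, which gives the boundaries named in the reply, and, as an addition for comparison, at the pool's netmask from the same configuration; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the NAT-related lines from the configuration posted in this thread.
CONFIG = """\
interface Serial0.642 point-to-point
 ip address 70.255.44.178 255.255.255.252
 ip nat outside
ip nat pool paauto 70.232.137.181 70.232.137.190 netmask 255.255.255.240
ip nat inside source static tcp 192.168.1.98 5901 70.232.137.179 5901 extendable
ip nat inside source static tcp 192.168.1.99 5900 70.232.137.180 5900 extendable
ip nat inside source static tcp 192.168.1.15 80 70.232.137.178 80 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (?:tcp|udp) \S+ \d+ (\S+) (\d+)", re.M)
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip nat pool \S+ (\S+) (\S+) netmask (\S+)", re.M)


def role(addr, prefixlen):
    """Classify addr within the subnet of the given prefix length that contains it."""
    net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
    ip = ipaddress.ip_address(addr)
    if ip == net.network_address:
        return f"network address of {net}"
    if ip == net.broadcast_address:
        return f"broadcast address of {net}"
    return f"host in {net}"


def audit(config):
    """Return {inside-global address: findings} for each static NAT entry."""
    if_addr, if_mask = ADDR_RE.search(config).groups()
    outside = ipaddress.ip_interface(f"{if_addr}/{if_mask}").network
    _, _, pool_mask = POOL_RE.search(config).groups()
    pool_len = ipaddress.ip_network(f"0.0.0.0/{pool_mask}").prefixlen
    report = {}
    for addr, _port in STATIC_RE.findall(config):
        report[addr] = {
            "on_outside_link": ipaddress.ip_address(addr) in outside,
            "at_link_mask": role(addr, outside.prefixlen),
            "at_pool_mask": role(addr, pool_len),
        }
    return report


if __name__ == "__main__":
    for addr, findings in audit(CONFIG).items():
        print(addr, findings)
```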

________________________________________
From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
Sent: Friday, December 16, 2005 2:12 PM
To: Brian McGahan; ccielab@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: RE: Static NAT

 
interface FastEthernet0
 description TO LOCAL LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0.642 point-to-point
 ip address 70.255.44.178 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 667 IETF
!
ip nat pool paauto 70.232.137.181 70.232.137.190 netmask 255.255.255.240
ip nat inside source list 121 pool paauto overload
ip nat inside source static tcp 192.168.1.98 5901 70.232.137.179 5901 extendable
ip nat inside source static tcp 192.168.1.99 5900 70.232.137.180 5900 extendable
ip nat inside source static tcp 192.168.1.15 80 70.232.137.178 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 70.255.44.177
ip http server
!
access-list 121 permit ip 192.168.1.0 0.0.0.255 any
 
 
 
-------------- Original message --------------
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>

> Do you have any access-list config? Post the entire router config excluding any
> sensitive info.
>
> ________________________________________
> From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> Sent: Friday, December 16, 2005 1:35 PM
> To: Brian McGahan; ccielab@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: Static NAT
>
>
> yeh, i had looked at that earlier and no response.
>
> One thing from customer LAN on 192.168.1.0 network he can connect to the
> 192.168.1.15..
>
> cecil
>
> -------------- Original message --------------
> From: "Brian McGahan"
>
> > Traceroute is not a good indication as it is (usually) UDP based. Telnet to
> > 70.232.137.178 at port 80, 70.232.137.180 at port 5900, and 70.232.137.179 at
> > port 5901 and see if you get an open connection.
> >
> >
> > HTH,
> >
> > ________________________________________
> > From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> > Sent: Friday, December 16, 2005 1:14 PM
> > To: Brian McGahan; ccielab@groupstudy.com
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Static NAT
> >
> > when I traceroute from outside, the trace stops on the routes.
> >
> > Sometimes the translations does show the translations.
> >
> > Customer these devices behind a DMZ at some of his other locations, should these
> > ips behind DMZ on this router. it is a cisco 1721
> >
> >
> > tcp 70.232.137.178:80 192.168.1.15:80 68.90.107.195:1241 68.90.107.195:1241
> >
> > -------------- Original message --------------
> > From: "Brian McGahan"
> >
> > > What's the problem then? These are your static entries:
> > >
> > > Pro Inside global Inside local Outside local Outside global
> > > tcp 70.232.137.178:80 192.168.1.15:80 --- ---
> > > tcp 70.232.137.180:5900 192.168.1.99:5900 --- ---
> > > tcp 70.232.137.179:5901 192.168.1.98:5901 --- ---
> > >
> > > Have you tried to reach these hosts from the outside?
> > >
> > > ________________________________________
> > > From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> > > Sent: Friday, December 16, 2005 12:35 PM
> > > To: Brian McGahan; ccielab@groupstudy.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: RE: Static NAT
> > >
> > >
> > >
> > > abscom64#sh ip nat translations
> > > Pro Inside global Inside local Outside local Outside global
> > > udp 70.232.137.183:1028 192.168.1.84:1028 216.133.229.54:3527 216.133.229.54:3527
> > > tcp 70.232.137.183:1075 192.168.1.84:1075 216.133.229.54:1433 216.133.229.54:1433
> > > tcp 70.232.137.178:80 192.168.1.15:80 --- ---
> > > tcp 70.232.137.183:1047 192.168.1.84:1047 65.169.19.139:80 65.169.19.139:80
> > > tcp 70.232.137.183:1500 192.168.1.84:1500 216.133.229.54:1801 216.133.229.54:1801
> > > tcp 70.232.137.183:1502 192.168.1.84:1502 216.133.229.54:1801 216.133.229.54:1801
> > > udp 70.232.137.183:1028 192.168.1.84:1028 64.42.224.193:3527 64.42.224.193:3527
> > > tcp 70.232.137.183:1499 192.168.1.84:1499 64.42.224.193:1801 64.42.224.193:1801
> > > tcp 70.232.137.183:1501 192.168.1.84:1501 64.42.224.193:1801 64.42.224.193:1801
> > > tcp 70.232.137.183:1503 192.168.1.84:1503 64.42.224.193:1801 64.42.224.193:1801
> > > tcp 70.232.137.180:5900 192.168.1.99:5900 --- ---
> > > tcp 70.232.137.179:5901 192.168.1.98:5901 --- ---
> > > abscom64#
> > >
> > > -------------- Original message --------------
> > > From: "Brian McGahan"
> > >
> > > > You can do both at the same time. Post the "show ip nat translations"
> > > > output.
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of cejackson1@comcast.net
> > > > > Sent: Friday, December 16, 2005 12:17 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Static NAT
> > > > >
> > > > > if i have the inside nat statement on e0/0 and out side on s0/0
> > > > >
> > > > > the nat pool is working but the static entries are not?
> > > > >
> > > > > suggestion
> > > > >
> > > > >
> > > > > ip nat pool paauto 70.232.137.181 70.232.137.190 netmask 255.255.255.240
> > > > > ip nat inside source list 121 pool paauto overload
> > > > >
> > > > > ip nat inside source static tcp 192.168.1.98 5901 70.232.137.179 5901 extendable
> > > > > ip nat inside source static tcp 192.168.1.99 5900 70.232.137.180 5900 extendable
> > > > > ip nat inside source static tcp 192.168.1.15 80 70.232.137.178 80 extendable
> > > > >
> > > > > ip classless
> > > > > ip route 0.0.0.0 0.0.0.0 70.255.44.177
> > > > > ip http server
> > > > > !
> > > > > access-list 121 permit ip 192.168.1.0 0.0.0.255 any
> > > > > !
> > > > >
> > > > >
> > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3