RE: Static NAT

From: cejackson1@comcast.net
Date: Fri Dec 16 2005 - 18:23:09 GMT-3


I tried making the changes that you suggested, but no change. Odd thing is that yesterday, when I first set this up, it worked.

Here is the output from debug ip nat detailed while trying to connect from the internet on IP 178.
When you try to connect to the internet to 70.232.137.178 nat trans shows:
tcp 70.232.137.178:80 192.168.1.15:80 68.90.107.195:4951 68.90.107.195:4951
tcp 70.232.137.178:80 192.168.1.15:80 68.90.107.195:4971 68.90.107.195:4971
When I turn debug on and try to connect to internet to ip 70.232.137.178

abscom64#debug ip nat detailed
IP NAT detailed debugging is on
abscom64#
*Mar 1 03:19:30.111: NAT: o: tcp (68.90.107.195, 1233) -> (70.232.137.178, 80) [6040]
*Mar 1 03:19:30.111: NAT: s=68.90.107.195, d=70.232.137.178->192.168.1.15 [6040]
*Mar 1 03:19:33.055: NAT: o: tcp (68.90.107.195, 1233) -> (70.232.137.178, 80) [6043]
*Mar 1 03:19:33.059: NAT: s=68.90.107.195, d=70.232.137.178->192.168.1.15 [6043]
*Mar 1 03:19:39.091: NAT: o: tcp (68.90.107.195, 1233) -> (70.232.137.178, 80) [6046]
*Mar 1 03:19:39.091: NAT: s=68.90.107.195, d=70.232.137.178->192.168.1.15 [6046]
*Mar 1 03:19:40.635: NAT: o: tcp (68.90.107.195, 1234) -> (70.232.137.178, 80) [6049]
*Mar 1 03:19:40.635: NAT: s=68.90.107.195, d=70.232.137.178->192.168.1.15 [6049]
*Mar 1 03:19:43.619: NAT: o: tcp (68.90.107.195, 1234) -> (70.232.137.178, 80) [6056]
*Mar 1 03:19:43.619: NAT: s=68.90.107.195, d=70.232.137.178->192.168.1.15 [6056]
-------------- Original message --------------
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>

> Is that the right subnet mask on your point-to-point link? Your NAT
> pool is outside that subnet, are you sure the remote devices have a route back
> to the network you are translating to? Also the addresses 70.232.137.179 and
> 70.232.137.180 technically aren't valid because they are the directed broadcast
> address and network address for the networks 70.232.137.176/30 and
> 70.232.137.180/30 respectively. It's possible the NAT process is discarding
> traffic to them for this reason, but I'm not sure. Why don't you just have all
> three of the static translations point to .178?
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
> ________________________________________
> From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> Sent: Friday, December 16, 2005 2:12 PM
> To: Brian McGahan; ccielab@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: Static NAT
>
>
> interface FastEthernet0
> description TO LOCAL LAN
> ip address 192.168.1.1 255.255.255.0
> ip nat inside
> speed auto
> !
> interface Serial0
> no ip address
> encapsulation frame-relay IETF
> no fair-queue
> service-module t1 timeslots 1-24
> frame-relay lmi-type ansi
> !
> interface Serial0.642 point-to-point
> ip address 70.255.44.178 255.255.255.252
> ip nat outside
> frame-relay interface-dlci 667 IETF
> !
> ip nat pool paauto 70.232.137.181 70.232.137.190 netmask 255.255.255.240
> ip nat inside source list 121 pool paauto overload
> ip nat inside source static tcp 192.168.1.98 5901 70.232.137.179 5901 extendable
> ip nat inside source static tcp 192.168.1.99 5900 70.232.137.180 5900 extendable
> ip nat inside source static tcp 192.168.1.15 80 70.232.137.178 80 extendable
> ip classless
> ip route 0.0.0.0 0.0.0.0 70.255.44.177
> ip http server
> !
> access-list 121 permit ip 192.168.1.0 0.0.0.255 any
>
>
>
> -------------- Original message --------------
> From: "Brian McGahan"
>
> > Do you have any access-list config? Post the entire router config excluding any
> > sensitive info.
> >
> > Brian McGahan, CCIE #8593
> >
> > ________________________________________
> > From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> > Sent: Friday, December 16, 2005 1:35 PM
> > To: Brian McGahan; ccielab@groupstudy.com
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Static NAT
> >
> >
> > Yeah, I had looked at that earlier and no response.
> >
> > One thing: from the customer LAN on the 192.168.1.0 network he can connect to
> > 192.168.1.15.
> >
> > cecil
> >
> > -------------- Original message --------------
> > From: "Brian McGahan"
> >
> > > Traceroute is not a good indication as it is (usually) UDP based. Telnet to
> > > 70.232.137.178 at port 80, 70.232.137.180 at port 5900, and 70.232.137.179 at
> > > port 5901 and see if you get an open connection.
> > >
> > >
> > > HTH,
> > >
> > > Brian McGahan, CCIE #8593
> > >
> > > ________________________________________
> > > From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> > > Sent: Friday, December 16, 2005 1:14 PM
> > > To: Brian McGahan; ccielab@groupstudy.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: RE: Static NAT
> > >
> > > > When I traceroute from outside, the trace stops on the routes.
> > > >
> > > > Sometimes the translations do show the translations.
> > > >
> > > > Customer has these devices behind a DMZ at some of his other locations; should
> > > > these IPs be behind a DMZ on this router? It is a Cisco 1721.
> > >
> > >
> > > tcp 70.232.137.178:80 192.168.1.15:80 68.90.107.195:1241 68.90.107.195:1241
> > >
> > > -------------- Original message --------------
> > > From: "Brian McGahan"
> > >
> > > > What's the problem then? These are your static entries:
> > > >
> > > > Pro Inside global Inside local Outside local Outside global
> > > > tcp 70.232.137.178:80 192.168.1.15:80 --- ---
> > > > tcp 70.232.137.180:5900 192.168.1.99:5900 --- ---
> > > > tcp 70.232.137.179:5901 192.168.1.98:5901 --- ---
> > > >
> > > > Have you tried to reach these hosts from the outside?
> > > >
> > > > Brian McGahan, CCIE #8593
> > > >
> > > > ________________________________________
> > > > From: cejackson1@comcast.net [mailto:cejackson1@comcast.net]
> > > > Sent: Friday, December 16, 2005 12:35 PM
> > > > To: Brian McGahan; ccielab@groupstudy.com
> > > > Cc: ccielab@groupstudy.com
> > > > Subject: RE: Static NAT
> > > >
> > > >
> > > >
> > > > abscom64#sh ip nat translations
> > > > Pro Inside global Inside local Outside local Outside global
> > > > > udp 70.232.137.183:1028 192.168.1.84:1028 216.133.229.54:3527 216.133.229.54:3527
> > > > > tcp 70.232.137.183:1075 192.168.1.84:1075 216.133.229.54:1433 216.133.229.54:1433
> > > > > tcp 70.232.137.178:80 192.168.1.15:80 --- ---
> > > > > tcp 70.232.137.183:1047 192.168.1.84:1047 65.169.19.139:80 65.169.19.139:80
> > > > > tcp 70.232.137.183:1500 192.168.1.84:1500 216.133.229.54:1801 216.133.229.54:1801
> > > > > tcp 70.232.137.183:1502 192.168.1.84:1502 216.133.229.54:1801 216.133.229.54:1801
> > > > > udp 70.232.137.183:1028 192.168.1.84:1028 64.42.224.193:3527 64.42.224.193:3527
> > > > > tcp 70.232.137.183:1499 192.168.1.84:1499 64.42.224.193:1801 64.42.224.193:1801
> > > > > tcp 70.232.137.183:1501 192.168.1.84:1501 64.42.224.193:1801 64.42.224.193:1801
> > > > > tcp 70.232.137.183:1503 192.168.1.84:1503 64.42.224.193:1801 64.42.224.193:1801
> > > > tcp 70.232.137.180:5900 192.168.1.99:5900 --- ---
> > > > tcp 70.232.137.179:5901 192.168.1.98:5901 --- ---
> > > > abscom64#
> > > >
> > > > -------------- Original message --------------
> > > > From: "Brian McGahan"
> > > >
> > > > > You can do both at the same time. Post the "show ip nat translations"
> > > > > output.
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > > cejackson1@comcast.net
> > > > > > Sent: Friday, December 16, 2005 12:17 PM
> > > > > > To: ccielab@groupstudy.com
> > > > > > Subject: Static NAT
> > > > > >
> > > > > > > If I have the inside nat statement on e0/0 and outside on s0/0
> > > > > >
> > > > > > the nat pool is working but the static entries are not?
> > > > > >
> > > > > > suggestion
> > > > > >
> > > > > >
> > > > > > > ip nat pool paauto 70.232.137.181 70.232.137.190 netmask 255.255.255.240
> > > > > > > ip nat inside source list 121 pool paauto overload
> > > > > > >
> > > > > > > ip nat inside source static tcp 192.168.1.98 5901 70.232.137.179 5901 extendable
> > > > > > > ip nat inside source static tcp 192.168.1.99 5900 70.232.137.180 5900 extendable
> > > > > > > ip nat inside source static tcp 192.168.1.15 80 70.232.137.178 80 extendable
> > > > > >
> > > > > > ip classless
> > > > > > ip route 0.0.0.0 0.0.0.0 70.255.44.177
> > > > > > ip http server
> > > > > > !
> > > > > > access-list 121 permit ip 192.168.1.0 0.0.0.255 any
> > > > > > !
> > > > > >
> > > > > >
> > > > > _______________________________________________________________________
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

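The two address checks raised in Brian McGahan's quoted reply (whether each static global address is a network or directed-broadcast address of a /30, and whether the translated addresses sit outside the point-to-point subnet so that upstream devices need a route back) can be run mechanically. This is an added example, not part of the thread; the addresses are copied from the posted configuration, and the function names and the choice of /30 as the boundary to test are assumptions taken from that reply.

```python
import ipaddress

# Values copied from the router configuration quoted in the thread.
OUTSIDE_IF = ipaddress.ip_interface("70.255.44.178/255.255.255.252")
STATIC_GLOBALS = ["70.232.137.178", "70.232.137.179", "70.232.137.180"]
POOL = ("70.232.137.181", "70.232.137.190", "255.255.255.240")


def slash30_role(addr):
    """Return (role, enclosing /30) where role is network, broadcast or host."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/30", strict=False)
    if ip == net.network_address:
        role = "network"
    elif ip == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return role, str(net)


def needs_return_route(addr, outside_if=OUTSIDE_IF):
    """True when addr is not on the outside link's own subnet, so the
    upstream router must hold a route for it pointing at this router."""
    return ipaddress.ip_address(addr) not in outside_if.network


def pool_block(first, last, netmask):
    """Return the subnet implied by the pool's netmask; reject a pool
    whose last address falls outside that subnet."""
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    if ipaddress.ip_address(last) not in net:
        raise ValueError(f"{last} is outside {net}")
    return str(net)


def audit(addresses=STATIC_GLOBALS):
    """One row per address: (address, /30 role, /30 subnet, needs route)."""
    return [(a, *slash30_role(a), needs_return_route(a)) for a in addresses]


if __name__ == "__main__":
    print("pool block:", pool_block(*POOL))
    for addr, role, net, route in audit():
        print(f"{addr:<16} {role:<9} in {net:<18} return route needed: {route}")
```
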


This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3