Cisco NAT doesn't appear to be working

fieryhail · 04-02-2009, 10:22 AM

I have a 3662 cisco router and I'm trying to access a mail server by hostname from outside the local network. I have ip nat setup properly i believe, yet i can not access my server on port 80. I looked in my router, but the whole NAT thing is still somewhat confusing. I've read lots of documentation on it but things still aren't quite working. I have a local machine on int 0/0 with private ip 192.168.1.11, i want to forward certain ports from the public IP to this server, port 80, 443, plus others. Any help is appreciated. I'll post my running-cnfig file here, maybe someone can tell me where I screwed up. Thanks again.
no aaa new-model
!
resource policy
!
!
!
ip cef table adjacency-prefix validate
ip cef
ip domain name rcserveny.com
ip name-server 167.206.112.138
ip name-server 167.206.7.4
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat allow-static-host
ip nat enable
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 96.56.78.172 255.255.255.248
ip nat outside
ip nat allow-static-host
ip nat enable
ip virtual-reassembly
speed auto
full-duplex
!
router rip
redistribute connected
network 96.0.0.0
network 192.168.1.0
!
ip default-gateway 96.56.78.169
no ip http server
!
ip route 0.0.0.0 0.0.0.0 96.56.78.169
!
ip nat log translations syslog
ip nat source static tcp 192.168.1.11 21 interface FastEthernet0/1 21
ip nat source static tcp 192.168.1.11 80 interface FastEthernet0/1 80
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.1 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.1 636 interface FastEthernet0/1 636
ip nat inside source static tcp 192.168.1.11 389 interface FastEthernet0/1 389
ip nat inside source static tcp 192.168.1.11 563 interface FastEthernet0/1 563
ip nat inside source static tcp 192.168.1.11 119 interface FastEthernet0/1 119
ip nat inside source static tcp 192.168.1.11 993 interface FastEthernet0/1 993
ip nat inside source static tcp 192.168.1.11 995 interface FastEthernet0/1 995
ip nat inside source static tcp 192.168.1.11 465 interface FastEthernet0/1 465
ip nat inside source static tcp 192.168.1.11 143 interface FastEthernet0/1 143
ip nat inside source static tcp 192.168.1.11 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.1.11 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.101 5900 interface FastEthernet0/1 420
ip nat inside source static tcp 192.168.1.12 22 interface FastEthernet0/1 22
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
control-plane
!
!
!
!
!
!
!
gateway
timer receive-rtp 1200
!
!
line con 0
line aux 0
line vty 0 4

asgley · 04-02-2009, 02:13 PM

Hi,
I'm by no means an expert on Cisco so forgive me if some of the things Isay sound a bit dumb.

It looks like youve set your network address wrong here though it probably wouldnt be the end of the world... depending on where your traffic is coming and going to i suppose.

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0

interface FastEthernet0/1
ip address 96.56.78.172 255.255.255.248

network 96. 0.0.0 (96.56.78.168)
network 192.168.1.0

-----------
It looks like you have duplicated a port 80 rule?
the port 21 rule and the port 80 rule here are in a different format to the rest of the rules which i find odd but perhaps you can explain that bit to me =)

ip nat source static tcp 192.168.1.11 21 interface FastEthernet0/1 21
ip nat source static tcp 192.168.1.11 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet0/1 80

-----------
As this is an e-mail issue you should check your mx records are set correctly, then check your dns resolves to the correct ip, then check you can connect to your mail server internally, make sure your server accepts connections from anywhere on the ports you are hosting stuff on.
Use an external server to telnet to your ports and check it establishes and gives good output.

I hope this was some help.

Asg

fieryhail · 04-02-2009, 02:20 PM

Thanks for your reply, I'm very new to this also so my config file is not one for "production use". I'm in the learning phase. I already removed the duplicate port 80 and 21 rules, the reason for the different format was I wasn't sure which was correct, but neither way seems to work. Yes, my MX records are correct, I can send and recieve email to and from the internet, as long as I'm accessing my mailserver from a machine behind my LAN (the 192.168.1.0 network). By the way, you are correct, my IP is incorrect I am changing it to 96.56.78.168 as you pointed out (don't know how I missed that, but everything was working from the inside out anyway). Any ideas are welcome. If I have to do a teardown and redo I'm open to that at this point also. I need to understand what's going on. This is how I learn. Thanks for the help.

fieryhail · 04-02-2009, 02:26 PM

Do I need some other type of access-list to permit incoming connections to my LAN? I'm confused. PS, I can NOT telnet in from the internet. Something appears to be stopping access inbound. There is nothing stopping traffic (i.e firewall etc) coming into the public IP interface on the cisco, I'm trying to keep this as simple as possible to understand it.

asgley · 04-02-2009, 05:44 PM

Hi,

I dont think you need either of these for what i believe your trying to do.

ip nat allow-static-host
ip nat enable

are you using a complex network design where you have multiple routers?
if not i doubt you need to worry about
router rip
or
redistribute connected

I dont see any other reference to this, any reason for having it?
dialer-list 1 protocol ip permit

I think taking out the rip and the other one may help with your problem.

To go much further were going to have to get more specific and im going to need to know your domain the MX is using and attempt to make a connection etc... obviously in a work enviroment this sort of testing (probing) is not acceptable from an unknown entity like myself so i doubt i can be much more help.

I've had issues in the past with my cisco routers, they are doing a failrly basic job but a reset on them and only config the absolute basics can often help.
get the ip's set
enable routing
set gateway
add access list
set virtual reassembly
set inside and outside on your interfaces
config nat to allow host to connect out
test
config nat to allow port to forward in
test and repeat.

one thing i found useful is using seperate access lists for different ip's, it makes "show access-list" show the number of matches the list has had based on the rules using it etc.
I havent ever needed to test it but i cant see a reason why you couldnt set two different access lists up for the same ip and use one for connections out and one for conenctions in...

anyway im just rambling now.

let me know how you get on

Asg

asgley · 04-02-2009, 05:52 PM

Just a fyi
ip nat inside source static tcp 192.168.1.1 636 interface FastEthernet0/1 636
ip nat inside source static tcp 192.168.1.11 389 interface FastEthernet0/1 389
ip nat inside source static tcp 192.168.1.1 443 interface FastEthernet0/1 443
its probably a good idea to close these

ip nat inside source static tcp 192.168.1.101 5900 interface FastEthernet0/1 420
btw now we all know your remote access app, change the port =)

Asg

04-02-2009, 10:22 AM	#1 (permalink)
fieryhail Registered User Join Date: Mar 2009 Location: New York Posts: 4 OS: OS X Leopard, XP Pro SP2(VM), CentOS 5.2 (VM), OpenSolaris 11.1 (VM)	Cisco NAT doesn't appear to be working I have a 3662 cisco router and I'm trying to access a mail server by hostname from outside the local network. I have ip nat setup properly i believe, yet i can not access my server on port 80. I looked in my router, but the whole NAT thing is still somewhat confusing. I've read lots of documentation on it but things still aren't quite working. I have a local machine on int 0/0 with private ip 192.168.1.11, i want to forward certain ports from the public IP to this server, port 80, 443, plus others. Any help is appreciated. I'll post my running-cnfig file here, maybe someone can tell me where I screwed up. Thanks again. no aaa new-model ! resource policy ! ! ! ip cef table adjacency-prefix validate ip cef ip domain name rcserveny.com ip name-server 167.206.112.138 ip name-server 167.206.7.4 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 ip nat inside ip nat allow-static-host ip nat enable ip virtual-reassembly speed auto full-duplex ! interface FastEthernet0/1 ip address 96.56.78.172 255.255.255.248 ip nat outside ip nat allow-static-host ip nat enable ip virtual-reassembly speed auto full-duplex ! router rip redistribute connected network 96.0.0.0 network 192.168.1.0 ! ip default-gateway 96.56.78.169 no ip http server ! ip route 0.0.0.0 0.0.0.0 96.56.78.169 ! ip nat log translations syslog ip nat source static tcp 192.168.1.11 21 interface FastEthernet0/1 21 ip nat source static tcp 192.168.1.11 80 interface FastEthernet0/1 80 ip nat inside source list 1 interface FastEthernet0/1 overload ip nat inside source static tcp 192.168.1.1 443 interface FastEthernet0/1 443 ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet0/1 80 ip nat inside source static tcp 192.168.1.1 636 interface FastEthernet0/1 636 ip nat inside source static tcp 192.168.1.11 389 interface FastEthernet0/1 389 ip nat inside source static tcp 192.168.1.11 563 interface FastEthernet0/1 563 ip nat inside source static tcp 192.168.1.11 119 interface FastEthernet0/1 119 ip nat inside source static tcp 192.168.1.11 993 interface FastEthernet0/1 993 ip nat inside source static tcp 192.168.1.11 995 interface FastEthernet0/1 995 ip nat inside source static tcp 192.168.1.11 465 interface FastEthernet0/1 465 ip nat inside source static tcp 192.168.1.11 143 interface FastEthernet0/1 143 ip nat inside source static tcp 192.168.1.11 110 interface FastEthernet0/1 110 ip nat inside source static tcp 192.168.1.11 25 interface FastEthernet0/1 25 ip nat inside source static tcp 192.168.1.101 5900 interface FastEthernet0/1 420 ip nat inside source static tcp 192.168.1.12 22 interface FastEthernet0/1 22 ! access-list 1 permit 192.168.1.0 0.0.0.255 dialer-list 1 protocol ip permit snmp-server community public RO ! ! ! control-plane ! ! ! ! ! ! ! gateway timer receive-rtp 1200 ! ! line con 0 line aux 0 line vty 0 4

04-02-2009, 02:13 PM	#2 (permalink)
asgley Registered User Join Date: Feb 2009 Posts: 105 OS: xp32, vista64, gentoo, rhle4, rhel 5 64, centos 64, debian, solaris, 2k3, 2k8	Re: Cisco NAT doesn't appear to be working Hi, I'm by no means an expert on Cisco so forgive me if some of the things Isay sound a bit dumb. It looks like youve set your network address wrong here though it probably wouldnt be the end of the world... depending on where your traffic is coming and going to i suppose. interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 interface FastEthernet0/1 ip address 96.56.78.172 255.255.255.248 network 96. 0.0.0 (96.56.78.168) network 192.168.1.0 ----------- It looks like you have duplicated a port 80 rule? the port 21 rule and the port 80 rule here are in a different format to the rest of the rules which i find odd but perhaps you can explain that bit to me =) ip nat source static tcp 192.168.1.11 21 interface FastEthernet0/1 21 ip nat source static tcp 192.168.1.11 80 interface FastEthernet0/1 80 ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet0/1 80 ----------- As this is an e-mail issue you should check your mx records are set correctly, then check your dns resolves to the correct ip, then check you can connect to your mail server internally, make sure your server accepts connections from anywhere on the ports you are hosting stuff on. Use an external server to telnet to your ports and check it establishes and gives good output. I hope this was some help. Asg

04-02-2009, 02:20 PM	#3 (permalink)
fieryhail Registered User Join Date: Mar 2009 Location: New York Posts: 4 OS: OS X Leopard, XP Pro SP2(VM), CentOS 5.2 (VM), OpenSolaris 11.1 (VM)	Re: Cisco NAT doesn't appear to be working Thanks for your reply, I'm very new to this also so my config file is not one for "production use". I'm in the learning phase. I already removed the duplicate port 80 and 21 rules, the reason for the different format was I wasn't sure which was correct, but neither way seems to work. Yes, my MX records are correct, I can send and recieve email to and from the internet, as long as I'm accessing my mailserver from a machine behind my LAN (the 192.168.1.0 network). By the way, you are correct, my IP is incorrect I am changing it to 96.56.78.168 as you pointed out (don't know how I missed that, but everything was working from the inside out anyway). Any ideas are welcome. If I have to do a teardown and redo I'm open to that at this point also. I need to understand what's going on. This is how I learn. Thanks for the help.

04-02-2009, 02:26 PM	#4 (permalink)
fieryhail Registered User Join Date: Mar 2009 Location: New York Posts: 4 OS: OS X Leopard, XP Pro SP2(VM), CentOS 5.2 (VM), OpenSolaris 11.1 (VM)	Re: Cisco NAT doesn't appear to be working Do I need some other type of access-list to permit incoming connections to my LAN? I'm confused. PS, I can NOT telnet in from the internet. Something appears to be stopping access inbound. There is nothing stopping traffic (i.e firewall etc) coming into the public IP interface on the cisco, I'm trying to keep this as simple as possible to understand it.

04-02-2009, 05:44 PM	#5 (permalink)
asgley Registered User Join Date: Feb 2009 Posts: 105 OS: xp32, vista64, gentoo, rhle4, rhel 5 64, centos 64, debian, solaris, 2k3, 2k8	Re: Cisco NAT doesn't appear to be working Hi, I dont think you need either of these for what i believe your trying to do. ip nat allow-static-host ip nat enable are you using a complex network design where you have multiple routers? if not i doubt you need to worry about router rip or redistribute connected I dont see any other reference to this, any reason for having it? dialer-list 1 protocol ip permit I think taking out the rip and the other one may help with your problem. To go much further were going to have to get more specific and im going to need to know your domain the MX is using and attempt to make a connection etc... obviously in a work enviroment this sort of testing (probing) is not acceptable from an unknown entity like myself so i doubt i can be much more help. I've had issues in the past with my cisco routers, they are doing a failrly basic job but a reset on them and only config the absolute basics can often help. get the ip's set enable routing set gateway add access list set virtual reassembly set inside and outside on your interfaces config nat to allow host to connect out test config nat to allow port to forward in test and repeat. one thing i found useful is using seperate access lists for different ip's, it makes "show access-list" show the number of matches the list has had based on the rules using it etc. I havent ever needed to test it but i cant see a reason why you couldnt set two different access lists up for the same ip and use one for connections out and one for conenctions in... anyway im just rambling now. let me know how you get on Asg

04-02-2009, 05:52 PM	#6 (permalink)
asgley Registered User Join Date: Feb 2009 Posts: 105 OS: xp32, vista64, gentoo, rhle4, rhel 5 64, centos 64, debian, solaris, 2k3, 2k8	Re: Cisco NAT doesn't appear to be working Just a fyi ip nat inside source static tcp 192.168.1.1 636 interface FastEthernet0/1 636 ip nat inside source static tcp 192.168.1.11 389 interface FastEthernet0/1 389 ip nat inside source static tcp 192.168.1.1 443 interface FastEthernet0/1 443 its probably a good idea to close these ip nat inside source static tcp 192.168.1.101 5900 interface FastEthernet0/1 420 btw now we all know your remote access app, change the port =) Asg