  zhrike
@NET.PH
| [HELP] Help with Cisco NAT
Hello Guys... Hope you can help me with this one...
I've been doing some search and test on my Cisco router but it doesnt seem to work... and i'm very exhausted at this one... i have a server (Win Server 2003 SP2) which is running remote desktop, http server & ftp server. and it's ip address is 192.168.0.5. and i want it to be translated with 121.96.17.70 which i had purchased. but everytime i tried connecting it, it keeps getting errors like, cant connect to remote computer blah blah blah... what could be wrong with this? and i even disabled firewall on it just to make sure, but nothing happened. hope somebody can help me with this. here is my config
Building configuration...
Current configuration : 3318 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname U-MainRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 **********
enable password 7 **********
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.200
!
ip dhcp pool dhcp1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.2
 dns-server 203.115.130.8 210.4.2.61
!
no ip ips deny-action ips-interface
ip domain name yourdomain.com
ip name-server 203.115.130.8
ip name-server 210.4.2.61
!
username test privilege 15 password 7 **********
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 121.96.27.109 255.255.255.192 secondary
 ip address 121.96.17.5 255.255.255.192
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no mop enabled
!
interface Serial0/0/0
 description Interface-Facing-ISP
 ip address 202.78.78.204 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 description Interface-Facing-ISP
 ip address 121.97.74.106 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
router rip
 version 2
 redistribute connected
 network 121.0.0.0
 network 192.168.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 21 121.96.17.70 21 extendable
ip nat inside source static tcp 192.168.0.5 80 121.96.17.70 80 extendable
ip nat inside source static tcp 192.168.0.5 3389 121.96.17.70 3389 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
! access-list 50 entries below: these are YouTube's and Friendster's addresses
access-list 50 deny 209.11.168.114
access-list 50 deny 209.11.168.115
access-list 50 deny 209.11.168.112
access-list 50 deny 209.11.168.113
access-list 50 deny 209.11.168.118
access-list 50 deny 209.11.168.119
access-list 50 deny 209.11.168.116
access-list 50 deny 209.11.168.117
access-list 50 deny 209.11.168.122
access-list 50 deny 209.11.168.123
access-list 50 deny 209.11.168.120
access-list 50 deny 209.11.168.121
access-list 50 deny 208.117.236.69
access-list 50 deny 209.11.168.126
access-list 50 deny 209.11.168.127
access-list 50 deny 209.11.168.124
access-list 50 deny 209.11.168.125
access-list 50 deny 209.11.168.110
access-list 50 deny 209.11.168.111
access-list 50 deny 208.65.153.238
access-list 50 deny 209.11.168.130
access-list 50 deny 209.11.168.128
access-list 50 deny 208.65.153.250
access-list 50 deny 208.65.153.251
access-list 50 deny 209.11.168.129
access-list 50 deny 208.65.153.252
access-list 50 deny 208.65.153.253
access-list 50 deny 208.65.153.254
access-list 50 deny 208.65.153.255
access-list 50 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 180 0
 privilege level 15
 password 7 **********
 login local
 transport input telnet
!
end
waiting for your reply... thanks |
|
 aryoba Premium,MVM join:2002-08-22
| My guess is that one of the problems is the following configuration.
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 121.96.27.109 255.255.255.192 secondary
 ip address 121.96.17.5 255.255.255.192
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no mop enabled
Another problem is the following
ip nat inside source list 1 interface FastEthernet0/1 overload
However the biggest problem is probably the network design itself.
One way to solve this is to set up a new private IP subnet (i.e. 172.16.0.0/24) under the FastEthernet0/0 interface as the server subnet. This server subnet then has a NAT association with 121.96.17.0/26. You can keep the 192.168.0.0/24 subnet associated only with the 121.96.27.0/26 subnet. |
|
  zhrike
@NET.PH
| Actually this is the setup of my router. I've changed my IP for some reason.
===========================================================================
interface FastEthernet0/0
 description Interface-Facing-Servers
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 121.96.27.129 255.255.255.192 secondary
 ip address 121.96.17.65 255.255.255.192
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no mop enabled
!
interface Serial0/0/0
 description Interface-Facing-Bayantel
 ip address 202.78.78.254 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 description Interface-Facing-Bayantel
 ip address 121.97.74.126 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
===========================================================================
I've tried statically putting the server at 172.16.0.5 but it can't communicate with the other LAN PCs. I want to set up the server to be able to communicate locally and globally. |
|
 aryoba Premium,MVM join:2002-08-22
| Where is the 172.16.0.5 IP address terminated or defined? Should the FastEthernet0/0 interface IP address be 172.16.0.1/24 or something?
From your configuration, I don't see the 172.16.0.5 IP address defined or terminated anywhere. If the router can't see the IP address in its routing table, then yes, as you realize already, there will be communication problems with other machines. |
|
  zhrike
@NET.PH
| Okay, I'm gonna specify each machine's configuration in detail...
Server Setup
OS : Windows Server 2003 SP2 R2
AD/DC : No
DNS : No
DHCP : No
FTP : Yes
WWW : Yes
RDC : Yes
IP : 192.168.0.5
Subnet : 255.255.255.0
Gateway: 192.168.0.2
Workstations Setup
OS : Windows XP Professional SP2
IP : 192.168.0.50 - 192.168.0.100
Subnet : 255.255.255.0
Gateway: 192.168.0.2
Router Setup
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 *****
enable password 7 *****
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.200
!
ip dhcp pool dhcp1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.2
 dns-server 203.115.130.8 210.4.2.61
!
no ip ips deny-action ips-interface
ip domain name *****.com
ip name-server 203.115.130.8
ip name-server 210.4.2.61
!
username ***** privilege 15 password 7 *****
!
interface FastEthernet0/0
 description Interface-Facing-Servers
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 121.96.27.129 255.255.255.192 secondary
 ip address 121.96.17.65 255.255.255.192
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no mop enabled
!
interface Serial0/0/0
 description Interface-Facing-ISP
 ip address 202.78.78.254 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 description Interface-Facing-ISP
 ip address 121.97.74.126 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 50 deny 209.11.168.114
access-list 50 deny 209.11.168.115
access-list 50 deny 209.11.168.112
access-list 50 deny 209.11.168.113
access-list 50 deny 209.11.168.118
access-list 50 deny 68.142.214.24
access-list 50 deny 209.11.168.119
access-list 50 deny 209.11.168.116
access-list 50 deny 209.11.168.117
access-list 50 deny 209.11.168.122
access-list 50 deny 209.11.168.123
access-list 50 deny 209.11.168.120
access-list 50 deny 209.11.168.121
access-list 50 deny 208.117.236.69
access-list 50 deny 209.11.168.126
access-list 50 deny 209.11.168.127
access-list 50 deny 209.11.168.124
access-list 50 deny 209.11.168.125
access-list 50 deny 209.11.168.110
access-list 50 deny 209.11.168.111
access-list 50 deny 216.178.38.104
access-list 50 deny 69.63.176.140
access-list 50 deny 209.17.70.11
access-list 50 deny 202.78.87.74
access-list 50 deny 212.187.229.17
access-list 50 deny 64.154.80.72
access-list 50 deny 69.63.178.11
access-list 50 deny 66.246.179.202
access-list 50 deny 216.178.38.131
access-list 50 deny 208.65.153.238
access-list 50 deny 209.11.168.130
access-list 50 deny 209.11.168.128
access-list 50 deny 208.65.153.250
access-list 50 deny 208.65.153.251
access-list 50 deny 209.11.168.129
access-list 50 deny 208.65.153.252
access-list 50 deny 208.65.153.253
access-list 50 deny 208.65.153.254
access-list 50 deny 208.65.153.255
access-list 50 deny 64.56.205.72
access-list 50 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 180 0
 privilege level 15
 password 7 *****
 login local
 transport input telnet
!
end
===========================================================
The server is on the same network block as the workstations, and all of the 192.168 IPs are being translated to the 121.96.17.65 IP. But I want the server to have its own translated address, like 121.96.17.66, which we had purchased. But every time I translate it, I can't connect to it.
! the 'static' keyword is required for these one-to-one port translations
ip nat inside source static tcp 192.168.0.5 3389 121.96.17.66 3389
! for Remote Desktop Connection
ip nat inside source static tcp 192.168.0.5 80 121.96.17.66 80
! for HTTP Server
ip nat inside source static tcp 192.168.0.5 21 121.96.17.66 21
! for FTP Server
I haven't got anything from those commands. Have I forgotten something? Can you help me with this? |
|
 aryoba Premium,MVM join:2002-08-22
| I notice there are some changes on your router configuration. Original post contains 121.96.27.64/26 and 121.96.17.0/26 subnets as the LANs; and 202.78.78.204/30 and 121.97.74.104/30 subnets as the WANs. But then on later router configuration, there are 121.96.27.128/26 and 121.96.17.64/26 subnets as the LANs; and 202.78.78.254/30 and 121.97.74.124/30 subnets as the WAN.
Which ones are you using? |
|
  ryo504
join:2001-01-01 Marrero, LA
| reply to zhrike I found your problem
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
You need to set your gateway IP here. Somehow I had problems setting my outside as an interface. If you don't know your gateway, subnet your outside IP, pick the first available IP address and see if you get a reply (ping it). You shouldn't worry about the gateway address changing. -- Ryo Studios Inc. |
|
 chris123
join:2002-07-23 Highland, IN
·AT&T Midwest
| reply to zhrike Why are these here?
ip address 192.168.0.2 255.255.255.0 secondary
ip address 121.96.27.129 255.255.255.192 secondary
ip address 121.96.17.65 255.255.255.192
Do you have 1 or 2 connections to the ISP? -- see my SBC Review @ »Review of AT&T Midwest by chris123 |
|
  ryo504
join:2001-01-01 Marrero, LA
| Yeah, it looks like he is doing dual ISP.
Also, do you need a clock rate on your serial connections? And you can try to connect one ISP first. -- Ryo Studios Inc. |
|
 zhrike
join:2008-07-16
| reply to aryoba @aryoba
These are the original IPs given by our ISP, because we actually have (2) E1 2MB connections from the same ISP. We aggregated them to make it up to a 4MB connection.
======================
1st E1
WAN - 202.78.78.254/30
LAN - 121.96.27.28/26
======================
======================
2nd E1
WAN - 121.97.74.126/30
LAN - 121.96.17.64/26
======================
Can you help me with that setup? Because all I need to do is translate the server's IP to any of the 121.96.17.6x IPs, as long as users from outside can access its services and the inside users can still access it from the same network. |
|
 zhrike
join:2008-07-16
| reply to chris123 @chris123
Yes, I have 2 E1 connections with the same ISP.
ip address 192.168.0.2 255.255.255.0 secondary - to set up the router locally
ip address 121.96.27.129 255.255.255.192 secondary - these are ISP-given LAN IPs
ip address 121.96.17.65 255.255.255.192 - these are ISP-given LAN IPs |
|
 zhrike
join:2008-07-16
| reply to ryo504 @ryo504
I've already done a lot of testing on the router, even formatting the router and putting on a new IOS version, but still no luck with it. |
|
 aryoba Premium,MVM join:2002-08-22
edit: July 16th, @08:54AM
| reply to zhrike
said by zhrike :
@aryoba These are the original IPs given by our ISP, because we actually have (2) E1 2MB connections from the same ISP. We aggregated them to make it up to a 4MB connection.
======================
1st E1
WAN - 202.78.78.254/30
LAN - 121.96.27.28/26
======================
======================
2nd E1
WAN - 121.97.74.126/30
LAN - 121.96.17.64/26
======================
Can you confirm with your ISP as to how they set up routing redundancy on their end? This is a requirement to make sure that your network design matches the ISP network design.
One thing you need to confirm is the following. Would any of the LAN subnets be reachable via any WAN circuit? Is the 121.96.27.0/26 subnet reachable only via 202.78.78.252/30? Or is the 121.96.27.0/26 subnet also reachable via 121.97.74.124/30? The same question goes for the 2nd 121.96.17.64/26 LAN subnet.
If all LAN subnets are reachable via any WAN circuit, then the next question is the following. Is there any preference as to which WAN circuit to take to reach any LAN subnet or a specific LAN subnet? Or is it just equal-cost routing to reach any or a specific LAN subnet?
I also notice that you are doing static routes with your ISP. Is there a reason why you don't run dynamic routing such as BGP with your ISP? |
|
 zhrike
join:2008-07-16
| said by aryoba :
Can you confirm with your ISP as to how they set up routing redundancy on their end? This is a requirement to make sure that your network design matches the ISP network design. One thing you need to confirm is the following. Would any of the LAN subnets be reachable via any WAN circuit? Is the 121.96.27.0/26 subnet reachable only via 202.78.78.252/30? Or is the 121.96.27.0/26 subnet also reachable via 121.97.74.124/30? The same question goes for the 2nd 121.96.17.64/26 LAN subnet. If all LAN subnets are reachable via any WAN circuit, then the next question is the following. Is there any preference as to which WAN circuit to take to reach any LAN subnet or a specific LAN subnet? Or is it just equal-cost routing to reach any or a specific LAN subnet? I also notice that you are doing static routes with your ISP. Is there a reason why you don't run dynamic routing such as BGP with your ISP?
Yes. The 1st WAN can only access the 1st LAN IPs, and the same goes for the 2nd WAN and LAN IPs. But we have configured its serials for load-sharing per-packet, and that goes for their end too. That's why I want to translate my server's IP address 192.168.0.5 to any of the 121.96.17.6x IPs, since it's the first IP address on my FastEthernet interface. Is there any hope for this?
And about static routes, I'm really new to Cisco and I don't have any knowledge of BGP. |
|
 aryoba Premium,MVM join:2002-08-22
edit: July 16th, @12:15PM
| If the 1st WAN can only access the 1st LAN subnet and the 2nd WAN can only access the 2nd LAN subnet, then there is no point in configuring load-sharing per packet, since one circuit is always forced to be used to access a specific LAN subnet. I believe either LAN subnet should be accessible via either WAN circuit to have proper load sharing and/or automatic failover.
I can see that setting up your server NAT need is straightforward in your case. However, before configuring the server NAT statement and reachability, I would suggest that you (with everybody responsible for your company network) assess the best practice of network design with your ISP to establish proper load balancing between the two WAN circuits.
Keep in mind that any service or application (including your server) reachability and functionality rely on and run over both WAN circuits. Such reachability and functionality require a good network design to have stable connectivity. Without a good network design, you just shoot yourself in the foot and rely on luck.
If I were you I would start by designing a good BGP network design with your ISP. Once it is done, tested, and looking good, then you can move on to the server NAT configuration. |
|
 zhrike
join:2008-07-16
| But that was before load-sharing was configured. Since we started load-sharing, our ISP at the remote side configured our 2 WAN and LAN IPs to be able to communicate with each other. Can you help me with the basic networking stuff? We really need to broadcast our server, because my co-workers here need some access to it from home. |
|
 aryoba Premium,MVM join:2002-08-22
| Assuming your router has a BGP relationship with your ISP, the following is one way of designing your network.
In this sample configuration, the 172.16.0.5 IP address is the FTP and web server you would like to broadcast. All users are within the 192.168.0.0/24 subnet.
This configuration takes care of both your load sharing and/or automatic failover design and your Server NAT problem.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname U-MainRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 **********
enable password 7 **********
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.200
!
ip dhcp pool dhcp1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.2
 dns-server 203.115.130.8 210.4.2.61
!
no ip ips deny-action ips-interface
ip domain name yourdomain.com
ip name-server 203.115.130.8
ip name-server 210.4.2.61
!
username test privilege 15 password 7 **********
!
interface FastEthernet0/0
 description Internet-accessible servers
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 duplex auto
 no mop enabled
!
interface Serial0/0/0
 description Interface-Facing-ISP
 ip address 202.78.78.254 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 description Interface-Facing-ISP
 ip address 121.97.74.126 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
router bgp [YOUR BGP AS NUMBER HERE]
 no synchronization
 bgp log-neighbor-changes
 network 121.97.74.124 mask 255.255.255.252
 network 202.78.78.252 mask 255.255.255.252
 network 121.96.17.64 mask 255.255.255.192
 network 121.96.27.0 mask 255.255.255.192
 neighbor 121.97.74.125 remote-as [YOUR ISP BGP AS NUMBER HERE]
 neighbor 121.97.74.125 description BGP AS Peer #1
 neighbor 121.97.74.125 soft-reconfiguration inbound
 neighbor 202.78.78.253 remote-as [YOUR ISP BGP AS NUMBER HERE]
 neighbor 202.78.78.253 description BGP AS Peer #2
 neighbor 202.78.78.253 soft-reconfiguration inbound
 no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
ip nat pool User 121.96.27.28 121.96.27.28 prefix-length 26
ip nat inside source list 1 pool User
ip nat inside source static tcp 172.16.0.5 21 121.96.17.70 21 extendable
ip nat inside source static tcp 172.16.0.5 80 121.96.17.70 80 extendable
ip nat inside source static tcp 172.16.0.5 3389 121.96.17.70 3389 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
! access-list 50 entries below: these are YouTube's and Friendster's addresses
access-list 50 deny 209.11.168.114
access-list 50 deny 209.11.168.115
access-list 50 deny 209.11.168.112
access-list 50 deny 209.11.168.113
access-list 50 deny 209.11.168.118
access-list 50 deny 209.11.168.119
access-list 50 deny 209.11.168.116
access-list 50 deny 209.11.168.117
access-list 50 deny 209.11.168.122
access-list 50 deny 209.11.168.123
access-list 50 deny 209.11.168.120
access-list 50 deny 209.11.168.121
access-list 50 deny 208.117.236.69
access-list 50 deny 209.11.168.126
access-list 50 deny 209.11.168.127
access-list 50 deny 209.11.168.124
access-list 50 deny 209.11.168.125
access-list 50 deny 209.11.168.110
access-list 50 deny 209.11.168.111
access-list 50 deny 208.65.153.238
access-list 50 deny 209.11.168.130
access-list 50 deny 209.11.168.128
access-list 50 deny 208.65.153.250
access-list 50 deny 208.65.153.251
access-list 50 deny 209.11.168.129
access-list 50 deny 208.65.153.252
access-list 50 deny 208.65.153.253
access-list 50 deny 208.65.153.254
access-list 50 deny 208.65.153.255
access-list 50 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 180 0
 privilege level 15
 password 7 **********
 login local
 transport input telnet
!
end |
|
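Two points in this thread come down to the same question: does a static NAT global address actually live in a subnet the router terminates or advertises? aryoba's first replies compare the /26 blocks on FastEthernet0/1 (121.96.17.0/26 in the first config, 121.96.17.64/26 later) against the 121.96.17.70 and 121.96.17.66 globals, and the proposed BGP design at the end announces the /26 blocks without putting them on any interface. The script below is an added example for this thread, not code from any of the posts. It parses a Cisco-style config excerpt, works out each interface subnet (primary and secondary) and each BGP `network` prefix, and reports, for every static NAT global, which interface subnet contains it and which advertised prefix contains it. The two config excerpts are constructed from the addresses quoted in the thread and trimmed to the relevant lines; the assumption is that the ISP only delivers traffic for a /26 that this router either terminates on an interface or advertises with a matching route in its table.

```python
"""Locate each static NAT global address: which interface subnet terminates it
and which BGP 'network' statement advertises it.

Added example for the thread above; not code from any post. Config excerpts
are constructed from addresses quoted in the thread. Assumption: a NAT global
is only reachable if this router terminates or advertises its /26.
"""
import ipaddress
import re

# Constructed: first post's addressing, plus three NAT globals: the two from
# the thread (121.96.17.70, 121.96.17.66) and one inside a terminated subnet.
FIRST_CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 121.96.27.109 255.255.255.192 secondary
 ip address 121.96.17.5 255.255.255.192
 ip nat inside
!
interface Serial0/0/0
 ip address 202.78.78.204 255.255.255.252
 ip nat outside
!
ip nat inside source static tcp 192.168.0.5 80 121.96.17.70 80 extendable
ip nat inside source static tcp 192.168.0.5 3389 121.96.17.66 3389 extendable
ip nat inside source static tcp 192.168.0.5 21 121.96.27.70 21 extendable
"""

# Constructed: the proposed BGP design, which advertises the /26 blocks but
# does not place them on any interface. AS 65000 is a placeholder.
PROPOSED_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
router bgp 65000
 network 121.96.17.64 mask 255.255.255.192
 network 121.96.27.0 mask 255.255.255.192
!
ip nat inside source static tcp 172.16.0.5 80 121.96.17.70 80 extendable
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
BGP_NET_RE = re.compile(r"^\s*network (\S+) mask (\S+)")
# Matches both 'static tcp LOCAL PORT GLOBAL PORT' and 'static LOCAL GLOBAL'.
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?:(?:tcp|udp) )?(\S+)(?: \d+)? (\S+)")


def interface_networks(config):
    """Map interface name -> connected IPv4 networks (primary and secondary)."""
    nets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            nets[current] = []
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current is not None:
            m = ADDR_RE.match(line)
            if m:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                nets[current].append(iface.network)
    return nets


def bgp_networks(config):
    """Prefixes named in 'network X mask Y' statements."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in map(BGP_NET_RE.match, config.splitlines()) if m]


def static_nat_globals(config):
    """(inside_local, inside_global) address pairs from static NAT lines."""
    return [(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            for m in map(STATIC_NAT_RE.match, config.splitlines()) if m]


def check_nat_globals(config):
    """Return (global, 'iface subnet' terminating it or None,
    advertised prefix covering it or None) for each static NAT global."""
    nets = interface_networks(config)
    advertised = bgp_networks(config)
    report = []
    for _local, glob in static_nat_globals(config):
        terminated = next((f"{name} {net}" for name, subnets in nets.items()
                           for net in subnets if glob in net), None)
        announced = next((str(p) for p in advertised if glob in p), None)
        report.append((str(glob), terminated, announced))
    return report


if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_CONFIG), ("proposed", PROPOSED_CONFIG)):
        print(f"--- {label} ---")
        for glob, terminated, announced in check_nat_globals(cfg):
            print(f"{glob:16} terminated on: {terminated or '-':34} "
                  f"advertised: {announced or '-'}")
```

Run against the first post's addressing, the script shows 121.96.17.70 and 121.96.17.66 sitting outside the 121.96.17.0/26 block that FastEthernet0/1 actually carries, while an address in 121.96.27.64/26 is terminated. Against the proposed design it reports 121.96.17.70 as advertised but not terminated: on IOS a BGP `network` statement only announces a prefix that already exists in the routing table, so that /26 still needs a connected interface or a static route before the ISP will see it.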