[c-nsp] FW: Static PAT problem

Andrew Herdman andrew at whine.com
Thu Mar 17 17:09:10 EST 2005


I've been trying to get my 1711 which connects to the outside world via a
PPPoE connection on FastEthernet0 to do static PAT translations for two
ports, one 3389 for MSTS, and 81(outside) 80(inside) for web traffic.

I'm getting very inconsistent results, I get it working, but not sure how,
then, all NAT goes away except the two static entries.  Only way to fix this
is reboot the router.  I do a write mem before rebooting to preserve the
config where the PAT worked.  The router returns, and PAT no longer works.
I get the message connection refused sent back.

I have done a debug IP packet, and debug ip nat, nothing really obvious is
happening to show the problem.  I know the packet is not reaching the end
system by using a sniffer.

Applicable configuration is below.  I'm hoping I just missed something, and
hoping I haven't stumbled on an IOS bug.  

Regards
  Andrew


Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(11)T3,
RELEASE SOFTWARE (fc4)
System image file is "flash:c1700-k9o3sy7-mz.123-11.T3.bin"


interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1406
 ip nbar protocol-discovery
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1366
!
interface Vlan1
 ip address 192.168.128.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
!
ip nat inside source list NAT01 interface Dialer0 overload
ip nat inside source static tcp 192.168.128.129 80 interface Dialer0 81
ip nat inside source static tcp 192.168.128.1 3389 interface Dialer0 3389
!
ip access-list extended NAT01
 permit ip 0.0.0.0 255.255.255.0 any
!
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq 5060 any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 3389 log
access-list 101 permit tcp any any eq 81
access-list 101 deny   ip any any
!
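An added check, not part of Andrew's post or of IOS: it evaluates the NAT01 access list from the config above with IOS wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored, implicit deny at the end) against the two inside hosts named in the post plus one constructed address, and beside it the same entry written with the 0.0.0.255 wildcard usually intended for a /24, so you can see which sources the `ip nat inside source list NAT01 ... overload` line will actually translate.

```python
import ipaddress

# NAT01 as it appears in the posted config, and the inside hosts the
# static PAT lines point at; 192.168.128.0 is a constructed extra case.
NAT01 = ["permit ip 0.0.0.0 255.255.255.0 any"]
NAT01_SLASH24 = ["permit ip 192.168.128.0 0.0.0.255 any"]  # assumed alternative
INSIDE_HOSTS = ["192.168.128.129", "192.168.128.1", "192.168.128.0"]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 0 in the wildcard must match base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_entry(line: str):
    """Parse 'permit|deny <proto> <src> ...' where src is 'any', 'host X' or 'X WC'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if rest[0] == "any":
        src = ("0.0.0.0", "255.255.255.255")
    elif rest[0] == "host":
        src = (rest[1], "0.0.0.0")
    else:
        src = (rest[0], rest[1])
    return action, proto, src


def acl_permits(acl, addr: str) -> bool:
    """First-match evaluation on the source address, implicit deny at the end."""
    for line in acl:
        action, _, (base, wc) = parse_entry(line)
        if wildcard_match(addr, base, wc):
            return action == "permit"
    return False


def nat_eligible(acl, hosts):
    """Map each inside host to whether the NAT ACL would select it for translation."""
    return {h: acl_permits(acl, h) for h in hosts}


if __name__ == "__main__":
    for label, acl in (("NAT01 as posted", NAT01), ("NAT01 with 0.0.0.255", NAT01_SLASH24)):
        print(label)
        for host, ok in nat_eligible(acl, INSIDE_HOSTS).items():
            print(f"  {host:16} {'matched' if ok else 'not matched'}")
```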