[c-nsp] FW: Static PAT problem

RawCode gonnason at gmail.com
Mon Mar 21 19:11:45 EST 2005


On Fri, 18 Mar 2005 10:51:58 -0500, Andrew Herdman <andrew at whine.com> wrote:
> Thanks Gert;
> 
> I also received the same advice from two other people in a private message.
> Not sure why I missed that, but the SDM did it, last time I let SDM
> configure any part of the router.
> 
> But unfortunately, it didn't resolve the issue.  I still get connection
> refused when telneting to the static PAT ports of 81 and 3389.
> 
> Thanks
>   Andrew
> 
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> > Sent: Friday, March 18, 2005 3:46 AM
> > To: Andrew Herdman
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] FW: Static PAT problem
> >
> > Hi,
> >
> > On Thu, Mar 17, 2005 at 05:09:10PM -0500, Andrew Herdman wrote:
> > > !
> > > ip access-list extended NAT01
> > >  permit ip 0.0.0.0 255.255.255.0 any
> >
> > netmasks in ACLs need to be inverted ("don't care bits") - if you want
> > to match your whole inside subnet, write this as:
> >
> >    permit ip 192.168.128.0 0.0.0.255
> >
> > gert
> > --
> > USENET is *not* the non-clickable part of WWW!
> >
> > //www.muc.de/~gert/
> > Gert Doering - Munich, Germany
> > gert at greenie.muc.de
> > fax: +49-89-35655025
> > gert at net.informatik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
An example from my config:
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.5 8000 interface Dialer1 8000
ip nat inside source static tcp 192.168.0.3 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.5 22 interface Dialer1 22

and if you do "sh ip nat trans" you should see:
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.16.252:80  192.168.0.3:80     ---                ---
tcp x.x.16.252:22  192.168.0.5:22     ---                ---
udp x.x.16.252:22  192.168.0.5:22     ---                ---
tcp x.x.16.252:8000 192.168.0.5:8000  ---                ---

During a connection attempt you should see this, for example:
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.16.252:80  192.168.0.3:80     x.x.x.43:1795 x.x.x.43:1795
tcp x.x.16.252:80  192.168.0.3:80     ---                ---
tcp x.x.16.252:22  192.168.0.5:22     ---                ---
udp x.x.16.252:22  192.168.0.5:22     ---                ---
tcp x.x.16.252:8000 192.168.0.5:8000  ---                ---

Do you see any of the previous at all? And when you try to establish a
session, do you see a NAT entry? If you do see a NAT entry, then NAT
is not the issue.
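To make the wildcard-mask point from Gert's quoted reply concrete, here is an added Python example (not from anyone in the thread) that applies Cisco ACL "don't care" semantics to the original `permit ip 0.0.0.0 255.255.255.0 any` entry and to the corrected `192.168.128.0 0.0.0.255` form. It assumes the inside subnet is 192.168.128.0/24, which the thread implies but does not state.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_from_netmask(netmask: str) -> str:
    """Cisco ACL wildcard bits are the bitwise inverse of a subnet mask:
    a 1 bit means 'don't care', a 0 bit means 'must match'."""
    n = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(n ^ MASK32))


def acl_matches(addr: str, base: str, wildcard: str) -> bool:
    """True when every 'care' bit (0 in the wildcard) of addr equals base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ MASK32
    return (a & care) == (b & care)


def hosts_matched_in_subnet(base: str, wildcard: str, subnet: str) -> list:
    """Enumerate which hosts of `subnet` an ACL entry would actually permit.
    Checking this before using an ACL to select NAT traffic shows both
    under-matching (nothing gets translated) and over-matching."""
    net = ipaddress.IPv4Network(subnet)
    return [str(h) for h in net.hosts() if acl_matches(str(h), base, wildcard)]


if __name__ == "__main__":
    inside = "192.168.128.0/24"  # assumed inside subnet (constructed)
    # The original entry: base 0.0.0.0 with wildcard 255.255.255.0 only cares
    # about the last octet, so it matches addresses ending in .0 and nothing else.
    broken = hosts_matched_in_subnet("0.0.0.0", "255.255.255.0", inside)
    # The corrected entry: wildcard derived from the real netmask.
    fixed = hosts_matched_in_subnet("192.168.128.0",
                                    wildcard_from_netmask("255.255.255.0"), inside)
    print(f"original entry matches {len(broken)} inside hosts")
    print(f"corrected entry matches {len(fixed)} inside hosts")
```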

