[c-nsp] FW: Static PAT problem

Andrew Herdman andrew at whine.com
Mon Mar 21 20:29:27 EST 2005


Here is my "show ip nat translation" (External IPs edited)

C1711#show ip nat translations 
Pro Inside global         Inside local          Outside local      Outside global
tcp x.x.x.254:3037  192.168.128.1:3037    a.a.a.1:993     a.a.a.1:993
tcp x.x.x.254:3042  192.168.128.1:3042    a.a.a.1:22      a.a.a.1:22
tcp x.x.x.254:3389  192.168.128.1:3389    ---                   ---
tcp x.x.x.254:3813  192.168.128.1:3813    a.a.a.1:993     a.a.a.1:993
tcp x.x.x.254:81    192.168.128.129:80    ---                   ---
udp x.x.x.254:49941 192.168.128.129:49941 a.a.a.1:53      a.a.a.a.1:53
udp y.y.y.1:50207   192.168.128.160:50207 10.183.1.11:69    10.183.1.11:69
udp y.y.y.1:50207   192.168.128.160:50207 10.183.1.11:2074  10.183.1.11:2074
udp y.y.y.1:50208   192.168.128.160:50208 10.183.1.11:69    10.183.1.11:69
udp y.y.y.1:50208   192.168.128.160:50208 10.183.1.11:2076  10.183.1.11:2076
udp y.y.y.1:50209   192.168.128.160:50209 10.183.1.11:69    10.183.1.11:69
udp y.y.y.1:50209   192.168.128.160:50209 10.183.1.11:2077  10.183.1.11:2077
tcp y.y.y.1:50455   192.168.128.160:50455 10.183.1.11:2000  10.183.1.11:2000
tcp y.y.y.1:50456   192.168.128.160:50456 10.183.1.10:2000  10.183.1.10:2000
udp y.y.y.1:1025    192.168.128.171:5060  a.a.a.140:5060    a.a.a.140:5060
udp y.y.y.1:1024    192.168.128.171:5060  a.a.a.177:5060    a.a.a.177:5060
udp x.x.x.254:1024  192.168.128.253:5060  a.a.a.236:5060   a.a.a.236:5060

Since I get this right away;

<1002> telnet x.x.x.254 81
Trying x.x.x.254...
telnet: Unable to connect to remote host: Connection refused 

There is no translation associated with the attempt.

Thanks
  Andrew


-----Original Message-----
From: RawCode [mailto:gonnason at gmail.com] 
Sent: Monday, March 21, 2005 7:12 PM
To: Andrew Herdman; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FW: Static PAT problem

On Fri, 18 Mar 2005 10:51:58 -0500, Andrew Herdman <andrew at whine.com> wrote:
> Thanks Gert;
> 
> I also received the same advice from two other people in a private
> message.
> Not sure why I missed that, but the SDM did it, last time I let SDM
> configure any part of the router.
> 
> But unfortunately, it didn't resolve the issue.  I still get connection
> refused when telnetting to the static PAT ports of 81 and 3389.
> 
> Thanks
>   Andrew
> 
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> > Sent: Friday, March 18, 2005 3:46 AM
> > To: Andrew Herdman
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] FW: Static PAT problem
> >
> > Hi,
> >
> > On Thu, Mar 17, 2005 at 05:09:10PM -0500, Andrew Herdman wrote:
> > > !
> > > ip access-list extended NAT01
> > >  permit ip 0.0.0.0 255.255.255.0 any
> >
> > netmasks in ACLs need to be inverted ("don't care bits") - if you want
> > to match your whole inside subnet, write this as:
> >
> >    permit ip 192.168.128.0 0.0.0.255
> >
> > gert
> > --
> > USENET is *not* the non-clickable part of WWW!
> >
> > //www.muc.de/~gert/
> > Gert Doering - Munich, Germany
> > gert at greenie.muc.de
> > fax: +49-89-35655025
> > gert at net.informatik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> 
An example from my config:
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.5 8000 interface Dialer1 8000
ip nat inside source static tcp 192.168.0.3 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.5 22 interface Dialer1 22

and if you do "sh ip nat trans" you should see:
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.16.252:80  192.168.0.3:80     ---                ---
tcp x.x.16.252:22  192.168.0.5:22     ---                ---
udp x.x.16.252:22  192.168.0.5:22     ---                ---
tcp x.x.16.252:8000 192.168.0.5:8000  ---                ---

During a connection attempt you should see this, for example:
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.16.252:80  192.168.0.3:80     x.x.x.43:1795 x.x.x.43:1795
tcp x.x.16.252:80  192.168.0.3:80     ---                ---
tcp x.x.16.252:22  192.168.0.5:22     ---                ---
udp x.x.16.252:22  192.168.0.5:22     ---                ---
tcp x.x.16.252:8000 192.168.0.5:8000  ---                ---

Do you see any of the previous at all? And when you try to establish a
session, do you see a NAT entry? If you do see a NAT entry, then NAT
is not the issue.
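
The check described above (is the static entry installed, and does a session entry appear during a connection attempt) can be scripted against captured "show ip nat translations" output. This is an added example, not part of the original thread; the function names, verdict labels and sample addresses (documentation ranges) are assumptions.

```python
import re

# Constructed sample in the shape of the output quoted in the thread.
# The last row is wrapped onto two lines, as mail clients often do.
SAMPLE = """\
Pro Inside global         Inside local          Outside local      Outside global
tcp 203.0.113.254:3042  192.168.128.1:3042    198.51.100.1:22    198.51.100.1:22
tcp 203.0.113.254:3389  192.168.128.1:3389    ---                ---
tcp 203.0.113.254:81    192.168.128.129:80    ---                ---
udp 203.0.113.1:50207   192.168.128.160:50207 10.183.1.11:69
10.183.1.11:69
"""

PROTOS = {"tcp", "udp", "icmp"}
FIELD = re.compile(r"^(---|\S+:\d+)$")   # "addr:port" or the "---" placeholder
KEYS = ("proto", "inside_global", "inside_local",
        "outside_local", "outside_global")

def parse_nat_table(text):
    """Parse the table token by token so wrapped rows and repeated
    header lines do not break the result."""
    rows, cur = [], None
    for tok in text.split():
        if tok in PROTOS:
            cur = [tok]
            rows.append(cur)
        elif cur is not None and FIELD.match(tok):
            cur.append(tok)
    return [dict(zip(KEYS, r)) for r in rows if len(r) == 5]

def diagnose(rows, proto, inside_global):
    """Classify one forwarded port, e.g. ("tcp", "203.0.113.254:81")."""
    hits = [r for r in rows
            if r["proto"] == proto and r["inside_global"] == inside_global]
    if not hits:
        return "no-mapping"      # static PAT entry is not installed at all
    if any(r["outside_global"] != "---" for r in hits):
        return "session-seen"    # NAT translated the flow; look elsewhere
    return "static-only"         # entry exists, but no attempt reached NAT

if __name__ == "__main__":
    table = parse_nat_table(SAMPLE)
    for port in ("81", "3389", "3042", "8080"):
        print(port, diagnose(table, "tcp", "203.0.113.254:" + port))
```

A "static-only" verdict taken while a connection attempt is in progress means the SYN never produced an extended entry, so the place to look is in front of NAT (inbound ACLs, the interface's "ip nat outside" marking, upstream filtering) rather than at the inside host.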
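
Gert's point about inverted masks, quoted above, can be checked numerically. This is an added example, not part of the original thread; it models only the address/wildcard comparison of an IOS ACL entry, and the function names are assumptions.

```python
import ipaddress

def _u32(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def acl_matches(addr, base, wildcard):
    """IOS-style comparison: bits set in the wildcard are "don't care";
    every other bit of addr must equal the same bit of base."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def netmask_to_wildcard(netmask):
    """Invert a subnet mask into the wildcard form ACLs expect."""
    return str(ipaddress.IPv4Address(_u32(netmask) ^ 0xFFFFFFFF))

def hosts_matched(subnet, base, wildcard):
    """Count usable hosts of a subnet that an ACL entry would match."""
    net = ipaddress.ip_network(subnet)
    return sum(acl_matches(str(h), base, wildcard) for h in net.hosts())

if __name__ == "__main__":
    inside = "192.168.128.0/24"
    # Entry from the original config: "permit ip 0.0.0.0 255.255.255.0 any".
    # Read as a wildcard, it ignores the first three octets and requires the
    # last octet to be 0, so no usable inside host is selected for NAT.
    print("original :", hosts_matched(inside, "0.0.0.0", "255.255.255.0"))
    # Corrected entry: "permit ip 192.168.128.0 0.0.0.255"
    print("corrected:", hosts_matched(inside, "192.168.128.0",
                                      netmask_to_wildcard("255.255.255.0")))
```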



