4

We are running a few services in our internal network that we would like to expose to the outside world. At first we were having trouble with email, dns, and www. Not sure what happened but email and dns started working all of a sudden.

In regards to www, we are forwarding the traffic to our apache server (192.168.2.15), with the following port forward rule:

ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80

For some reason it's getting routed to another server on the network. We know this due to the firewall of that server burning the request. Is there any way to make these static rules more enforced, and getting the traffic to the right server.

Update

tcp <public>:53       192.168.2.5:53        ---                   ---
tcp <public>:25       192.168.2.10:25       ---                   ---
tcp <public>:465      192.168.2.10:465      ---                   ---
tcp <public>:993      192.168.2.10:993      ---                   ---
--- <public>          192.168.2.5       ---                   ---

NAT Definitions

no ip nat service sip udp port 5060
no ip nat service sip udp port 5080         
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.2.20 5080 interface Dialer0 5080
access-list 130 permit udp any any range 8000 65535
route-map voip-rtp permit 1
match ip address 130
ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp

NAT Trans

tcp public-ip:53       192.168.2.5:53        ---                   ---
tcp public-ip:25       192.168.2.10:25       ---                   ---
tcp public-ip:465      192.168.2.10:465      ---                   ---
tcp public-ip:993      192.168.2.10:993      ---                   ---
--- public-ip          192.168.2.5           ---                   ---

Thanks in Advance,

Nick from Toronto.

Nick Cameo
  • 431
  • 5
  • 11
  • are your providing the full output of "sh ip translations" ? – aseaudi Jan 06 '14 at 23:22
  • After the trans clear, yes. Before the trans clear there is all the sip and rtp routing – Nick Cameo Jan 07 '14 at 14:42
  • have you got all this sorted out? BTW, if a previously selected answer isnt right, go ahead and unselect. We want you to get thr right answer to your problems – Mike Pennington Jan 08 '14 at 12:38
  • Hello Mike, thank you for your time. I don't think the two topics are related even though they are very similar. At first we wanted to find a way to forward a range of UDP ports using a route map. Now, we would like to drop the route map for RTP, and still maintain the port forwarding of the SIP traffic. After a few days of disruptions to our clients, we wanted to let things settle before dropping all nat rules and reinserting them one by one. Sorry for the extended... :) VoIP, email, DNS is up, WWW is down... – Nick Cameo Jan 08 '14 at 19:29

1 Answers1

4

Is there somehow a second port 80 rule? (shouldn't be possible, but I've seen it happen)

show ip nat translations | include ---

Is the arp cache on the router somehow wrong -- i.e. it thinks 2.15 is at a different machine?

show ip arp <inside interface>

And lastly, IOS has, in the past, had significant issues with NAT and dynamic interface addresses. On my cablemodem-feed router, I have to replace the NAT rules with full IP addresses (every time the address changes!) to make it work; the rules won't apply correctly if dhcp is setting the address, or if the address later changes with the interface up. I've never used "interface nat" on the DSL line with a static address.

[UPDATE]

ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp

That is what's causing the error. As you can see in the firewall output, the DST is 2.5, not 2.15. And there's no port 80 translation in the table.

[Further Update]

There is no way to make a Cisco IOS device NAT a UDP port range. It'll work perfectly for TCP, but completely ignores UDP. (nice of Cisco to do that.) If you attempt to use route-maps with an acl that specifies ports, it generates an error matching the acl. (turn on various debug's to see it) Inside destination NAT ignores the UDP part.

Ricky
  • 32,147
  • 2
  • 43
  • 85
  • Hello Ricky, you effort is much appreciated. At first all the services got off on a sluggish start however, I think it's stabilized (but not trustworthy). I have added the result for ip trans, and arp mac addresses all line up (just in case I cleared the linux servers). We have no dhcp on our netowrk. All computers are have static address that have never changed. – Nick Cameo Jan 06 '14 at 21:03
  • I forgot to mention port 80 is still getting routed to the wrong address. The firewall burn of .15: Jan 6 16:14:56 toronto kernel: [2424311.366025] TCP LOGINPUTDROP:: IN=eth1 SRC=66.249.85.51 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=43752 PROTO=TCP SPT=59806 DPT=80 WINDOW=62920 RES=0x00 SYN URGP=0 OPT (020405960402080A36B71B8C0000000001030306). I do have a route map that ranges 8000-65535 shown above on udp. Could this be the problem? – Nick Cameo Jan 06 '14 at 21:21
  • Are you using the same nat command syntax for the rest of translations shown in the table (53, 25, 465, ..)? – aseaudi Jan 06 '14 at 21:43
  • Hello Aseaudi, I posted all the NAT related directives in my original post. Should have done that from the beginning. – Nick Cameo Jan 06 '14 at 21:54
  • 3
    see my update. your rtp setup is messing things up. – Ricky Jan 06 '14 at 22:08
  • Hello Ricky, the second I do a no ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp, the whole voip takes a poop for some reason. I mean everything! SIP and RTP. I have not idea why... Would be interested in knowing how to run cisco in debug mode. Only then will things start making sence to me. How to turn on the various debugs? – Nick Cameo Jan 07 '14 at 01:51
  • could you "clear ip nat trans *" and provide output of "show ip nat translation"? – aseaudi Jan 07 '14 at 02:07
  • Hello aseaudi, I just cleared the trans and the output for show ip trans is in my op above. – Nick Cameo Jan 07 '14 at 02:39
  • If it's like my test system (1841, 15.1.4M7), a reload is required to get a clear NAT table. Your base issue is mixing PAT (per port nat's) and 1:1 NAT (the one causing the problem) -- unless Di0 and public IP are different addresses. – Ricky Jan 07 '14 at 03:18
  • Hello Ricky, thank you for your response. It's a 3820 15.1(4). I probably do need to reload. The problem with that is I need a low peak window. So to recap, drop the route map, clear trans, and reload? I have no idea why 5060 forward would stop working when I drop the RTP range forward. This stumped me, and I abandoned the attempt. – Nick Cameo Jan 07 '14 at 03:42
  • Ricky your suspicions are correct. Without ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp we get WWW however, loose the RTP stream for VoIP (ie, no way audio). Should I just plug in that 80 dollar dlink that had all the services working ;). What about putting the server where we need the rtp in DMZ, and dropping the route map. Not the ideal solution however any help and better suggestions are greatly appreciated. – Nick Cameo Jan 10 '14 at 22:35
  • Use the power of SmartNET, and make Cisco fix their [censored] mistake. I would agree, when a $17 device can do what the $$$$ device cannot, they've failed. – Ricky Jan 10 '14 at 23:45
  • I know it's been a while. After a long time testing different things it seems Ricky Beam was correct again. We did not need the RTP route map block (ie, access-list 130 permit udp any any range 8000 65535). Ricky go ahead and post a comment where you mention that the RTP route map rule was messing things up. It was actually causing CISCO to crash at some point in time. I will mark your answer as correct. – Nick Cameo Nov 25 '14 at 15:22
  • @NickCameo, I did -- long ago. See "update" and "further update" – Ricky Nov 25 '14 at 22:43