Mailing List Archive

[nsp] NAT Issue
Hello all,

Here is the situation;


  web server
  192.168.0.2/24 ----+
                     |                 Cisco 1605R
                     |            +-----------------+
                     +---- .1/24  |       NAT       |  172.16.158.2/30 ----
                     |            +-----------------+
  client             |
  192.168.0.10/24 ---+

Anyone coming from the outside and telnetting to the router's outside IP via
port 80 is successful in attaining access to it. Web server is up and
running.

Here is the issue:

1) The client puts 172.16.158.2 in its Internet Explorer browser and gets
page cannot be displayed. This is from the workstation on the LAN.

2) From the router if you do an extended traceroute to the target of
192.168.0.2 sourcing from 172.16.158.2 it gets timed out.

3) Here is the config on the router:


!
version 11.2
no service finger
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Router
!
enable password cisco
!
username hagop password 0 hagop
no ip source-route
no ip subnet-zero
ip nat translation timeout 3600
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.2 80 172.16.158.2 80 extendable
!
interface Ethernet0
description LAN (Internal)
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip directed-broadcast
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Ethernet1
description PtP to access router
ip address 172.16.158.2 255.255.255.252
no ip redirects
no ip directed-broadcast
no ip proxy-arp
ip nat outside
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.158.1
access-list 1 permit 192.168.0.0 0.0.0.255
!
no cdp run
!
line con 0
line vty 0 4
!
end

Any help would greatly be appreciated.
thanks
Hagop
RE: [nsp] NAT Issue
Hagop,

I don't know if somebody answered this already. It's difficult to
quickly tell what's wrong without seeing the routing tables and
translation tables but I have two suggestions. Firstly enable "ip
subnet-zero" and secondly change access-list 1 to exclude your web
server from the PAT translation source-list.
HTH,
Marcus.

-----Original Message-----
From: Hagop Karaoghlanian [mailto:hkaraoghlanian@corp.attcanada.ca]
Sent: 29 August 2002 11:10
To: 'cisco-nsp@puck.nether.net'
Subject: [nsp] NAT Issue
Importance: High


[nsp] NAT issue
Hi all,


I have configured dynamic NAT on my router. It is working perfectly fine but
only problem with "Yahoo Messenger" and some SSL sites. Also Hotmail mailbox not opening.
If I do it from Proxy it is working perfectly.

Any clue ??????


with regards
Tejal
Re: [nsp] NAT issue
* tejal.shah@surat.iqara.net (Tejal Shah) [Sun 01 Sep 2002, 11:57 CEST]:
> I have configured dynamic NAT on my router. It is working perfectly fine
> but only problem with "Yahoo Messenger" and some SSL sites. Also Hotmail
> mailbox not opening. If I do it from Proxy it is working perfectly.
>
> Any clue ??????

MTU problems. Don't block ICMP Fragmentation Needed packets.


-- Niels.

--
Aug 12 21:22:27 snowcrash ntpd[184]: time reset 6.666601 s
Coincidence? I think not!
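
An added illustration of the reply above (not part of the original thread): a small Python model of Path MTU Discovery, showing why small packets get through while full-size packets with DF set vanish once ICMP Fragmentation Needed (type 3, code 4) is filtered on the return path. The hop names and MTU values are constructed for the example.

```python
"""Constructed model of Path MTU Discovery across a link with a reduced MTU."""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int                               # largest IP packet the outgoing link carries
    blocks_icmp_frag_needed: bool = False  # filter that drops ICMP type 3 code 4


def send(path, size, df=True):
    """Forward one IP packet of `size` bytes from the sender along `path`.

    Returns ("delivered", None), ("frag_needed", mtu) when the sender receives
    the ICMP error, or ("blackholed", None) when the packet is dropped and the
    ICMP error is filtered before it reaches the sender.
    """
    for i, hop in enumerate(path):
        if size <= hop.mtu or not df:
            continue  # fits, or the router may fragment it
        # DF set and too big: this hop drops the packet and sends ICMP 3/4
        # back through every earlier hop toward the sender.
        if any(h.blocks_icmp_frag_needed for h in path[:i]):
            return ("blackholed", None)
        return ("frag_needed", hop.mtu)
    return ("delivered", None)


def pmtud(path, first_size=1500, max_tries=5):
    """Sender-side PMTUD: shrink to the advertised MTU on each ICMP error."""
    size = first_size
    for _ in range(max_tries):
        status, mtu = send(path, size)
        if status == "delivered":
            return size
        if status == "blackholed":
            return None  # retransmissions of the same size vanish as well
        size = mtu
    return None


# Constructed paths: a NAT router in front of an access link with a 1492-byte MTU.
PATH_ICMP_ALLOWED = [Hop("nat-router", 1500), Hop("access-link", 1492)]
PATH_ICMP_FILTERED = [Hop("nat-router", 1500, True), Hop("access-link", 1492)]

if __name__ == "__main__":
    print("ICMP allowed :", pmtud(PATH_ICMP_ALLOWED))       # sender settles on 1492
    print("ICMP filtered:", pmtud(PATH_ICMP_FILTERED))      # None: black hole
    print("small packet :", send(PATH_ICMP_FILTERED, 576))  # still delivered
```

With the filter in place, short exchanges (connection setup, small requests) still succeed, which is why the symptom shows up only for some applications and sites.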