Setting up multiple static IPs with NAT

Status
Not open for further replies.

thewrabbit

Technical User
Sep 20, 2002
4
GB
I'm probably missing something blindingly obvious here, but wonder if anyone can help.

Network is

        Router
        /    \
   Server1   vLANs

NAT is in operation. Only the server has a static IP at the moment. We are looking at allowing some servers in the VLANs to have a static IP to allow VPNs (it's a multi-tenant site) in particular and possibly mail servers etc. However, once we set up our test system the VLAN server with the static IP cannot see Server1 and vice versa. We noticed this initially because we suddenly couldn't e-mail addresses hosted on Server1.

The entries below show the NAT translations for the Server1.

ip nat inside source static tcp InternalIP 666 ExternalIP 666 extendable
ip nat inside source static tcp InternalIP 25 ExternalIP 25 extendable
ip nat inside source static tcp InternalIP 40 ExternalIP 40 extendable

The following mappings were added:
ip nat outside source static ExternalIP 10.1.16.2 extendable
ip nat inside source static 10.1.16.2 ExternalIP extendable

Once the second nat translation is put in place the test server cannot see Server 1. Server 1 cannot see the test server at any point.

Thanks for any help or suggestions. What am I missing in the config here...

Regards
 
Which interfaces are inside and which are outside? Have you specified ip nat inside on all of the vLAN interfaces (I assume you are using the router to route between the vLANs).

Are there access-lists configured? Are you logging drops?

HTH,
Michael.
 
Serial interface is outside, ETH0 is inside.

Network is as follows (ascii art warning!)

Internet
   |
 (Ser0) ACL 111
   |
Router ------- Bridge ------ VLANs
 (Eth0) ACL 101

It's probably easier if I post an edited config:
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxx
!
logging buffered 4096 errors
enable password xxxxx
!
interface Ethernet0
! Internal IP address. NB I've blanked it because historically we have some external IPs on our internal range - goes back to when we had ISDN and they've just never been changed. Where one of those IPs is referenced I've altered it to y.y.y.n; our external IPs have been altered to x.x.x.n.
ip address y.y.y.129 255.255.255.0
ip access-group 101 in
no ip directed-broadcast
ip nat inside
ip inspect myfw in
no cdp enable
!
interface Serial0
ip address x.x.x.46 255.255.255.252
ip access-group 111 in
no ip directed-broadcast
ip accounting output-packets
ip nat outside
no cdp enable
!
interface BRI0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
!
interface Dialer1
[Removed historical dialler info]
!
ip nat pool HideRealNumbers y.y.y.0 y.y.y.254 netmask 255.255.255.0
! Some of our assigned IPs, a pool that's used for dynamic NAT translation
ip nat pool ntl x.x.x.145 x.x.x.147 netmask 255.255.255.240
ip nat inside source list 1 pool ntl overload
ip nat inside source static 10.1.16.2 x.x.x.151 extendable
ip nat inside source static tcp y.y.y.184 23 x.x.x.148 23 extendable
ip nat inside source static tcp y.y.y.130 666 x.x.x.148 666 extendable

! This y.y.y.148 address is the bridge that the VLANs go to
ip nat inside source static tcp y.y.y.130 25 y.y.y.148 25 extendable
! Server1
ip nat inside source static tcp y.y.y.130 40 x.x.x.148 40 extendable
ip nat outside source list 1 pool HideRealNumbers
! Test VLAN
ip nat outside source static x.x.x.151 10.1.16.2 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.0.0.0 255.0.0.0 y.y.y.184
!
!
map-class dialer Blobby
dialer idle-timeout 180
dialer fast-idle 15
dialer wait-for-carrier-time 10
access-list 1 permit y.y.y.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit ip y.y.y.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any eq 1723 host x.x.x.151 eq 1723
access-list 101 permit gre any host x.x.x.151
access-list 101 permit gre host 10.1.16.2 any
access-list 101 permit tcp host 10.1.16.2 eq 1723 any eq 1723
access-list 101 permit gre host x.x.x.151 any
access-list 101 permit tcp host x.x.x.151 eq 1723 any eq 1723
access-list 101 permit gre any host 10.1.16.2
access-list 101 permit tcp any eq 1723 host 10.1.16.2 eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any
access-list 111 permit tcp any any eq 40
access-list 111 permit tcp any any eq 666
access-list 111 permit tcp any any eq 4000
access-list 111 permit tcp any eq ftp-data any
access-list 111 permit tcp any any eq telnet
access-list 111 permit gre any host x.x.x.151
access-list 111 permit tcp any eq 1723 host x.x.x.151 eq 1723
access-list 111 permit gre any host 10.1.16.2
access-list 111 permit tcp any eq 1723 host 10.1.16.2 eq 1723
access-list 111 permit gre host x.x.x.151 any
access-list 111 permit gre host 10.1.16.2 any
access-list 111 permit tcp host x.x.x.151 eq 1723 any eq 1723
access-list 111 permit tcp host 10.1.16.2 eq 1723 any eq 1723
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 1723
dialer-list 1 protocol ip permit
no cdp run

--------

VPN works fine - both connecting into the test server, and connecting outwards. However I can't route between the two servers.
 
hmmm, it looks like you need to trunk the vLANs to the router. What kind of bridge are you using? Will it do an 802.1q trunk to the router? Do you have IP+ on the router?

If so, you need to configure a subinterface for each vLAN on the router. Something like:

int e0
no ip address
int e0.1
encapsulation dot1q 1
ip address x.x.x.n 255.255.255.0
int e0.2
encapsulation dot1q 2
ip address y.y.y.n 255.255.255.0

this will allow the router to route between vLANs 1 and 2 (once you have configured a dot1q trunk for e0).

This might be off track though - need to know more about the bridge part of your setup

HTH,
Michael.
 
The bridge is already doing the trunking. This is an established system with 20 VLANs currently running.

I can ping the internal IPs of the two servers. However once the second static IP is in place, particularly when

ip nat inside source static 10.1.16.2 x.x.x.151 ext

is added I can no longer reach Server1 from Test Server by external IP.

Thanks for your help - it's appreciated!
 
I'm not following all the x.x.x.'s and y.y.y.'s but I think this might have to do with internal/external addresses.
We have an internal network with some internal servers that have a different external IP for accessing them from outside our internal network. We cannot reach those servers from inside the network with the external IP, because the router forwards the packet out of the internal network based on the external IP. There is no way for it to turn around and come back into the network.

Our solution was to create a forward lookup zone on our DNS (Win 2000 Server Active Directory). Then the DNS directs traffic to the internal network address before it even gets to the router. This is based on host names and URLs, not IP addresses (which might be possible, but I'm unaware of how to do that).
 
OK, how about adding this to your router:

int loopback 0
ip address 192.168.0.1 255.255.255.255
ip nat outside
!
! host route (/32) for the test server's external address, pointed at the loopback
ip route x.x.x.151 255.255.255.255 loopback 0

HTH,
Michael.
 
Frenchie: Tried adding that, still can't telnet to the external IP address

Gaveeve: yup, that's my solution of last resort. I'm trying to avoid it for a couple of reasons, the main one being that with possibly 6 different servers being set up with static IPs I'd need to talk different server admins into adding all the necessary routes.

Here's some further info - I did a packet and NAT debug over the weekend, then tried to telnet from the test server to Server1:

4d03h: NAT: s=Test Server Internal (10.1.16.2)->Test Server External (x.x.x.151), d=Server1 External (x.x.x.148) [27859]

4d03h: IP: s=Test Server External (x.x.x.151) (Ethernet0), d=Server1 External (x.x.x.148) (Serial0), g=Server1 External (x.x.x.148), len 48, forward
4d03h: TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: NAT: s=Test Server External (x.x.x.151)->Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148) [27859]
4d03h: NAT: s=Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148)->Server1 Internal (y.y.y.130) [27859]

4d03h: IP: s=Test Server Internal (10.1.16.2) (Serial0), d=Server1 Internal (y.y.y.130) (Ethernet0), g=Server1 Internal (y.y.y.130), len 48, forward
4d03h: TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: IP: s=Server1 Internal (y.y.y.130) (Ethernet0), d=Test Server Internal (10.1.16.2) (Ethernet0), len 44, redirected
4d03h: TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN

4d03h: IP: s=Server1 Internal (y.y.y.130) (Ethernet0), d=Test Server Internal (10.1.16.2) (Ethernet0), g=Bridge Internal (y.y.y.184), len 44, forward
4d03h: TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN

4d03h: NAT: s=Test Server Internal (10.1.16.2)->Test Server External (x.x.x.151), d=Server1 External (x.x.x.148) [27994]

4d03h: IP: s=Test Server External (x.x.x.151) (Ethernet0), d=Server1 External (x.x.x.148) (Serial0), g=Server1 External (x.x.x.148), len 48, forward
4d03h: TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: NAT: s=Test Server External (x.x.x.151)->Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148) [27994]

4d03h: NAT: s=Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148)->Server1 Internal (y.y.y.130) [27994]

4d03h: IP: s=Test Server Internal (10.1.16.2) (Serial0), d=Server1 Internal (y.y.y.130) (Ethernet0), g=Server1 Internal (y.y.y.130), len 48, forward
4d03h: TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: NAT: s=Test Server Internal (10.1.16.2)->Test Server External (x.x.x.151), d=Server1 External (x.x.x.148) [28029]

4d03h: IP: s=Test Server External (x.x.x.151) (Ethernet0), d=Server1 External (x.x.x.148) (Serial0), g=Server1 External (x.x.x.148), len 48, forward
4d03h: TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: NAT: s=Test Server External (x.x.x.151)->Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148) [28029]

4d03h: NAT: s=Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148)->Server1 Internal (y.y.y.130) [28029]

4d03h: IP: s=Test Server Internal (10.1.16.2) (Serial0), d=Server1 Internal (y.y.y.130) (Ethernet0), g=Server1 Internal (y.y.y.130), len 48, forward
4d03h: TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: IP: s=Server1 Internal (y.y.y.130) (Ethernet0), d=y.y.y.255 (Ethernet0), len 236,rcvd 3
4d03h: UDP src=138, dst=138

4d03h: IP: s=Server1 External (x.x.x.148) (local), d=Test Server Internal (10.1.16.2) (Ethernet0), len 40, sending
4d03h: TCP src=25, dst=18155, seq=0, ack=0, win=64240 RST
 
It seems that the two hosts are not completing the 3-way handshake. You can see Test Server send a SYN and Server 1 reply with a SYN ACK, but there is no ACK from Test Server. This can be seen from this portion of the debug:

Code:
4d03h: NAT: s=Test Server Internal (10.1.16.2)->Test Server External (x.x.x.151), d=Server1 External (x.x.x.148) [27859]

4d03h: IP: s=Test Server External (x.x.x.151) (Ethernet0), d=Server1 External (x.x.x.148) (Serial0), g=Server1 External (x.x.x.148), len 48, forward
4d03h:     TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: NAT: s=Test Server External (x.x.x.151)->Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148) [27859]
4d03h: NAT: s=Test Server Internal (10.1.16.2), d=Server1 External (x.x.x.148)->Server1 Internal (y.y.y.130) [27859]

4d03h: IP: s=Test Server Internal (10.1.16.2) (Serial0), d=Server1 Internal (y.y.y.130) (Ethernet0), g=Server1 Internal (y.y.y.130), len 48, forward
4d03h:     TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN

4d03h: IP: s=Server1 Internal (y.y.y.130) (Ethernet0), d=Test Server Internal (10.1.16.2) (Ethernet0), len 44, redirected
4d03h:     TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN

4d03h: IP: s=Server1 Internal (y.y.y.130) (Ethernet0), d=Test Server Internal (10.1.16.2) (Ethernet0), g=Bridge Internal (y.y.y.184), len 44, forward
4d03h:     TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN

This process repeats a couple more times. My guess is that Test Server is rejecting the ACK SYN because the packet source address is y.y.y.130, not x.x.x.148 (the address that it sent a SYN packet to). This would seem to indicate that you need to add another NAT translation.

I would tell you what it needs to be except that my brain hurts - I think you broke it with the x.x.x and y.y.y ;)

Also notice that there is an ICMP redirect:

Code:
4d03h: IP: s=Server1 Internal (y.y.y.130) (Ethernet0), d=Test Server Internal (10.1.16.2) (Ethernet0), len 44, redirected
4d03h:     TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN

It is hard to tell exactly which host was sent the redirect, but the router may be telling the bridge to send future packets destined for Server 1 to the IP address of the bridge. This happens when a router accepts a packet on one interface and sends it to another address on the same interface. It is trying to tell the sending host to use a different default gateway (closer to the destination).

I would be looking at putting:
Code:
ip nat inside source static y.y.y.130 x.x.x.148

in addition to the other NAT rules. This may very well fix your problem.

If this doesn't work you might want to look at using the router to route between the vLANs. Start by trunking a couple new ones up to the router and adding the appropriate sub-interfaces, this way you can leave the existing vLANs in place while you test the new ones.

HTH,
Michael.
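A way to check a trace like this mechanically, as an added example that is not code from the thread: the script parses `debug ip packet` / `debug ip nat` lines, pairs each IP header with its TCP line, and for every connection compares the address the client sent its SYN to with the source address of the SYN-ACK that was actually forwarded back to it, which is the mismatch Michael points out above. It also counts SYN retransmissions and notes ICMP redirects and resets. The sample trace is constructed in the debug format shown above; 10.1.16.2 is the test server as in the thread, while the 198.51.100.x, 192.0.2.x and 203.0.113.x documentation prefixes stand in for x.x.x.n and y.y.y.n and for a remote host.

```python
"""Check the TCP handshakes in Cisco 'debug ip packet' + 'debug ip nat' output for the
failure discussed in this thread: the client sends its SYN to the server's external
address, but the SYN-ACK forwarded back to it comes from the server's internal address,
so the client never matches the reply and never sends the final ACK.
Added example, not code from the thread. The trace below is constructed in IOS debug
format with documentation prefixes standing in for the thread's x.x.x.n and y.y.y.n."""
import re

NAT_RE = re.compile(r"NAT: s=(\S+?)(?:->(\S+))?, d=(\S+?)(?:->(\S+))? \[\d+\]")
IP_RE = re.compile(r"IP: s=(\S+) \((\w+)\), d=(\S+) \((\w+)\)(.*)$")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=\d+, ack=\d+, win=\d+ (.*)$")

SAMPLE = """\
4d03h: NAT: s=10.1.16.2->198.51.100.151, d=198.51.100.148 [27859]
4d03h: IP: s=198.51.100.151 (Ethernet0), d=198.51.100.148 (Serial0), g=198.51.100.148, len 48, forward
4d03h:     TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN
4d03h: NAT: s=198.51.100.151->10.1.16.2, d=198.51.100.148 [27859]
4d03h: NAT: s=10.1.16.2, d=198.51.100.148->192.0.2.130 [27859]
4d03h: IP: s=10.1.16.2 (Serial0), d=192.0.2.130 (Ethernet0), g=192.0.2.130, len 48, forward
4d03h:     TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN
4d03h: IP: s=192.0.2.130 (Ethernet0), d=10.1.16.2 (Ethernet0), len 44, redirected
4d03h:     TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN
4d03h: IP: s=192.0.2.130 (Ethernet0), d=10.1.16.2 (Ethernet0), g=192.0.2.184, len 44, forward
4d03h:     TCP src=25, dst=18155, seq=87121, ack=3701288039, win=8760 ACK SYN
4d03h: NAT: s=10.1.16.2->198.51.100.151, d=198.51.100.148 [27994]
4d03h: IP: s=198.51.100.151 (Ethernet0), d=198.51.100.148 (Serial0), g=198.51.100.148, len 48, forward
4d03h:     TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN
4d03h: NAT: s=198.51.100.151->10.1.16.2, d=198.51.100.148 [27994]
4d03h: NAT: s=10.1.16.2, d=198.51.100.148->192.0.2.130 [27994]
4d03h: IP: s=10.1.16.2 (Serial0), d=192.0.2.130 (Ethernet0), g=192.0.2.130, len 48, forward
4d03h:     TCP src=18155, dst=25, seq=3701288038, ack=0, win=64240 SYN
4d03h: IP: s=198.51.100.148 (local), d=10.1.16.2 (Ethernet0), len 40, sending
4d03h:     TCP src=25, dst=18155, seq=0, ack=0, win=64240 RST
4d03h: NAT: s=10.1.16.2->198.51.100.151, d=203.0.113.10 [30001]
4d03h: IP: s=198.51.100.151 (Ethernet0), d=203.0.113.10 (Serial0), g=198.51.100.45, len 48, forward
4d03h:     TCP src=18200, dst=25, seq=1000, ack=0, win=64240 SYN
4d03h: NAT: s=203.0.113.10, d=198.51.100.151->10.1.16.2 [30002]
4d03h: IP: s=203.0.113.10 (Serial0), d=10.1.16.2 (Ethernet0), g=192.0.2.184, len 44, forward
4d03h:     TCP src=25, dst=18200, seq=5000, ack=1001, win=8760 ACK SYN
4d03h: NAT: s=10.1.16.2->198.51.100.151, d=203.0.113.10 [30003]
4d03h: IP: s=198.51.100.151 (Ethernet0), d=203.0.113.10 (Serial0), g=198.51.100.45, len 40, forward
4d03h:     TCP src=18200, dst=25, seq=1001, ack=5001, win=64240 ACK
"""

def verdict(rec):
    if rec["ack_seen"]:
        return "handshake completed"
    if rec["synack_from"] and rec["synack_from"] != rec["sent_to"]:
        return ("asymmetric translation: SYN sent to %s but SYN-ACK delivered from %s"
                % (rec["sent_to"], rec["synack_from"]))
    if rec["synack_from"] is None:
        return "no SYN-ACK forwarded to the client"
    return "SYN-ACK delivered but no ACK from the client"

def analyse(lines):
    """Return {(client_port, server_port): record} for every TCP flow in the trace."""
    flows, nat_orig, pending = {}, None, None
    for line in lines:
        m = NAT_RE.search(line)
        if m:                     # first NAT line of a run shows the header as received
            nat_orig = nat_orig or (m.group(1), m.group(3))
            continue
        m = IP_RE.search(line)
        if m:                     # IP line: remember it until its TCP line arrives
            src, _iif, dst, _oif, rest = m.groups()
            action = rest.rsplit(",", 1)[-1].split()[0]   # forward / redirected / sending / rcvd
            pending, nat_orig = (src, dst, action, nat_orig), None
            continue
        m = TCP_RE.search(line)
        if not (m and pending):
            continue
        (src, dst, action, orig), pending = pending, None
        sport, dport, flags = int(m.group(1)), int(m.group(2)), set(m.group(3).split())
        if flags == {"SYN"}:                              # client opens the connection
            orig = orig or (src, dst)
            rec = flows.setdefault((sport, dport), {
                "sent_from": orig[0], "sent_to": orig[1], "syn_attempts": 0,
                "synack_from": None, "ack_seen": False, "rst_seen": False, "redirect_seen": False})
            # a packet is logged once per translation stage; only the copy whose pre-NAT header
            # is the client's own counts as a new attempt
            rec["syn_attempts"] += orig == (rec["sent_from"], rec["sent_to"])
        elif flags == {"SYN", "ACK"} and (dport, sport) in flows:   # server replies
            rec = flows[(dport, sport)]
            if action == "redirected":                    # router issued an ICMP redirect
                rec["redirect_seen"] = True
            elif action == "forward":                     # the copy that reaches the client
                rec["synack_from"] = src
        elif flags == {"ACK"} and (sport, dport) in flows:          # client completes it
            flows[(sport, dport)]["ack_seen"] = True
        elif "RST" in flags and (dport, sport) in flows:
            flows[(dport, sport)]["rst_seen"] = True
    for rec in flows.values():
        rec["verdict"] = verdict(rec)
    return flows

if __name__ == "__main__":
    for key, rec in analyse(SAMPLE.splitlines()).items():
        print(key, rec["syn_attempts"], "SYN(s),", rec["verdict"])
```

Run as-is it reports the test-server flow as an asymmetric translation (SYN sent to 198.51.100.148, SYN-ACK from 192.0.2.130, two SYN attempts, redirect and reset seen) next to a healthy NAT-overload flow that completes; to use it on a router, replace SAMPLE with the buffered log output.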
 