Cisco 881 losing NAT NVI translation config after reload
Posted by MasterRoot24 on Server Fault
Published on 2012-12-11T22:14:04Z
This is a weird one, so I'll try to explain in as much detail as I can so I'm giving the whole picture.
As I've mentioned in my other questions, I'm in the process of setting up a new Cisco 881 as my WAN router and NAT firewall. I'm facing an issue where NAT NVI rules that I have configured are not enabled after a reload of the router, regardless of the fact that they are present in the startup-config.
In order to clarify this a little, here's the relevant section of my current running-config:
Router1#show running-config | include nat source
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.x 1723 interface FastEthernet4 1723
ip nat source static tcp 192.168.1.x 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.x 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.x 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.x 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.x 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.x 993 interface FastEthernet4 993
...and here are the mappings 'in action':
Router1#show ip nat nvi translations | include ---
tcp <WAN IP>:25 192.168.1.x:25 --- ---
tcp <WAN IP>:80 192.168.1.x:80 --- ---
tcp <WAN IP>:143 192.168.1.x:143 --- ---
tcp <WAN IP>:443 192.168.1.x:443 --- ---
tcp <WAN IP>:587 192.168.1.x:587 --- ---
tcp <WAN IP>:993 192.168.1.x:993 --- ---
tcp <WAN IP>:1723 192.168.1.x:1723 --- ---
...and here's proof that the mappings are saved to startup-config:
Router1#show startup-config | include nat source
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.x 1723 interface FastEthernet4 1723
ip nat source static tcp 192.168.1.x 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.x 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.x 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.x 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.x 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.x 993 interface FastEthernet4 993
However, look what happens after a reload of the router:
Router1#reload
Proceed with reload? [confirm]Connection to router closed by remote host.
Connection to router closed.
$ ssh joe@router
Password:
Authorized Access only
Router1>en
Password:
Router1#show ip nat nvi translations | include ---
Router1#
Router1#show ip nat translations | include ---
tcp 188.222.181.173:25 192.168.1.2:25 --- ---
tcp 188.222.181.173:80 192.168.1.2:80 --- ---
tcp 188.222.181.173:143 192.168.1.2:143 --- ---
tcp 188.222.181.173:443 192.168.1.2:443 --- ---
tcp 188.222.181.173:587 192.168.1.2:587 --- ---
tcp 188.222.181.173:993 192.168.1.2:993 --- ---
tcp 188.222.181.173:1723 192.168.1.2:1723 --- ---
Router1#
Here's proof that the running config should have the mappings set up as NVI:
Router1#show running-config | include nat source
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
At this point, the mappings are not working (inbound connections from WAN on the HTTP/IMAP fail). I presume that this is because my interfaces are using ip nat enable for use with NVI mappings, instead of ip nat inside/outside.
So, I re-apply the mappings:
Router1#configure ter
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
Router1(config)#ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
Router1(config)#ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
Router1(config)#ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
Router1(config)#ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
Router1(config)#ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
Router1(config)#ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
Router1(config)#end
... then they show up correctly:
Router1#show ip nat nvi translations | include ---
tcp 188.222.181.173:25 192.168.1.2:25 --- ---
tcp 188.222.181.173:80 192.168.1.2:80 --- ---
tcp 188.222.181.173:143 192.168.1.2:143 --- ---
tcp 188.222.181.173:443 192.168.1.2:443 --- ---
tcp 188.222.181.173:587 192.168.1.2:587 --- ---
tcp 188.222.181.173:993 192.168.1.2:993 --- ---
tcp 188.222.181.173:1723 192.168.1.2:1723 --- ---
Router1#
Router1#show ip nat translations | include ---
Router1#
... furthermore, now from both WAN and LAN, the services mapped above now work until the next reload. All of the above is required every time I have to reload the router (which is all too often at the moment :-( ).
Here's my full current config:
!
! Last configuration change at 20:20:15 UTC Tue Dec 11 2012 by xxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxx
!
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
xxx
quit
ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain list dmz.xxx.local
ip domain list xxx.local
ip domain name dmz.xxx.local
ip name-server 192.168.1.x
ip cef
login block-for 3 attempts 3 within 3
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxx
!
!
username admin privilege 15 secret 4 xxx
username joe secret 4 xxx
!
!
!
!
!
ip ssh time-out 60
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip nat enable
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
!
interface Vlan2
ip address 192.168.0.x 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.x 1723 interface FastEthernet4 1723
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp 193.x.x.0 0.0.0.255 any eq 5060
access-list 101 deny udp any any eq 5060
access-list 101 permit ip any any
!
!
!
!
control-plane
!
!
banner motd
Authorized Access only
!
line con 0
exec-timeout 15 0
login authentication local_auth
line aux 0
exec-timeout 15 0
login authentication local_auth
line vty 0 4
access-class 2 in
login authentication local_auth
length 0
transport input all
!
!
end
I'd appreciate it greatly if anyone can help me find out why these mappings are not set up correctly using the saved config after a reload.
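A check for the condition described in the post, added here as an example and not part of the original question: it compares the `ip nat source static` lines in a saved config against the output of `show ip nat nvi translations` and `show ip nat translations`, and reports rules that landed in the legacy table instead of the NVI table. The function names and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import re

# Constructed sample input modelled on the output in the post; 203.0.113.10
# is a documentation address standing in for the WAN IP.
RUNNING_CONFIG = """\
ip nat source list 1 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
"""
NVI_AFTER_RELOAD = ""  # constructed: the NVI table was empty after the reload
LEGACY_AFTER_RELOAD = """\
tcp 203.0.113.10:25 192.168.1.2:25 --- ---
tcp 203.0.113.10:80 192.168.1.2:80 --- ---
tcp 203.0.113.10:443 192.168.1.2:443 --- ---
"""

STATIC_RE = re.compile(
    r"^ip nat source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)\s*$", re.M)
ENTRY_RE = re.compile(
    r"^(tcp|udp)\s+\S+:(\d+)\s+(\S+):(\d+)\s+---\s+---\s*$", re.M)

def configured_statics(config):
    """Return {(proto, inside_ip, inside_port, outside_port)} from config text."""
    return {(p, ip, int(lp), int(gp)) for p, ip, lp, gp in STATIC_RE.findall(config)}

def table_statics(output):
    """Return the same tuple shape parsed from a translation table listing."""
    return {(p, ip, int(lp), int(gp)) for p, gp, ip, lp in ENTRY_RE.findall(output)}

def audit(config, nvi_output, legacy_output):
    """Classify each configured NVI static rule by the table it landed in."""
    nvi, legacy = table_statics(nvi_output), table_statics(legacy_output)
    report = {"ok": [], "in_legacy_table": [], "missing": []}
    for rule in sorted(configured_statics(config)):
        if rule in nvi:
            report["ok"].append(rule)
        elif rule in legacy:
            report["in_legacy_table"].append(rule)
        else:
            report["missing"].append(rule)
    return report

if __name__ == "__main__":
    for state, rules in audit(RUNNING_CONFIG, NVI_AFTER_RELOAD, LEGACY_AFTER_RELOAD).items():
        for proto, ip, lport, gport in rules:
            print(f"{state:16} {proto} {ip}:{lport} <- outside port {gport}")
```

Run after every reload, a non-empty `in_legacy_table` or `missing` list flags that the published services are not being translated the way the saved config says.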