Cisco 881 losing NAT NVI translation config after reload

Posted by MasterRoot24 on Server Fault
Published on 2012-12-11T22:14:04Z Indexed on 2012/12/11 23:05 UTC


This is a weird one, so I'll try to explain in as much detail as I can so I'm giving the whole picture.

As I've mentioned in my other questions, I'm in the process of setting up a new Cisco 881 as my WAN router and NAT firewall. I'm facing an issue where NAT NVI rules that I have configured are not enabled after a reload of the router, regardless of the fact that they are present in the startup-config.

In order to clarify this a little, here's the relevant section of my current running-config:

Router1#show running-config | include nat source
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.x 1723 interface FastEthernet4 1723
ip nat source static tcp 192.168.1.x 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.x 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.x 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.x 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.x 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.x 993 interface FastEthernet4 993

...and here are the mappings 'in action':

Router1#show ip nat nvi translations | include ---
tcp <WAN IP>:25    192.168.1.x:25        ---                   ---
tcp <WAN IP>:80    192.168.1.x:80        ---                   ---
tcp <WAN IP>:143   192.168.1.x:143       ---                   ---
tcp <WAN IP>:443   192.168.1.x:443       ---                   ---
tcp <WAN IP>:587   192.168.1.x:587       ---                   ---
tcp <WAN IP>:993   192.168.1.x:993       ---                   ---
tcp <WAN IP>:1723  192.168.1.x:1723      ---                   ---

...and here's proof that the mappings are saved to startup-config:

Router1#show startup-config | include nat source
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.x 1723 interface FastEthernet4 1723
ip nat source static tcp 192.168.1.x 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.x 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.x 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.x 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.x 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.x 993 interface FastEthernet4 993

However, look what happens after a reload of the router:

Router1#reload

Proceed with reload? [confirm]Connection to router closed by remote host.
Connection to router closed.
$ ssh joe@router
Password: 

Authorized Access only 

Router1>en
Password: 
Router1#show ip nat nvi translations | include ---
Router1#

Router1#show ip nat translations | include ---    
tcp 188.222.181.173:25    192.168.1.2:25        ---                   ---
tcp 188.222.181.173:80    192.168.1.2:80        ---                   ---
tcp 188.222.181.173:143   192.168.1.2:143       ---                   ---
tcp 188.222.181.173:443   192.168.1.2:443       ---                   ---
tcp 188.222.181.173:587   192.168.1.2:587       ---                   ---
tcp 188.222.181.173:993   192.168.1.2:993       ---                   ---
tcp 188.222.181.173:1723  192.168.1.2:1723      ---                   ---
Router1#

Here's proof that the running config should have the mappings set up as NVI:

Router1#show running-config | include nat source        
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993

At this point, the mappings are not working (inbound connections from the WAN on the HTTP/IMAP ports fail). I presume that this is because my interfaces are using ip nat enable for use with NVI mappings, instead of ip nat inside/outside.

So, I re-apply the mappings:

Router1#configure ter
Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
Router1(config)#ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
Router1(config)#ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
Router1(config)#ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
Router1(config)#ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
Router1(config)#ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
Router1(config)#ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
Router1(config)#end

... then they show up correctly:

Router1#show ip nat nvi translations | include ---
tcp 188.222.181.173:25    192.168.1.2:25        ---                   ---
tcp 188.222.181.173:80    192.168.1.2:80        ---                   ---
tcp 188.222.181.173:143   192.168.1.2:143       ---                   ---
tcp 188.222.181.173:443   192.168.1.2:443       ---                   ---
tcp 188.222.181.173:587   192.168.1.2:587       ---                   ---
tcp 188.222.181.173:993   192.168.1.2:993       ---                   ---
tcp 188.222.181.173:1723  192.168.1.2:1723      ---                   ---
Router1#
Router1#show ip nat translations | include ---    
Router1#

... furthermore, from both WAN and LAN, the services mapped above now work until the next reload. All of the above is required every time I have to reload the router (which is all too often at the moment :-( ).

Here's my full current config:

!
! Last configuration change at 20:20:15 UTC Tue Dec 11 2012 by xxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-xxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxx
 revocation-check none
 rsakeypair TP-self-signed-xxx
!
!
crypto pki certificate chain TP-self-signed-xxx
 certificate self-signed 01
  xxx
    quit
ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain list dmz.xxx.local
ip domain list xxx.local
ip domain name dmz.xxx.local
ip name-server 192.168.1.x
ip cef
login block-for 3 attempts 3 within 3
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxx
!
!
username admin privilege 15 secret 4 xxx
username joe secret 4 xxx
!
!
!
!
!
ip ssh time-out 60
! 
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip access-group 101 in
 ip nat enable
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
!
interface Vlan2
 ip address 192.168.0.x 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.x 1723 interface FastEthernet4 1723
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp 193.x.x.0 0.0.0.255 any eq 5060
access-list 101 deny   udp any any eq 5060
access-list 101 permit ip any any
!
!
!
!
control-plane
!
!
banner motd 
Authorized Access only

!
line con 0
 exec-timeout 15 0
 login authentication local_auth
line aux 0
 exec-timeout 15 0
 login authentication local_auth
line vty 0 4
 access-class 2 in
 login authentication local_auth
 length 0
 transport input all
!
!
end

I'd appreciate it greatly if anyone can help me find out why these mappings are not setup correctly using the saved config after a reload.
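Added example (not part of the original question, and not Cisco's or the poster's code): a post-reload check for the situation described above. The static `ip nat source static` lines are exactly the services this router exposes from the WAN to 192.168.1.2, so after every reload a practitioner wants two answers: which configured mappings are missing from the NVI table (and whether they landed in the legacy `show ip nat translations` table instead, as in the post), and which NVI entries exist that the config does not account for. IOS does not run Python, so this runs on an admin host against captured CLI output; the row formats in the regexes are assumed from the output shown in the post, and the sample captures are constructed, with 203.0.113.10 standing in for the WAN address.

```python
"""Post-reload check for Cisco IOS NVI static NAT mappings (added example).

Run on an admin host against captured output of:
  show running-config | include nat source
  show ip nat nvi translations
  show ip nat translations
The row formats assumed below are taken from the post; sample data is constructed.
"""
import re

# ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
STATIC_RE = re.compile(
    r"^ip nat source static (?P<proto>tcp|udp) (?P<inside>\S+) (?P<iport>\d+) "
    r"interface (?P<iface>\S+) (?P<oport>\d+)$"
)
# tcp 203.0.113.10:80    192.168.1.2:80        ---                   ---
# (static entries carry '---' in the outside-source columns)
TRANS_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<glob>\S+):(?P<gport>\d+)\s+"
    r"(?P<local>\S+):(?P<lport>\d+)\s+---\s+---$"
)


def parse_static_mappings(config_text):
    """{(proto, inside_ip, inside_port): (interface, outside_port)} from config lines."""
    mappings = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:  # 'ip nat source list ... overload' lines deliberately do not match
            mappings[(m["proto"], m["inside"], int(m["iport"]))] = (m["iface"], int(m["oport"]))
    return mappings


def parse_translations(show_text):
    """Set of (proto, local_ip, local_port) static rows from a 'show ... translations' capture."""
    rows = set()
    for line in show_text.splitlines():
        m = TRANS_RE.match(line.strip())
        if m:  # prompt lines and dynamic entries are skipped
            rows.add((m["proto"], m["local"], int(m["lport"])))
    return rows


def missing_nvi_mappings(config_text, nvi_text, legacy_text=""):
    """Configured static mappings that are absent from the NVI table.

    Each result is (proto, inside_ip, inside_port, interface, outside_port, where);
    `where` is "legacy" when the entry sits in `show ip nat translations` instead
    (the post-reload symptom described above) and "absent" when it is in neither table.
    """
    configured = parse_static_mappings(config_text)
    nvi = parse_translations(nvi_text)
    legacy = parse_translations(legacy_text)
    missing = []
    for key, (iface, oport) in sorted(configured.items()):
        if key in nvi:
            continue
        where = "legacy" if key in legacy else "absent"
        missing.append(key + (iface, oport, where))
    return missing


def unexpected_nvi_entries(config_text, nvi_text):
    """Static NVI rows with no matching config line: exposure you did not configure."""
    configured = parse_static_mappings(config_text)
    return sorted(parse_translations(nvi_text) - set(configured))


def reapply_commands(missing):
    """The config-mode lines to re-enter, one per missing mapping."""
    return [
        f"ip nat source static {proto} {ip} {iport} interface {iface} {oport}"
        for proto, ip, iport, iface, oport, _ in missing
    ]


# Constructed sample captures, modelled on the post's output (WAN address is a placeholder).
SAMPLE_CONFIG = """\
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
"""
SAMPLE_NVI_AFTER_RELOAD = "Router1#show ip nat nvi translations | include ---\n"  # empty table
SAMPLE_LEGACY_AFTER_RELOAD = """\
tcp 203.0.113.10:80    192.168.1.2:80        ---                   ---
tcp 203.0.113.10:443   192.168.1.2:443       ---                   ---
"""

if __name__ == "__main__":
    gaps = missing_nvi_mappings(SAMPLE_CONFIG, SAMPLE_NVI_AFTER_RELOAD, SAMPLE_LEGACY_AFTER_RELOAD)
    for entry in gaps:
        print("missing from NVI table:", entry)
    print("\n".join(reapply_commands(gaps)))
```

With the constructed captures the check reports port 25 as absent from both tables and ports 80 and 443 as having landed in the legacy table, and prints the three `ip nat source static` lines to paste back in. Feeding it the capture taken after the manual re-apply (entries present in the NVI table) returns nothing, which is the state to expect once the underlying reload problem is solved.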
