Forum Discussion
xeltros
Jan 22, 2014, Apprentice
Cisco firewall before RN104.
Hi guys, I know this forum is for readyNAS but I struggle configuring CISCO NAT to provide external access to my ReadyNAS. I was wondering if someone could be of some help here. I bought a cheap s...
xeltros
Feb 10, 2014, Apprentice
For the firewall, yes my usage is pretty basic: I am to use HTTP(S)/(s)FTP/SSH mainly, maybe a little bit of DNS. I will also need the VPN (L2TP/IPSec on the router) to pass through. Anything more evolved than that will be filtered via VPN credentials only (once connected you get full access). I'd just like to filter a little bit and practice Cisco doing it. I'm giving up the IPS feature because, having a second-hand router, I don't have the account it was registered with and the router's memory/CPU is limited, but it would have been nice.
I'm testing out the NAS command from this conf (the same you already read, except I added descriptions to the interfaces and there is no NAT except the inside/outside interface definitions):
Building configuration...
Current configuration : 1526 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname kerberos
!
boot-start-marker
boot-end-marker
!
enable secret 5 SECRET
!
aaa new-model
!
!
!
!
aaa session-id common
!
!
ip cef
!
!
!
!
no ip domain lookup
ip domain name kerberos.mydomain.fr
!
multilink bundle-name authenticated
!
!
!
username xeltros secret 5 SECRET
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description INTERNET (bad guys)
ip address 192.168.0.10 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description VLAN10 (VPN) dedicaced interface
switchport access vlan 10
!
interface FastEthernet2
description VLAN172 (DMZ) dedicaced interface
switchport access vlan 172
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
no ip address
!
interface Vlan10
description future VPN (good distant guys)
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan172
description DMZ (good protected guys)
ip address 172.16.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
end
I'll send raw results to avoid any error from my side.
IP NAT detailed debugging is on (activated after sending the conf)
I do a full router reload between each configuration to be sure to start on the clean conf above.
With no NAT (witness config)
I will only be testing NAT on the other configs, since basic IP shouldn't be disturbed much by NAT only.
FROM ROUTER :
ping 192.168.0.1 (internet gateway) => OK
ping 172.16.0.200 (NAS eth1) => OK
FROM MAC (having a static route to 172.16.0.200 (NAS eth1) via 192.168.0.10 (Router FA0)):
=> ping 172.16.0.200 => OK
=> ping 192.168.0.10 => OK
=> ping 172.16.0.254 => OK (router vlan 172)
=> web interface 172.16.0.200 => OK
=> web interface 192.168.0.10 => TIMEOUT
NAT INSIDE (the one I already posted)
Web interface (192.168.0.10) => TIMEOUT
router output :
kerberos#sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
kerberos#
*Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
*Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
*Jan 21 08:29:37.595: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:37.595: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [47325]
*Jan 21 08:29:37.735: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [56852]
*Jan 21 08:29:37.735: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:37.735: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [56852]
*Jan 21 08:29:37.935: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [46679]
*Jan 21 08:29:37.939: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:37.939: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [46679]
*Jan 21 08:29:38.139: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [59982]
*Jan 21 08:29:38.139: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:38.139: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [59982]
*Jan 21 08:29:38.339: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [27074]
*Jan 21 08:29:38.339: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:38.339: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [27074]
*Jan 21 08:29:38.543: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [14430]
*Jan 21 08:29:38.543: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:38.543: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [14430]
*Jan 21 08:29:38.843: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [748]
*Jan 21 08:29:38.843: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:38.843: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [748]
*Jan 21 08:29:39.343: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [38102]
*Jan 21 08:29:39.343: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:39.343: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [38102]
*Jan 21 08:29:40.247: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [40722]
*Jan 21 08:29:40.247: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:40.247: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [40722]
*Jan 21 08:29:42.055: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [59666]
*Jan 21 08:29:42.055: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:42.055: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [59666]
*Jan 21 08:29:45.711: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [18061]
*Jan 21 08:29:45.715: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:45.715: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [18061]
*Jan 21 08:29:52.391: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [15853]
*Jan 21 08:29:52.391: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:52.391: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [15853]
*Jan 21 08:29:59.191: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [26239]
*Jan 21 08:29:59.191: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:59.191: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [26239]
kerberos#sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:60443 172.16.0.200:443 192.168.0.26:54949 192.168.0.26:54949
tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
kerberos#
*Jan 21 08:30:59.211: NAT: expiring 192.168.0.10 (172.16.0.200) tcp 60443 (443)
NAT OUTSIDE
using command ip nat outside source static tcp 192.168.0.10 60443 172.16.0.200 443 extendable
router output :
*Jan 21 08:40:00.251: ipnat_add_static_cfg: id 2, flag 6
*Jan 21 08:40:00.251: id 2, flags 0, domain 1, lookup 1, from_addr C0A8000A, from_mask FFFFFFFF, from_port EC1B, to_addr AC1000C8, to_port 1BB to_mask FFFFFFFF, proto 6
*Jan 21 08:40:00.255: NAT: installing alias for address 172.16.0.200
kerberos(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp --- --- 172.16.0.200:443 192.168.0.10:60443
NAT OUTSIDE BIS
using command ip nat outside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
router output :
*Jan 21 08:52:43.003: ipnat_add_static_cfg: id 2, flag 6
*Jan 21 08:52:43.003: id 2, flags 0, domain 1, lookup 1, from_addr AC1000C8, from_mask FFFFFFFF, from_port 1BB, to_addr C0A8000A, to_port EC1B to_mask FFFFFFFF, proto 6
*Jan 21 08:52:43.007: NAT: installing alias for address 192.168.0.10
kerberos(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp --- --- 192.168.0.10:60443 172.16.0.200:443
NAT INSIDE BOTH WAYS
ip nat inside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
ip nat inside source static tcp 192.168.0.10 60443 172.16.0.200 443 extendable
router output :
kerberos(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
tcp 172.16.0.200:443 192.168.0.10:60443 --- ---
kerberos(config)#
*Jan 21 08:46:59.723: NAT*: o: tcp (192.168.0.26, 55025) -> (192.168.0.10, 60443) [56183]
*Jan 21 08:46:59.723: NAT*: o: tcp (192.168.0.26, 55025) -> (192.168.0.10, 60443) [56183]
*Jan 21 08:46:59.727: NAT*: TCP s=55025, d=60443->443
*Jan 21 08:46:59.727: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [56183]
*Jan 21 08:46:59.727: NAT: i: tcp (172.16.0.200, 443) -> (192.168.0.26, 55025) [44274]
*Jan 21 08:46:59.731: NAT: TCP s=443->60443, d=55025
*Jan 21 08:46:59.731: NAT: s=172.16.0.200->192.168.0.10, d=192.168.0.26 [44274]
kerberos(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:60443 172.16.0.200:443 192.168.0.26:55025 192.168.0.26:55025
tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
tcp 172.16.0.200:443 192.168.0.10:60443 --- ---
NAT address to address
command ip nat inside source static 172.16.0.200 192.168.0.10
*Jan 21 08:56:03.379: ipnat_add_static_cfg: id 3, flag 6
*Jan 21 08:56:03.379: id 3, flags 0, domain 0, lookup 0, from_addr AC1000C8, from_mask FFFFFFFF, from_port 0, to_addr C0A8000A, to_port 0 to_mask FFFFFFFF, proto 0
*Jan 21 08:56:03.383: NAT: installing alias for address 192.168.0.
kerberos(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
--- 192.168.0.10 172.16.0.200 --- ---
(while pinging 192.168.0.10 from MAC (ping OK))
kerberos(config)#
*Jan 21 08:56:25.847: NAT*: o: icmp (192.168.0.26, 56136) -> (192.168.0.10, 56136) [4938]
*Jan 21 08:56:25.847: NAT*: o: icmp (192.168.0.26, 56136) -> (192.168.0.10, 56136) [4938]
*Jan 21 08:56:25.847: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [4938]
*Jan 21 08:56:26.847: NAT*: o: icmp (192.168.0.26, 56136) -> (192.168.0.10, 56136) [39977]
*Jan 21 08:56:26.847: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [39977]
NAT address to address with 192.168.0.11
command : ip nat inside source static 172.16.0.200 192.168.0.11
*Jan 21 08:58:54.867: ipnat_add_static_cfg: id 5, flag 6
*Jan 21 08:58:54.867: id 5, flags 0, domain 0, lookup 0, from_addr AC1000C8, from_mask FFFFFFFF, from_port 0, to_addr C0A8000B, to_port 0 to_mask FFFFFFFF, proto 0
*Jan 21 08:58:54.867: NAT: installing alias for address 192.168.0.11do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
--- 192.168.0.11 172.16.0.200 --- ---
(while pinging 192.168.0.11 from MAC, ping OK)
kerberos(config)#
*Jan 21 08:59:31.347: NAT*: o: icmp (192.168.0.26, 24137) -> (192.168.0.11, 24137) [29439]
*Jan 21 08:59:31.347: NAT*: o: icmp (192.168.0.26, 24137) -> (192.168.0.11, 24137) [29439]
*Jan 21 08:59:31.351: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [29439]
While accessing web interface (192.168.0.11, TIMEOUT)
*Jan 21 09:03:59.871: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [18909]
*Jan 21 09:03:59.871: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [18909]
*Jan 21 09:03:59.871: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [18909]
*Jan 21 09:04:00.871: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [22728]
*Jan 21 09:04:00.871: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [22728]
*Jan 21 09:04:01.875: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [5438]
*Jan 21 09:04:01.879: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [5438]
*Jan 21 09:04:02.883: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [64158]
*Jan 21 09:04:02.883: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [64158]
*Jan 21 09:04:03.887: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [16652]
*Jan 21 09:04:03.887: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [16652]
*Jan 21 09:04:04.891: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [47748]
*Jan 21 09:04:04.895: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [47748]
*Jan 21 09:04:06.907: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [42904]
*Jan 21 09:04:06.907: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [42904]
*Jan 21 09:04:10.927: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [50389]
*Jan 21 09:04:10.927: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [50389]
*Jan 21 09:04:18.935: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [33094]
*Jan 21 09:04:18.935: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [33094]
*Jan 21 09:04:34.967: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [50797]
*Jan 21 09:04:34.971: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [50797]
*Jan 21 09:05:07.075: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [61870]
*Jan 21 09:05:07.075: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [61870]
None of the configs got me access to the web interface, but as far as I can judge, with ip nat inside everything goes well on the router... (PS: when there is no debug output for NAT, that means NAT wasn't triggered; I copied the output I got.)
Because everything seems fine to me, I wondered if I should set a route, but the router is directly connected, so it knows where to send anything. Moreover, when accessing 172.16.0.200 while telling my MAC to route via 192.168.0.10 it works, so I don't see any reason this wouldn't work while doing NAT...
Xel
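One way to read the debug runs above mechanically, as an added example (not the poster's code or anything from the router): the `NAT*: o:` lines are packets that arrived on the `ip nat outside` interface and `NAT: i:` lines are packets that arrived on an `ip nat inside` interface, so pairing them per client flow shows which inbound translations never produced a reply through the router. It assumes the client's own port is left untouched by the static translation, which the `TCP s=54949, d=60443->443` lines in the output confirm; the sample lines are copied from the post's NAT INSIDE and NAT INSIDE BOTH WAYS runs.

```python
import re
from collections import defaultdict

# Packet lines from "debug ip nat detailed" on IOS 12.4, e.g.
#   NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]   outside -> inside
#   NAT: i: tcp (172.16.0.200, 443) -> (192.168.0.26, 55025) [44274]      inside -> outside
PKT_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\)"
)


def parse_nat_debug(lines):
    """Count outside->inside packets ("out") and inside->outside replies ("in") per flow.

    Flows are keyed on (proto, outside client address, client port); static NAT only
    rewrites the inside host's address/port, so the client side matches both ways.
    """
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # translation-table, config and "s=..., d=..." lines carry no packet
        if m["dir"] == "o":
            flows[(m["proto"], m["src"], int(m["sport"]))]["out"] += 1
        else:
            flows[(m["proto"], m["dst"], int(m["dport"]))]["in"] += 1
    return dict(flows)


def unanswered_flows(lines):
    """Flows the router translated inbound but never saw a reply for.

    Retransmitted SYNs with no "i:" packet mean the inside host either never got the
    packet or replied by another path, so the client never hears from the NAT address.
    """
    return sorted(k for k, c in parse_nat_debug(lines).items() if c["out"] and not c["in"])


# Sample lines taken from the two debug runs in the post (trimmed for brevity).
SAMPLE = """\
*Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
*Jan 21 08:29:37.595: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:37.595: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [47325]
*Jan 21 08:29:37.735: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [56852]
*Jan 21 08:46:59.723: NAT*: o: tcp (192.168.0.26, 55025) -> (192.168.0.10, 60443) [56183]
*Jan 21 08:46:59.727: NAT: i: tcp (172.16.0.200, 443) -> (192.168.0.26, 55025) [44274]
""".splitlines()

if __name__ == "__main__":
    for flow in unanswered_flows(SAMPLE):
        print("no reply seen through the router for", flow)
```

Run it over a full `debug ip nat detailed` capture: a flow that keeps appearing under "no reply" while the NAS answers when addressed directly points at the NAS's return path rather than at the translation itself.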