We are running a few services in our internal network that we would like
to expose to the outside world. At first we were having trouble with email,
DNS, and WWW. Not sure what happened but email and DNS started working all
of a sudden.
In regards to www, we are forwarding the traffic to our apache server (192.168.2.15), with the following port forward rule:
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
For some reason it's getting routed to another server on the network.
We know this due to the firewall of that server burning the request.
Is there any way to make these static rules more strictly enforced and get
the traffic to the right server?
Update
Pro Inside global      Inside local       Outside local      Outside global
tcp <public>:53        192.168.2.5:53     ---                ---
tcp <public>:25        192.168.2.10:25    ---                ---
tcp <public>:465       192.168.2.10:465   ---                ---
tcp <public>:993       192.168.2.10:993   ---                ---
--- <public>           192.168.2.5        ---                ---
NAT Definitions
no ip nat service sip udp port 5060
no ip nat service sip udp port 5080
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.2.20 5080 interface Dialer0 5080
access-list 130 permit udp any any range 8000 65535
route-map voip-rtp permit 1
 match ip address 130
ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp
NAT Trans
Pro Inside global      Inside local       Outside local      Outside global
tcp public-ip:53       192.168.2.5:53     ---                ---
tcp public-ip:25       192.168.2.10:25    ---                ---
tcp public-ip:465      192.168.2.10:465   ---                ---
tcp public-ip:993      192.168.2.10:993   ---                ---
--- public-ip          192.168.2.5        ---                ---
Thanks in Advance,
Nick from Toronto.
Best Answer
Is there somehow a second port 80 rule? (shouldn't be possible, but I've seen it happen)
Is the ARP cache on the router somehow wrong -- i.e. it thinks 2.15 is at a different machine?
And lastly, IOS has, in the past, had significant issues with NAT and dynamic interface addresses. On my cable-modem-fed router, I have to replace the NAT rules with full IP addresses (every time the address changes!) to make it work; the rules won't apply correctly if DHCP is setting the address, or if the address later changes with the interface up. I've never used "interface nat" on the DSL line with a static address.
[UPDATE]
ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp
That is what's causing the error. As you can see in the firewall output, the DST is 2.5, not 2.15. And there's no port 80 translation in the table.
[Further Update]
There is no way to make a Cisco IOS device NAT a UDP port range. It'll work perfectly for TCP, but completely ignores UDP. (nice of Cisco to do that.) If you attempt to use route-maps with an ACL that specifies ports, it generates an error matching the ACL. (turn on various debugs to see it) Inside destination NAT ignores the UDP part.