CISCO 2900 loses NAT

Hi,
I have a CISCO 2900 series router which I use in our ISP setup. The router has more than 250 static NATs configured on it and about 70 routes. The problem is that every once in a while a random NAT disappears from the router. In show run one NAT goes missing. If I add the NAT I get a message that the NAT already exists. So I have to remove the NAT and then add it again for it to appear again, but nowadays I just clear the NAT translations (clear IP NAT translation *) and it appears.
Any ideas on what could be the problem here?
Thanks,
Abbas

Thanks for the suggestion Elton.
Unfortunately, I believe the LAN ports on this router are layer 2 only, thus they will not take `ip nat` configuration:
Router1(config-if)#ip nat enable
                      ^
% Invalid input detected at '^' marker.
Router1(config-if)#ip ?
Interface IP configuration subcommands:
  address     Set the IP address of an interface
  admission   Apply Network Admission Control
  auth-proxy  Apply authentication proxy
  ddns        Configure dynamic DNS
  device      IP device tracking
  dhcp        Configure DHCP parameters for this interface
  igmp        IGMP interface commands
  rsvp        RSVP Interface Commands
  vrf         VPN Routing/Forwarding parameters on the interface
Here's the result of `show IP NAT translations` as requested:
Router1#show ip nat translations | include ---   
tcp 188.222.181.173:25    192.168.1.2:25        ---                  ---
tcp 188.222.181.173:80    192.168.1.2:80        ---                  ---
tcp 188.222.181.173:143  192.168.1.2:143      ---                  ---
tcp 188.222.181.173:443  192.168.1.2:443      ---                  ---
tcp 188.222.181.173:587  192.168.1.2:587      ---                  ---
tcp 188.222.181.173:993  192.168.1.2:993      ---                  ---
tcp 188.222.181.173:1723  192.168.1.2:1723      ---                  ---
Router1#
As the rules are set up as NVI type rules, they should not be showing up in the command above; instead they should show up in response to the following command:
Router1#show ip nat nvi translations
Router1#
Any ideas why this would happen?
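
A drift check for the symptom described in the two posts above, as an added example that is not part of the original thread: it compares the static NAT statements in `show running-config` with the static rows of `show ip nat translations` (the rows with `---` in both outside columns), in both directions. The sample config and table are constructed, reusing the addresses shown above, and the function names are hypothetical.

```python
import re

# Constructed sample of "show running-config" static NAT lines. Both the
# legacy form ("ip nat inside source static") and the NVI form
# ("ip nat source static") are accepted.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.2 25 188.222.181.173 25 extendable
ip nat inside source static tcp 192.168.1.2 80 188.222.181.173 80 extendable
ip nat inside source static tcp 192.168.1.2 443 188.222.181.173 443 extendable
ip nat source static tcp 192.168.1.2 993 188.222.181.173 993
"""

# Constructed sample of "show ip nat translations | include ---" output.
SAMPLE_TABLE = """\
Router1#show ip nat translations | include ---
tcp 188.222.181.173:25    192.168.1.2:25        ---                  ---
tcp 188.222.181.173:80    192.168.1.2:80        ---                  ---
tcp 188.222.181.173:143   192.168.1.2:143       ---                  ---
Router1#
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
CFG_RE = re.compile(
    rf"^ip nat (?:inside )?source static "
    rf"(?:(tcp|udp) ({IP}) (\d+) ({IP}) (\d+)|({IP}) ({IP}))(?:\s|$)"
)

def parse_config(text):
    """Return (entries, skipped). Each entry is (proto, local, lport, global, gport);
    port 0 means a whole-host mapping. Static lines this parser does not
    understand (e.g. 'interface' or 'network' forms) are returned in skipped."""
    entries, skipped = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ip nat") or "source static" not in line:
            continue
        m = CFG_RE.match(line)
        if not m:
            skipped.append(line)
            continue
        proto, local, lport, glob, gport, hlocal, hglob = m.groups()
        if proto:
            entries.add((proto, local, int(lport), glob, int(gport)))
        else:
            entries.add(("ip", hlocal, 0, hglob, 0))
    return entries, skipped

def parse_table(text):
    """Static rows only: Pro, Inside global, Inside local, then '---' twice."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[3:] != ["---", "---"]:
            continue  # prompt, header, or a row for a live session
        pro, inside_global, inside_local = f[:3]
        if pro in ("tcp", "udp"):
            glob, gport = inside_global.rsplit(":", 1)
            local, lport = inside_local.rsplit(":", 1)
            entries.add((pro, local, int(lport), glob, int(gport)))
        elif pro == "---":
            entries.add(("ip", inside_local, 0, inside_global, 0))
    return entries

def compare(config_text, table_text):
    configured, skipped = parse_config(config_text)
    installed = parse_table(table_text)
    return {
        "configured_not_installed": sorted(configured - installed),
        "installed_not_configured": sorted(installed - configured),
        "skipped_config_lines": skipped,
    }

if __name__ == "__main__":
    for name, rows in compare(SAMPLE_CONFIG, SAMPLE_TABLE).items():
        print(name, rows)
```

An entry under `installed_not_configured` matches the first post's symptom (the mapping is gone from show run yet the router reports it already exists); run the check on a schedule against saved command output to catch the drift before users report it.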

Similar Messages

  • Cisco 2921 destination NAT for transparent proxy

    Hi All,
    I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
    In iptables it's easy:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
    iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
    I am however, trying to work out a way to do this without the need of a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
    So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
    The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
    Any ideas guys? I'm stuck.
    Cheers,
    Jordan.

    Sounds like you need a route-map to change the next IP hop?
    This would be the best way to do it which will also verify the remote proxy server is available as well.
    ip sla monitor 1
    type echo protocol ipIcmpEcho <ip address of your proxy server>
    timeout 3000
    frequency 3
    ip sla monitor schedule 1 life forever start-time now
    track 123 rtr 1 reachability
    interface FastEthernet0/1
    ip address <x.x.x.x x.x.x.x>
    ip policy route-map REDIRECT-TO-PROXY
    ip access-list extended webtraffic
    ! Deny traffic from your proxy server from redirecting
      deny tcp host <ip address of your proxy server> any eq www
      deny tcp host <ip address of your proxy server> any eq https
      permit tcp <your ip network> <subnet mask> any eq www
      permit tcp <your ip network> <subnet mask> any eq https
    route-map REDIRECT-TO-PROXY permit 10
    match ip address webtraffic
    set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
    If you don't already have a NAT rule setup to translate this traffic to the outside here is an example of that:
    Here is how my router is configured.
    interface FastEthernet0/0
     ip address dhcp hostname home-rtr-1
     ip nat outside
    interface FastEthernet0/1
     ip address 10.235.x.x 255.255.255.252
     ip nat inside
    ip nat inside source list 10 interface FastEthernet0/0 overload
    access-list 10 permit <your ip network> <your ip subnet>
    HTH

  • Unable to telnet the cisco 2900

    Hi,
    I am trying to telnet to a Cisco 2900 switch. I believe there is a VTY password configured. When I give the password, I get the below error.
    "Local flow control off"
    "User Access Verification
    Password: Connection closed by foreign host."
    Appreciate your help.
    Thanks & Regards
    Ranga

    Thanks for the response. We have access from only one machine in the network, and I got the configuration that is on the backup server. Here is the configuration of login access. I believe that with the below configuration we might have the same problem when we console into the switch.
    Line-Line con 0
    line con 0
    session-timeout 15
    password*****
    no vacant-message
    login
    transport input none
    stopbits 1
    Line-Line vty 0 4
    line vty 0 4
    session-timeout 15
    access-class XX in
    exec-timeout 15 0
    password*****
    no vacant-message
    login
    Line-Line vty 5 15
    line vty 5 15
    access-class XX in
    login

  • Cisco 2900 Router

    Hi,
    please tell me (or give me a tutorial about) how to add a sub-interface, create a RIP router process and configure route redistribution with OSPF, on Cisco 2900.
    Thanks,
    Adrian.

    Here is an example of configuring Sub-interface on the router
    interface FastEthernet0/0.20
    encapsulation dot1Q 20
    ip address 10.20.10.1 255.255.255.0
    RIP
    http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfrip.html
    router rip
    network x.x.x.x.
    Route Redistribution
    http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009487e.shtml
    HTH

  • ROUTER CISCO 2900

    I HAVE A CISCO ROUTER 2900 SERIES:
    SERIAL #: FCZ163377PL
    PRODUCT TYPE (Model Number): 2911
    SOFTWARE VERSION: 15.1(4) M4
    BRIEF PROBLEM DESCRIPTION:  I WOULD LIKE TO CONFIGURE A VPN USING ROUTER CISCO 2900, BUT IT DOESN'T RECOGNIZE A VPN COMMAND. CAN YOU HELP?


  • Cisco ASA 5510 Natting 2 internal ip to 1 public ip

    Hi Guys,
    I have a doubt about how to NAT 2 internal IP addresses to 1 public IP for FTP use.
    As far as I know, the Cisco ASA cannot be used to NAT 2 internal IPs to 1 public IP as the ASA cannot read the host header. Is there any way to control it by using an ACL or a network object group?
    My current configuration for nat 1 internal ip to 1 public ip:
    static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 172.16.101.11 21 netmask 255.255.255.255  dns
    Thank you for your help.
    Cheers
    Tommy

    Yes, it is possible. See if this helps. I'm not in front of my ASA right now, but I think this is the old and new way. If you are actually using the interface address, you might need to use the "interface" keyword.
    Pre 8.3
    static (inside,outside) tcp 1.1.1.1 80 192.168.1.100 8080 netmask  255.255.255.255
    static (inside,outside) tcp 1.1.1.1 8080 192.168.1.101 8080 netmask  255.255.255.255
    static (inside,outside) tcp 1.1.1.1 25 192.168.1.102 25 netmask  255.255.255.255
    8.3 and Later
    object network obj-192.168.1.100
      host 192.168.1.100
      nat (inside,outside) static 1.1.1.1 service tcp 8080 80
    object network obj-192.168.1.101
      host 192.168.1.101
      nat (inside,outside) static 1.1.1.1 service tcp 8080 8080
    object network obj-192.168.1.102
      host 192.168.1.102
      nat (inside,outside) static 1.1.1.1 service tcp 25 25
    If you are using the interface address--
    static (inside,outside) tcp interface 80 192.168.1.100 8080 netmask  255.255.255.255
    static (inside,outside) tcp interface 8080 192.168.1.101 8080 netmask  255.255.255.255
    static (inside,outside) tcp interface 25 192.168.1.102 25 netmask  255.255.255.255
    8.3 and Later
    object network obj-192.168.1.100
      host 192.168.1.100
      nat (inside,outside) static interface service tcp 8080 80
    object network obj-192.168.1.101
      host 192.168.1.101
      nat (inside,outside) static interface service tcp 8080 8080
    object network obj-192.168.1.102
      host 192.168.1.102
      nat (inside,outside) static interface service tcp 25 25

  • Cisco 2504 OEAP NAT directly connect AP's no ip

    I setup my 2504 to work with OEAP.  When I enabled NAT on the management interface the one AP I have directly connected to the WLC is no longer getting an IP address.  Any idea why this is?

    First, it is not recommended to have an AP directly connected to the WLC, you really need to connect it to an upstream switch and let it connect that way.
    My first thought would be that you need to take a look at the link below that talks about how the NAT IP commands work.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/command/reference/cli70MR1commands.html#wp14087790
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Cisco device supporting NAT for SCTP

    Hello,
    I can't think of a more proper category for posting this one. I'd like to know if there is a cisco router (or other device for that matter) which may offer NAT service for packet using the SCTP protocol, i.e. translate IP address and SCTP port contained in the packet (Source or Destination) into those configured on the device by the user.
    Packet received by Device: Source IP a.b.c.d Source SCTP port: X1 Dest IP
    translate the Destination IP and Port of SCTP packets sent from PCU to IP and Port set on Windows PC and vice versa.

    Hello,
    I can't think of a more proper category for posting this one. I'd like to know if there is a cisco router (or other device for that matter) which may offer NAT service for packet using the SCTP protocol, i.e. translate IP address and SCTP port contained in the packet (Source or Destination) into those configured on the device by the user.
    Packet received by Device: Source IP a1.b1.c1.d1 Source SCTP port: X1 Dest IP w1.x1.y1.z1 Dest SCTP port: Y1
    Packet exiting Device: Source IP a2.b2.c2.d2 Source SCTP port: X2 Dest IP w2.x2.y2.z2 Dest SCTP port: Y2
    I thank you in advance for your responses.

  • Newbie: Cisco 851w and nat

    Hello,
    I am a network administrator and recently decided to upgrade my existing network infrastructure at my small office by purchasing a
    Cisco 851w router.
    I have 14 computers that need internet connection sharing and an Ubuntu 6.06 box running e-mail services, web and dns hosting for
    my domain (master zone, running bind9).
    Using SDM express I configured the network in 15 minutes, and also NAT for the Linux server. Everything is fine, except one
    thing: when I access my domain (let`s say mydomain.ro) from my local network I don`t get my webpage or a response from the mail
    server, but instead my SDM express login window. From an outside network I can access my mail and web page using mail.mydomain.ro
    and www.mydomain.ro. Internally I get a response from the router.
    This is how I configured the network with SDM express:
    192.168.0.1 as my routers ip address and network address, dhcp enabled, router`s name is router and domain "domain.ro". At the
    dhcp section I typed my ISP`s dns server. The linux box has the ip 192.168.0.10 and runs bind9 for the "domain.ro" as the master
    server. I added the following NAT with SDM: 53 tcp and udp from WAN ip (81.xxx.xxx.xxx) to 192.168.0.10, 22 tcp, 25 tcp, 80 tcp,
    etc. WAN IP is the ip from my ISP (81.xxx.xxx.xxx).
    Can I fix this using SDM, and how? It`s not an option to type 192.168.0.10 as incoming mail server instead of mail.domain.ro. I don`t know how to use CLI, I bought this router just to be able to run away from my old 486 iptables machine. :D
    Thanks for your time!

    You are absolutely right in that you are not the only one with this problem.
    Check this post and the link provided by Sundar out.
    http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=968333ACF23358AC6443CE3DC4C19CD9.SJ3B?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddccf83
    And hopefully you will find a working solution.

  • Cisco ISA 550 NAT problem

    Hi all,
    I have bought a Cisco ISA 550 small business firewall and I am facing a problem when I configure the NAT.
    My scenario is,
    I have a mail server in my LAN which needs to be accessed from both inside and outside
    My LAN network is 192.168.0.0/24
    I have a PPPoE WAN connection with a static IP
    Mail server IP 192.168.0.15/ 24
    There is not a DMZ zone. I need to NAT this server to my WAN IP and that WAN IP is also used
    to provide internet connection to other LAN users. I could do this with my previous ADSL
    router and I tried to do this with the firewall but couldn't achieve the task.
    Hoping for help from some expert.
    Thanks,
    Charith

    Do you want that your internal clients connect to the WAN IP and get natted to the local LAN IP?
    Then open the Maintain and Operate Guide at cisco.com and search for "hairpinning".
    Michael
    Please rate all helpful posts

  • Cisco 2900 compatible with VWIC-1MFT-T1?

      Can a VWIC-1MFT-T1 card be used in a 2900 series router?  The compatibility tables on Cisco seem to indicate that it is not compatible, but are not definitive.  Anyone ever tried to put one of these in a 2900?

    No, you need VWIC2-MFT or VWIC3, see the compatibility reference:
    http://www.cisco.com/en/US/products/ps10537/products_relevant_interfaces_and_modules.html
    HTH,
    Chris

  • Cisco 2900 WAN performance

    We want to buy a new router and I'm searching for the best option.
    For Cisco routers I have found the 2900s series interesting but I was astonished to see that the WAN performance is only up to 75 Mbps
    "They deliver virtualized applications and highly secure collaboration through the widest array of WAN connectivity at high performance that offers concurrent services at up to 75 Mbp"
    http://www.cisco.com/en/US/products/ps10537/index.html
    Does that mean that if we are connected to a symmetrical 100 Mbit Internet connection the router would only support up to 75 Mbit? Is it for every separate connection or all connections? How is the (theoretical) performance if you have only one connection (e.g. an FTP upload)?
    If I need more would I have to upgrade to the 3900s series?
    Greetings and thanks
    nc

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    The reason for ISR "low" performance is that they (and their predecessors) were really designed for being feature rich while working with "low speed" serial WAN links. Traditionally, 75 Mbps would be a rather fast WAN link.
    Today's WANs, running at LAN-like speeds, often are LAN-like media hand-offs, i.e. Ethernet. Cisco does have a line of MetroEthernet L3 switches, feature poor compared to ISRs, but they offer LAN forwarding performance.
    In any case, the "fastest" 2900, the 2951, is Cisco recommended for up to 75 Mbps WAN bandwidth. As you note, this allows for "concurrent services". ISR performance depends very much on average packet sizes and how the router has been configured. At the other extreme, the 2951 is documented as being able to push 5 Gbps, with no services and with maximum size packets. Cisco recommendations are conservative, which means a 2900 series might be perfectly fine on your 100 Mbps link, or might not. Much would depend on your configuration and what your traffic is like.
    Cisco recommends the 3925 for up to 100 Mbps of WAN bandwidth.
    I've attached a Cisco whitepaper, which provides much more information about ISR performance.

  • Cisco 2900

    We want to buy a new router and I'm searching for the best option.
    For Cisco routers I have found the 2900s series interesting but I was astonished to see that the WAN performance is only up to 75 Mbps
    "They deliver virtualized applications and highly secure collaboration through the widest array of WAN connectivity at high performance that offers concurrent services at up to 75 Mbp"
    http://www.cisco.com/en/US/products/ps10537/index.html
    Does that mean that if we are connected to a symmetrical 100 Mbit Internet connection the router would only support up to 75 Mbit? Is it for every separate connection or all connections? How is the (theoretical) performance if you have only one connection (e.g. an FTP upload)?
    If I need more would I have to upgrade to the 3900s series?
    Greetings and thanks
    nc

    Duplicate post - see: https://supportforums.cisco.com/message/4134122#4134122

  • Cisco Touch loses static IP configuration

    I have a Cisco Touch that keeps losing the static IP configuration randomly and then displays a message to configure the manual IP settings, once this is done the system connects with the SX20 no problem.
    This happens once a day. 

    What version of software are you running on the SX20?  There were some improvements with regards to Static IP addresses and the Touch in one of the more recent version (TC7.1.0 from memory) - the latest being TC7.2.0.
    If you have an active service contract on your device you should be able to download the updated software from the Cisco web site.
    If you don't have a service contract, contact the TAC, and reference one of the recent security advisories (ie http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl) to get a "free" upgrade to TC7.x as per the "customers without service contracts" section.
    Wayne
    Please remember to rate responses and to mark your question as answered if appropriate.

  • Cisco 857w - Difficult NAT/IP Situation

    Good afternoon, all.  I have been successfully using an 857W router in Pure RFC1483 Bridge Mode for some months.  I would really like to be able to get more of the functions of this router working, so I can get my "money's worth" and eliminate a few other pieces of equipment in the process.  I have been unsuccessful getting anything else to work.  Here is my ISP situation (addresses altered, of course): I have 8 non-contiguous IP addresses as part of a /24 block
    11.22.33.99
    11.22.33.166 through 11.22.33.172
    Gateway = 11.22.33.1
    If possible, I would like to hold 11.22.33.99 at the router and use it to NAT for DHCP (on the WLAN as well).  Then, I would like to have the rest of the block (11.22.33.166 through 11.22.33.172) bridged to the LAN ports for use in other parts of my network.  Is this possible to achieve?
    Second, I would like to be able to use this router as an IPv6 tunnel endpoint, and DHCPv6 service.  I've read that it is not possible on this router, and I've also read that it is possible with the right IOS load, but I am not sure.  Comments?
    I can provide config listings as necessary, though right now I have nothing set except a simple pure bridge configuration.  Thanks for your assistance!

    Forget the IPv6 stuff.  I'm aware now that the 857w is incorrectly advertised as supporting IPv6.
    I think in order to accomplish my routing scheme, I need to employ IRB (Integrated Routing and Bridging) in some fashion, but I have followed several posts and I am not able to create a successful configuration.  The problem seems to be that certain commands I find in postings are not the same for my router, and I end up having to fend for myself anyway.  Here is what I have working so far, in pure RFC-1483 bridging mode, with DHCP working as well:
    Router#show run
    Building configuration...
    Current configuration : 1442 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    resource policy
    clock timezone PST -8
    clock summer-time PDT recurring
    no ip routing
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.16.1 192.168.16.200
    ip dhcp excluded-address 192.168.16.241 192.168.16.255
    ip dhcp pool MyPool
       network 192.168.16.0 255.255.255.0
       dns-server 192.168.16.100
       default-router 192.168.16.100
    no ip cef
    bridge irb
    interface ATM0
    no ip address
    no ip route-cache
    no atm ilmi-keepalive
    pvc 0/35
      encapsulation aal5snap
    dsl operating-mode auto
    bridge-group 1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    no ip route-cache
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Vlan1
    no ip address
    ip virtual-reassembly
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 192.168.16.1 255.255.255.0
    ip virtual-reassembly
    no ip http server
    no ip http secure-server
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    end
    Again, I'm trying to have my public IP address of 11.22.33.99 end at the router, and be used by the DHCP server as its routing.  Then, I would like the rest of my public IP pool, which is 11.22.33.166-11.22.33.172 to be passed on to the FastEthernet bridge to be used directly with other machines.  Probably a crazy way of doing things, but I can't find a better solution to have all of my machines see each other on the LAN and have certain machines use certain public IP addresses.  I'm open to suggestion - thanks for any help!
    Phil
