
Author Topic: Nat issue - RFS6000 - Wing 4.3  (Read 2837 times)


Offline leonardo.ortiz

  • Rookie
  • Posts: 22
Nat issue - RFS6000 - Wing 4.3
« on: January 29, 2015, 10:35:00 AM »
Hello guys.

I'm trying to configure NAT on our RFS6000, but it doesn't translate any address....

My configuration:

ip access-list extended onestore
 permit ip 192.168.2.0/24 any rule-precedence 10

 wlan 5 enable
 wlan 5 ssid LAN_MSL
 wlan 5 vlan 15


interface vlan15
 ip address 192.168.2.1/24
 ip nat inside
!

interface vlan50
 description ADSL
 ip address dhcp
 ip nat outside

ip nat inside source list onestore interface vlan50 overload

I want to translate VLAN 15 addresses (the 192.168.2.0/24 network) to the VLAN50 address (overload)... But it doesn't work.

Any help? Do I need to activate some service?


Offline McNulty

  • Sr. Member
  • Posts: 217
Re: Nat issue - RFS6000 - Wing 4.3
« Reply #1 on: February 02, 2015, 09:16:26 PM »
Is the firewall enabled at the policy level?

Offline leonardo.ortiz

  • Rookie
  • Posts: 22
Re: Nat issue - RFS6000 - Wing 4.3
« Reply #2 on: February 02, 2015, 09:44:25 PM »
Is the firewall enabled at the policy level?


Hello.

Yes! I'm using the firewall, but with just a few rules (ACLs)... And the rules aren't applied on this WLAN/VLAN...

What do you mean by "policy level"?

Below are my ACLs:

ip access-list extended guests
 deny tcp any host 192.168.1.1 eq www rule-precedence 33
 deny tcp any host 192.168.1.2 eq www rule-precedence 34
 deny tcp any host 192.168.1.2 eq https rule-precedence 35
 deny tcp any host 192.168.1.4 eq https rule-precedence 36
 deny tcp any host 192.168.1.4 eq www rule-precedence 37
 permit ip any any rule-precedence 50
ip access-list extended onestore
 permit ip 172.16.1.0/24 any rule-precedence 30
mac access-list extended ARP-ALLOW-ACL
 deny any any type ipv6 rule-precedence 10
 permit any any type arp rule-precedence 20
 permit any any type ip rule-precedence 30
ip access-list extended WLAN-FILTER-BCMC-ACL
 permit udp any any range 67 68 rule-precedence 10
 deny udp any range 137 138 any range 137 138 rule-precedence 20
 deny udp any eq 17500 any eq 17500 rule-precedence 40
 deny ip any host 255.255.255.255 rule-precedence 50
 deny ip any 224.0.0.0/4 rule-precedence 60
 permit ip any any rule-precedence 70

Firewall config:
firewall dhcp-snoop-conflict-detection disable
firewall dhcp-snoop-conflict-logging disable

RFS6000 - SC - Principal*#show firewall config
Wireless firewall: enabled
  IPv4 virtual defragmentation: enabled
  IPv4 TCP MSS clamping: enabled
  IPv4 path-MTU clamping: disabled
  802.2 encapsulations: denied
  802.1q vlan stacking: denied


Do you know how I can enable packet debugging (like in IOS)?

Is it normal that NAT doesn't show up as a process in the "service show process" command?

Thanks for the reply!!
« Last Edit: February 03, 2015, 02:36:14 AM by leonardo.ortiz »

Offline leonardo.ortiz

  • Rookie
  • Posts: 22
Re: Nat issue - RFS6000 - Wing 4.3
« Reply #3 on: February 03, 2015, 04:33:06 AM »
Ok, I found the solution :D

I needed to add a default route to my ADSL router....

NAT inside to outside first routes the packet, then changes the address....

When I added the default route, the translations worked...

sh ip nat translations  verbose
          Natted Source          Actual Source     Actual Destination     Natted Destination
       10.2.1.254:44108     172.16.1.252:62014             8.8.8.8:53             8.8.8.8:53
       10.2.1.254:53518     172.16.1.252:61695             8.8.8.8:53             8.8.8.8:53
       10.2.1.254:50664      172.16.1.252:2740      177.99.185.163:80      177.99.185.163:80


I have discovered some commands that can help everyone:

For packet debugging (like "debug ip packet" in IOS): debug securitymgr packet-forwarding 3

The number "3" is the debug level.

For packet translations: sh ip nat translations verbose
"sh ip nat translations" just shows the NAT rule.

To see debug output on the VTY (like "terminal monitor" in IOS): logging monitor 7

And if we want to see the outbound packets (to check whether the translations work): service pktcap on interface vlan XX outbound


Thanks for the reply McNulty  ;)
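The point in Reply #3 (the packet is routed first and only then source-translated, so without a default route nothing is ever NATted) as an added example that is not from the thread or from WiNG: a small Python model of that pipeline built from the first post's config. The vlan50 address 10.2.1.254, the port pool and the route table are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Values from the first post's config; the vlan50 address is the one the
# thread's translation table shows and is assumed to be what DHCP handed out.
INSIDE_NET = ipaddress.ip_network("192.168.2.0/24")   # ACL "onestore"
OUTSIDE_IF = "vlan50"                                # "ip nat outside"
OUTSIDE_ADDR = "10.2.1.254"                          # assumed DHCP address

@dataclass
class NatRouter:
    """Simplified model: route lookup first, then source NAT (overload)."""
    routes: dict                                   # prefix -> egress interface
    nat_table: dict = field(default_factory=dict)  # flow -> (natted src, port)
    next_port: int = 40000                         # constructed port pool

    def route(self, dst):
        """Longest-prefix match; None when there is no matching route."""
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (
                    best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src, sport, dst, dport):
        """Return (egress, natted_src, natted_port), or None if dropped."""
        egress = self.route(dst)
        if egress is None:
            return None        # no route: the NAT stage is never reached
        if egress == OUTSIDE_IF and ipaddress.ip_address(src) in INSIDE_NET:
            flow = (src, sport, dst, dport)
            if flow not in self.nat_table:          # overload: new port per flow
                self.nat_table[flow] = (OUTSIDE_ADDR, self.next_port)
                self.next_port += 1
            natted_src, natted_port = self.nat_table[flow]
            return (egress, natted_src, natted_port)
        return (egress, src, sport)                 # inside-to-inside: untouched

def build(with_default_route):
    routes = {"192.168.2.0/24": "vlan15"}           # connected route only
    if with_default_route:
        routes["0.0.0.0/0"] = OUTSIDE_IF            # default route toward the ADSL gateway
    return NatRouter(routes)

if __name__ == "__main__":
    for flag in (False, True):
        print("default route:", flag, build(flag).forward("192.168.2.10", 62014, "8.8.8.8", 53))
```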


Offline McNulty

  • Sr. Member
  • Posts: 217
Re: Nat issue - RFS6000 - Wing 4.3
« Reply #4 on: February 03, 2015, 02:01:42 PM »
Thanks for sharing the solution!