Using NAT for remote management

  • Using NAT for remote management

    Here is the problem I'm looking to crack:

    I have multiple remote sites connected back into my infrastructure via satellite. I'm building a GRE tunnel across this satellite infrastructure to my users' routers. I'm using EIGRP through these tunnels and everything is working great as far as connectivity to my users is concerned. However, with each of these packages, I would like to be able to remotely manage the satellite modem. My problem is that these modems all have the same web management IP address (192.168.1.1:80) and I can't change them. I thought to myself, "too easy, this sounds like an excellent case for NAT!" Either I'm tackling this thing all wrong or something, because I can't seem to get it to work. Here is what I've got so far (IPs modified and extra info cut):


    interface Tunnel0
     description Tunnel back Home
     ip address 10.10.10.10 xxx.xxx.xxx.xxx
     ip nat outside
     ip nhrp xxx.xxx.x.x.x

    .
    .
    .

    interface vlan
     description Sat Modem (not in EIGRP table)
     ip address 192.168.1.2 255.255.255.252
     ip nat inside

    ip nat inside source static tcp 192.168.1.1 80 interface Tunnel0 80


    The remote router can now ping the dish, so I know VLAN connectivity is up. If I try to web into the modem using the Tunnel0 interface IP (10.10.10.10) from the Home station (ex 172.16.1.0 network), I can watch the NAT translations build on the remote router. Something to the effect of this populates the NAT translation table:

    10.10.10.10:80 192.168.1.1:80 172.16.1.1:56123 172.16.1.1:56123
    10.10.10.10:80 192.168.1.1:80 172.16.1.1:56155 172.16.1.1:56155

    However, the webpage never loads. It's like NAT is working in one direction but not the other. I can't quite explain it. Any help or insight would be greatly appreciated. Thanks.


    Josh

  • #2
    Re: Using NAT for remote management

    Are you running ipsec over your DMVPN's?


    Can you ping the modem? If so, what does your translation table look like?

    You can run :

    debug ip nat (then send a ping over to the modem). This will tell you if it's being translated in both directions.

    debug ip nat translations

    and

    debug ip packet (to see if the translations are correct). These debugs will be very verbose, so I would send them to the buffer or to syslog.

    It may be worthwhile to clear the ARP table as well.



    Here is a good doc from Cisco to troubleshoot potential NAT issues:


    http://www.cisco.com/en/US/tech/tk64...80094c32.shtml
    Last edited by auglan; 20th April 2012, 13:39.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Using NAT for remote management

      I am not running IPSEC over my DMVPN. We are merely using it as a multipoint tunnel since we have so many remotes. If I ping the int Tunnel0 I get a reply, but I believe the reply is coming from the Tunnel0, not my modem. I believe this is due to the fact that I am only NATing on port 80. I don't want to take the chance of causing issues with the GRE tunnel, and I still want to be able to use the tunnel for SSH and such, so I'm trying to be careful about which ports I NAT over to my modem. Also, my version of IOS (Version 12.4(24)T5) doesn't support the command "debug ip nat translations." When I do a debug ip nat and try to access my modem, here is what I get:

      012595: Apr 20 2012 12:51:03.737 Zulu: NAT*: GRE port: 0 - [22536]
      012596: Apr 20 2012 12:51:03.893 Zulu: NAT*: GRE port: 0 - [27459]
      012597: Apr 20 2012 12:51:03.893 Zulu: NAT*: s=172.16.1.1, d=10.10.10.10->192.168.1.1 [52356]

      I'm working on getting the debug ip packet stuff, as it's taking me a while to dig it out from all the other traffic coming across the interface. I'll post it once I've got it.

      Thanks for the reply and the document.

      Josh



      • #4
        Re: Using NAT for remote management

        !!! Progress !!!


        It turns out my NAT configuration was working wonderfully. I plugged in a laptop to simulate the modem management interface, installed a webserver, and then fired up wireshark to see what was hitting it. It turns out that when I tried to hit the remote computer from my home station network, everything displayed!! It only took about a second or two for the AAHHHAA moment to sink in when I realized that the modem that I was trying to access didn't understand default gateways like my computer does. It doesn't even have a setting for it. It only has an IP and mask. So now I have to figure out how to add a device to a network that doesn't understand gateways!!


        Josh
        Last edited by j_wellman2005; 20th April 2012, 15:53.



        • #5
          Re: Using NAT for remote management

          012595: Apr 20 2012 12:51:03.737 Zulu: NAT*: GRE port: 0 - [22536]
          012596: Apr 20 2012 12:51:03.893 Zulu: NAT*: GRE port: 0 - [27459]
          012597: Apr 20 2012 12:51:03.893 Zulu: NAT*: s=172.16.1.1, d=10.10.10.10->192.168.1.1 [52356]
          Okay, so it looks like the initial translation is working, but I do not see the reverse translation.

          Can you test the access to the web interface from a pc on that local network? Just want to make sure the modem is listening on port 80 and on that ip address.

          The debug ip packet should give you a clue. You could write an access list and debug off that acl.


          access-list 101 permit tcp any host 192.168.1.1 eq 80

          debug ip packet detail 101



          • #6
            Re: Using NAT for remote management

            auglan

            I think we are on the same page. NAT is working in one direction but not the other. However, per my last post, the problem isn't with NAT. It's with my device not knowing about default gateways, which means it doesn't know to send traffic back to the VLAN when the HTTP request comes from a host outside of its local network. I tried turning on ip proxy-arp on the VLAN and making sure its mask matched that of my device (full class C), but it still isn't working. I'm not sure if the dish isn't sending an ARP request for the distant host when it receives a request, or if the VLAN isn't responding with a "hey, send it to me."

            Josh



            • #7
              Re: Using NAT for remote management

              Originally posted by j_wellman2005:
              auglan

              I think we are on the same page. NAT is working in one direction but not the other. However, per my last post, the problem isn't with NAT. It's with my device not knowing about default gateways, which means it doesn't know to send traffic back to the VLAN when the HTTP request comes from a host outside of its local network. I tried turning on ip proxy-arp on the VLAN and making sure its mask matched that of my device (full class C), but it still isn't working. I'm not sure if the dish isn't sending an ARP request for the distant host when it receives a request, or if the VLAN isn't responding with a "hey, send it to me."

              Josh
              Sorry I must have posted at the same time you did. I was going to say make sure proxy-arp is enabled on that layer 3 interface. You can run debug arp to see if the arp request is being generated.



              • #8
                Re: Using NAT for remote management

                I don't think it's generating an ARP request, because when I do a debug arp and then try to pull up the web interface, I don't get any indication that an ARP request has been generated.

                Josh



                • #9
                  Re: Using NAT for remote management

                  Are there no diagnostic tools available on the modem itself? Ping, Trace, Logs etc.
                  Last edited by auglan; 20th April 2012, 16:39.



                  • #10
                    Re: Using NAT for remote management

                    Not that I can see. I'm digging into the documentation a little further, but it looks like it's assumed that you'll just be managing it locally. I read a document a little bit ago where someone was trying a similar feat with a device similar to mine, i.e. no gateway nor the ability to change the management interface. They accomplished it by using a layer 3 interface, assigning two IPs to it, and using nat outside. Right now I don't have another L3 interface on my router, so I'm still trying to work it with VLANs, but at some point I may have to bow out and get a card that supports L3. Thanks for all the help.

                    Josh



                    • #11
                      Re: Using NAT for remote management

                      Let me know how it goes. Thanks.



                      • #12
                        Re: Using NAT for remote management

                        So I've got a 95% solution. I contacted the manufacturer of the satellite system I was trying to monitor and sweet-talked them until they gave me the Linux password that runs the whole thing. Logging in, I ran a command to manually add a default route (route add default gw 192.168.1.2 eth0) and everything is working!! So now, from anywhere on my network, I can remotely log into my system to check its stats / receive levels. The reason I said 95% solution is that after a power cycle, the unit no longer remembers the gateway address, since I manually entered it. I tried modifying some of the config files so that it would be there upon bootup, but no joy as of yet. I'm confident though, after all of the work I've done so far, I'll crack the last 5%. Thanks for all your advice.

                        Josh
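The failure mode worked through in this thread (the modem has only an IP and mask, so it cannot answer a client off its own subnet even though the port-forward translation is built), and two ways out of it, as an added Python model that is not part of the thread or of any vendor's code: the default route Josh added on the modem, and the alternative of having the router also rewrite the client's source address to its own VLAN address so the modem only ever talks to an on-link peer (an assumption of this example, not something the thread configured). Addresses are the constructed ones the thread uses, with the modem's mask taken as the "full class C" from post #6.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses mirroring the thread: home host, tunnel interface,
# the router's VLAN address facing the modem, and the fixed modem address.
HOME_HOST = "172.16.1.1"
TUNNEL_IP = "10.10.10.10"
ROUTER_VLAN_IP = "192.168.1.2"
MODEM_IP = "192.168.1.1"
MODEM_MASK = "255.255.255.0"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Modem:
    """A host with only an IP and mask. It can answer on-link peers, and
    off-link peers only if a default gateway has been configured."""
    ip: str
    mask: str
    gateway: Optional[str] = None

    def reply_to(self, pkt: Packet) -> Optional[Packet]:
        net = ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)
        if ipaddress.ip_address(pkt.src) in net or self.gateway:
            return Packet(self.ip, pkt.src, pkt.dport, pkt.sport)
        return None  # no route back: the HTTP reply never leaves the modem


def router_inbound(pkt: Packet, hide_source: bool) -> Packet:
    """Static port-forward, like 'ip nat inside source static tcp ... 80'.
    With hide_source the router also rewrites the client address to its VLAN
    address (assumed extra source translation, not from the thread)."""
    if pkt.dst != TUNNEL_IP or pkt.dport != 80:
        return pkt  # not port 80: untouched, so GRE/SSH keep reaching the router
    src = ROUTER_VLAN_IP if hide_source else pkt.src
    return Packet(src, MODEM_IP, pkt.sport, 80)


def web_request_succeeds(modem: Modem, hide_source: bool = False) -> bool:
    """True if an HTTP request from the home host gets an answer back."""
    req = Packet(HOME_HOST, TUNNEL_IP, 56123, 80)
    reply = modem.reply_to(router_inbound(req, hide_source))
    return reply is not None and reply.dport == 56123
```

With no gateway and no source rewrite the request is translated but never answered, which is exactly the one-way translation table seen in the first post.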



                        • #13
                          Re: Using NAT for remote management

                          Sweet. Well done. Is there no way to make the route persistent, like on a Windows box? Either way, glad you got most of it worked out. Just out of curiosity, what type of modem is it? I may run across this some day.



                          • #14
                            Re: Using NAT for remote management

                            Auglan,

                            There has to be a way to make it persistent. My knowledge of Linux is somewhat limited, but I've dug through the file structure in /etc/ and found the couple of files that generate the IP addresses and routes. However, I have thus far been unsuccessful in modifying them correctly to get it to boot up with my default route. Right now there is a file /etc/rc that basically reads in a bunch of other files. The one I'm particularly interested in is /etc/rc.route or something to that effect. It has an algorithm in it to read in another file, /etc/config/route, that currently has a multicast route in it (224.0.0.0) to fill the routing table. I created a separate line in the /etc/config/route file for my default route, but it didn't work. From what I can tell, I'm using the right syntax, but it still isn't booting up with it. Next I tried to just add my own file called /etc/rc.defaultRoute. Inside it I added the exact command that I ran from the command line for adding my default route. I then modified the original /etc/rc file to execute this file. Again, upon boot-up, there isn't a default route. I know the syntax in this file is correct, because if I run it from bash with sh /etc/rc.defaultRoute it works. I'm just not sure why it isn't doing the same thing during the /etc/rc execution. I'll start in again on Monday. Eventually I'll get it. It's just a matter of figuring out what makes this thing tick!!

                            As far as the modem, it's not actually just the modem. It's a complete satellite terminal by SweDish (distributed by Rockwell Collins). What we've been trying to do is to remotely log into the management interface of the dish to check status messages, warnings/errors, and modem receive levels / settings. Now with this setup, I can fire up the management client, point it to my distant-end tunnel interface, and I'm staring at the management screen (after getting the webpage to work, it was just a matter of wiresharking to find out what port the management client used). It's pretty awesome. Just as cool is that if we have a backup link going into the router, we'll be able to remotely diagnose dish failures so that we can make sure we are bringing the appropriate spare parts during a dish failure!

                            Josh



                            • #15
                              Re: Using NAT for remote management

                              Sounds like a cool setup.
