Traffic not flowing for hosts behind NAT - Edge Router Lite

EddieJennings

So. With the limited time I had this morning, here's what went down.

1. Swapped ASA for ERL. Non NAT'd stuff = fine. NAT'd stuff = not so much.
2. Put the ASA back in to make sure stuff would work again (because I'm a fool).
3. Put a switch between my network and the data center network drop, and so I can have both ASA and ERL in service (have enough public IPs to do this).
4. Get a call from the data center making sure everything was ok because I apparently caused a STP problem for them by having a flapping connection (see the end of #2).
5. Just now had time to work with my new setup (data center > switch 1> ASA, 2> ERL).

The result:

I setup an apache server, changed IPs in the ERL's configuration to reflect the new public IP, updated the NAT rules to reflect the new IPs, updated the rule to allow port 80 traffic to reflect the new internal IP. No other configuration changes other than changing the IPs. Traffic passed for my NAT'd device (the apache server) with zero problems.

So after my embarrassment this morning and various menial tasks during the day, there is some light. My little test environment had traffic flowing.

Here's the curious thing from this morning. You can see at the top source NAT was doing translations. The packet capture shows traffic hitting the eth0 interface bound for the public IP of the IIS server, but you see on the bottom right, no destination NAT translations happening. In the test environment described above, I do have destination NAT translations.

Dashrender

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

I setup an apache server, changed IPs in the ERL's configuration to reflect the new public IP, updated the NAT rules to reflect the new IPs, updated the rule to allow port 80 traffic to reflect the new internal IP. No other configuration changes other than changing the IPs. Traffic passed for my NAT'd device (the apache server) with zero problems.

Sadly - I've seen this before. The output telling you that settings were right, but something in the black box is just stuck, and only wiping and reloading fixed it. So you changing the IPs fixed whatever was stuck.

Dashrender

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

So. With the limited time I had this morning, here's what went down.

1. Swapped ASA for ERL. Non NAT'd stuff = fine. NAT'd stuff = not so much.
2. Put the ASA back in to make sure stuff would work again (because I'm a fool).
3. Put a switch between my network and the data center network drop, and so I can have both ASA and ERL in service (have enough public IPs to do this).
4. Get a call from the data center making sure everything was ok because I apparently caused a STP problem for them by having a flapping connection (see the end of #2).
5. Just now had time to work with my new setup (data center > switch 1> ASA, 2> ERL).

I'm a bit surprised you didn't have issues before you even left the DC assuming the ASA and ERL were both on the same IPs. At least it was an easy fix. Did you have to return to the DC to fix it?

EddieJennings

@dashrender said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

So. With the limited time I had this morning, here's what went down.

1. Swapped ASA for ERL. Non NAT'd stuff = fine. NAT'd stuff = not so much.
2. Put the ASA back in to make sure stuff would work again (because I'm a fool).
3. Put a switch between my network and the data center network drop, and so I can have both ASA and ERL in service (have enough public IPs to do this).
4. Get a call from the data center making sure everything was ok because I apparently caused a STP problem for them by having a flapping connection (see the end of #2).
5. Just now had time to work with my new setup (data center > switch 1> ASA, 2> ERL).

I'm a bit surprised you didn't have issues before you even left the DC assuming the ASA and ERL were both on the same IPs. At least it was an easy fix. Did you have to return to the DC to fix it?

The fix happened when I settled on the DC > switch > routers configuration (which was the last thing I did before I left). I didn't get the notifications until later -- thus, next thing on the list is to update whatever contact information they have for us, as I didn't get a notification until one of my bosses forwarded me a voice mail.

EddieJennings

Take 3 is a partial success. All hosts except the IIS host has full Internet connectivity. The IIS host is accepting web and FTP traffic (so NAT's doing its job now :D); however, I can't ping outside my local network, and it can't resolve DNS.

EddieJennings

Despite the above message, problem solved. Had an error in source NAT config (didn't update from my test).

dbeato

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Take 3 is a partial success. All hosts except the IIS host has full Internet connectivity. The IIS host is accepting web and FTP traffic (so NAT's doing its job now :D); however, I can't ping outside my local network, and it can't resolve DNS.

So what is the DNS Server on that Server?

dbeato

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Despite the above message, problem solved. Had an error in source NAT config (didn't update from my test).

Nice! Good job.

EddieJennings

@dbeato said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Take 3 is a partial success. All hosts except the IIS host has full Internet connectivity. The IIS host is accepting web and FTP traffic (so NAT's doing its job now :D); however, I can't ping outside my local network, and it can't resolve DNS.

So what is the DNS Server on that Server?

Same as all of the other servers that could resolve DNS. The issue was forgetting to reconfigure the source NAT rule.

dbeato

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@dbeato said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Take 3 is a partial success. All hosts except the IIS host has full Internet connectivity. The IIS host is accepting web and FTP traffic (so NAT's doing its job now :D); however, I can't ping outside my local network, and it can't resolve DNS.

So what is the DNS Server on that Server?

Same as all of the other servers that could resolve DNS. The issue was forgetting to reconfigure the source NAT rule.

Makes sense now!