topic Hi Andre, in Network Access Control

Issue with Dynamic and Static Nat

andremagri — Mon, 11 Mar 2019 06:33:56 GMT

I have the following configuration

I have about 50 internal hosts that have static nats assigned with their respective services defined in the nat statement which I need to remove as I need to use dns-doctoring.

This is the config:

object network LB-TEST1
host 10.0.0.51

object network LB-TEST2
host 10.0.0.52

object network LB-TEST9
host 10.0.0.59

object network LB-TEST1
nat (any,Wan) static 1.1.1.1

object network LB-TEST2-HTTP
nat (any,Wan) static 1.1.1.2 service tcp www www

object network LB-TEST9
nat (any,Wan) static 2.2.2.2

nat (Lan,Wan) after-auto source dynamic any interface description Allow Internet Access to the Lan Network
WAN IP: 4.4.4.4

LB-TEST1 public ip 1.1.1.1
LB-TEST2 public ip 4.4.4.4
LB-TEST9 public ip 4.4.4.4

I can understand LB-TEST1 and LB-TEST2 but in this case shouldn't LB-TEST9's public ip be 2.2.2.2 ?

Hi Andre,

Aditya Ganjoo — Thu, 10 Mar 2016 10:38:22 GMT

Hi Andre,

Yes you are right LB-TEST9's IP should be 2.2.2.2

Also for WWW service LB-TEST2 IP should be 1.1.1.2 and not 4.4.4.4

Regards,

Aditya

Please rate helpful posts.

@Aditya Ganjoo I'm testing

andremagri — Thu, 10 Mar 2016 10:45:47 GMT

adganjoo I'm testing using whatsmyip.org so since the source port is dynamic in this case LB-TEST2 is returning 4.4.4.4 but replies from source port 80 should be translated to 1.1.1.2 as you said.

How do I make LB-TEST1 translate to 4.4.4.4 like the rest so that I can use the dns keyword?

Hi Andre,

Aditya Ganjoo — Thu, 10 Mar 2016 10:54:08 GMT

Hi Andre,

No the NAT statement for WWW is for the port 80 service.

object network LB-TEST2-HTTP
nat (any,Wan) static 1.1.1.2 service tcp www www

Can you check what is LB-TEST2-HTTP object is ?

Use the command sh run object id LB-TEST2-HTTP.

So lets say if i need to access the web services on any of the internal server I would use the NAT IP on port 80.

Regards,

Aditya

made a mistake earlier, I

andremagri — Thu, 10 Mar 2016 12:54:44 GMT

made a mistake earlier, I should have included this one:

object network LB-TEST2-TEST
host 10.0.0.52

I found out what happened though in the meantime, the host LB-TEST9 has 2 ip addresses and the primary interface is set to another nat statement. This explains why the public ip is different.

So what I would like to do is taking into consideration these 2 nats:

object network LB-TEST2-HTTP
nat (any,Wan) static 1.1.1.2 service tcp www www

object network LB-TEST3-HTTP
nat (any,Wan) static 1.1.1.3 service tcp www www

From LB-TEST2 or any other internal host I would like to access each other through HTTP using the internal ip instead of the outside one.