topic Sorry I was a little fast in Network Security

NAT Issue

Ejaz Ahmed — Tue, 12 Mar 2019 04:46:15 GMT

Hi Experts,

One of my office have Cisco ASA 5510 with ios 8.4(5). Everything is configured and working fine except the static NAT. I have a block of public IP, which I used to configure static NAT. The internal server which is configured with static NAT is not getting internet or anything. When I removed the static NAT, the internet is getting (through WAN interface IP). The server is placed in the DMZ. I have allowed everything to the server but it is not working.

Regards,

EJAZ

Would help to see your ASA

Marius Gunnerud — Wed, 17 Sep 2014 21:21:27 GMT

Would help to see your ASA configuration to identify where the problem is.

Static NAT can be configured as follows:

object network SERVER
host 10.10.10.1
nat (inside,outside) static 11.11.11.1 tcp 80 80

object network SERVER
host 10.10.10.1

object network SERVER-NAT
host 11.11.11.1

object service WEB
service tcp destination eq www

nat (inside,outside) source static SERVER SERVER-NAT service WEB WEB

Please remember to select a correct answer and rate helpful posts

Hi Marius,Thank you for the

Ejaz Ahmed — Thu, 18 Sep 2014 07:10:11 GMT

Hi Marius,

Thank you for the reply. Please see attached my conifug file.

Please note that I have three servers which configured with static NAT, that are: 172.16.34.1, 172.16.34.2 and 172.16.34.3

Issue with 172.16.34.2 and 172.16.34.3 (Static NAT is not working for these server)

Regards,

Ejaz

Could you please run the

Marius Gunnerud — Thu, 18 Sep 2014 07:10:12 GMT

Could you please run the following packet tracer and post the output here

packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail

This should give us an indication of what is causing the packet to drop.

Please remember to select a correct answer and rate helpful posts

Hi Marius, Please see below

Ejaz Ahmed — Thu, 18 Sep 2014 13:43:57 GMT

Hi Marius,

Please see below the output:

ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail ?

xml Output in xml format
<cr>
ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac0381c0, priority=1, domain=permit, deny=false
hits=16053, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.34.0 255.255.255.0 DMZ

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac69f910, priority=13, domain=permit, deny=false
hits=0, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
hits=873, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf133240, priority=70, domain=inspect-http, deny=false
hits=289, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca29438, priority=50, domain=ids, deny=false
hits=393, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=527, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static 23.30.88.140 service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=DMZ

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Regards,

Ejaz

Could you please run the

Marius Gunnerud — Fri, 19 Sep 2014 06:52:57 GMT

Could you please run the packet tracer again, but this time exchange the 172.16.34.2 address with the translated (public) IP.

Please remember to select a correct answer and rate helpful posts

Hi Marius,Please see the

Ejaz Ahmed — Fri, 19 Sep 2014 08:08:41 GMT

Hi Marius,

Please see the below output, I have changed the IP with Nated Public IP:

ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 x.x.x.x 80 detail

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
NAT divert to egress interface DMZ
Untranslate x.x.x.x/80 to 172.16.34.2/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac69f910, priority=13, domain=permit, deny=false
        hits=2, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=7296, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=358, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca29438, priority=50, domain=ids, deny=false
        hits=701, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=2432, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=987, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=812, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=4656, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31936, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Regards,

Ejaz

As per the packet tracer the

Marius Gunnerud — Fri, 19 Sep 2014 09:18:20 GMT

As per the packet tracer the traffic flow is allowed through the ASA. Have you made sure that the Server is correctly configured? and if that traffic is being switched / routed corrected from the ASA to the server?

Please remember to select a correct answer and rate helpful posts

Hi Marius, Thank you for the

Ejaz Ahmed — Tue, 23 Sep 2014 06:41:48 GMT

Hi Marius,

Thank you for the reply. As of now our devoplment team is working with server and it is not connected to the network. Once it is connected I will let you know the status.

Also can you give advise on the below issue:

In the same firewall configuration like I earlier mentioned, there is no NAT issue with the server 172.16.34.1. Only certain ports are forwarded to the server. I can connect the SIP with NATed public IP to this server and everything working fine for inbound traffic. But when a connection is going from the server (ie outbound) the server is using firewall's WAN interface IP instead of its NAT IP. Why it is going like that? How can we change that?

Regards,

Ejaz

Hi, You say that you have

Jouni Forss — Tue, 23 Sep 2014 06:51:16 GMT

Hi,

You say that you have forwarded the required ports to the server so that inbound connections from the external networks can reach the server but that the problem is when the server opens outbound connections to the external networks? It uses a different public IP address?

The main question here is if any other device uses the public IP address that you have used to forward the ports (Static PAT)? If the public IP address used in the Static PAT configurations for the server is only used for that specific server then you should really change the Static PAT to Static NAT which would in turn mean that the server would use that public IP address for ALL outbound connections. At the same time it would also allow connections on any port inbound for the server (What is allowed is naturally determined by your interface ACL but what I mean is that you would not need any additional NAT configurations to allow connections to some port, only the ACL rule)

Hope this helps 🙂

- Jouni

When you say going outbound

Marius Gunnerud — Tue, 23 Sep 2014 07:28:44 GMT

When you say going outbound do you mean internet traffic?

You could run the packet-tracer again to see which NAT it is matching ( my assumtion is that it is matching the dynamic NAT statement you have configured).

packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail

I am thinking that the NAT statement is trying to match on the source port, and since the PC is sending with a random high port number it wont match and will therefore default to the dynamic NAT statement.

Also could you post your configuration again...I do not see it where you posted it earlier.

Please remember to select a correct answer and rate helpful posts

Hi Please see below output:

Ejaz Ahmed — Tue, 23 Sep 2014 10:03:27 GMT

Please see below output:

ASA5510# packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.34.0 255.255.255.0 DMZ

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

Also I have attached the configuration file.

Regards,

Ejaz

Sorry I was a little fast

Marius Gunnerud — Tue, 23 Sep 2014 10:03:28 GMT

Sorry I was a little fast with my copy/paste. Could you please re-run the packet tracer.

packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail

Please remember to select a correct answer and rate helpful posts

Hi Jouni,Thank you for the

Ejaz Ahmed — Tue, 23 Sep 2014 10:15:53 GMT

Hi Jouni,

Thank you for the reply.

The NATed IP is only using by the server.

Let me know for any further queries.

Regards,

Ejaz

Hi Marius, Please see the

Ejaz Ahmed — Tue, 23 Sep 2014 10:30:39 GMT

Hi Marius,

Please see the below output;

ASA5510# packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_ACCESS_IN_ACL in interface DMZ
access-list DMZ_ACCESS_IN_ACL extended permit tcp object UCALLTEL-DMZ-172.16.34.0 any eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac8f43a8, priority=13, domain=permit, deny=false
        hits=70, user_data=0xa9861c80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=172.16.34.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=3138, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf10e9e0, priority=70, domain=inspect-http, deny=false
        hits=71, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaee1b6b8, priority=50, domain=ids, deny=false
        hits=779, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network UCALLTEL-DMZ-172.16.34.0
nat (DMZ,Outside) dynamic interface
Additional Information:
Dynamic translate 172.16.34.2/12345 to x.30.x.x/12345
Forward Flow based lookup yields rule:
in id=0xac498108, priority=6, domain=nat, deny=false
        hits=43994, user_data=0xac497728, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.16.34.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=14402, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=17760, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=3397, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139995, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Regards,

Ejaz

Hi, In your case the format

Jouni Forss — Tue, 23 Sep 2014 10:30:40 GMT

Hi,

In your case the format for configuring Static NAT for the server would be

object network <object name>
host <server local ip>
nat (DMZ,Outside) static <public ip address> dns

This would bind the local IP address to the public IP address configured on the "nat" command. This would mean that outbound connections would also use this public IP address. If you had a similiar Static PAT configuration already then you would not really need that UNLESS you are changing the mapped/local port in the "nat" command.

But configuring the Static NAT would already mean that it would override the Dynamic PAT for outgoing connections from this server. Naturally there is a small chance depending on your current complete NAT configuration that even this Static NAT might be overridden but I doubt it. If the above "packet-tracer" is for the DMZ server in question then there should be no problem.

- Jouni

Hi Jouni, Great help!!!!! It

Ejaz Ahmed — Tue, 23 Sep 2014 12:34:23 GMT

Hi Jouni,

Great help!!!!! It worked.

Now the server connections are going with NATed Public IP.

Thank you so much for your help.

I have one more issue that need to be resolved. Some other teams are currently working on the server, once they have done with server I need to check on that.

Marius also helping me on that.

Regards,

Ejaz

Hi Marius,From the output it

Ejaz Ahmed — Tue, 23 Sep 2014 12:44:22 GMT

Hi Marius,

From the output it is showing that the connection is going outside with firewall's interface IP. I have configured the command which is provided byJouni Forss.

Now the outbound connection from the server also going with the NATed public IP. Thank you so much for the help. I really appreciate for the help

Ejaz

Hi Jouni,Really appreciate

Ejaz Ahmed — Wed, 24 Sep 2014 07:31:54 GMT

Hi Jouni,

Really appreciate for the replies.

You can check the configuration file I have attached

Regards,

Ejaz

Hi Jouni,We still have the

Ejaz Ahmed — Wed, 08 Oct 2014 03:04:50 GMT

Hi Jouni,

We still have the issue 😞

I have configured three static NAT in the firewall, only one is working correctly.

When I remove the static NAT of other two, the connections from the server is going with WAN IP and everything working.

With the static NAT, no traffics are going outside from the two servers(having issue).

Please help

Regards,

Ejaz