topic Re: Cannot connect using NATTED IP in Network Security

Cannot connect using NATTED IP

griever060684 — Mon, 11 Mar 2019 13:56:36 GMT

Hello,

I am again having another problem with my NATTED ip.

We have connected a server on one of the Firewall interface. I can Ping the server 10.26.34.20 from the Firewall context at the same time, I can ping the 10.10.10.10 server from the firewall. I have configured, NAT for 10.10.10.10 to be represented as 10.26.34.10. I however cannot PING 10.26.34.10 from 10.10.10.10

I am attaching logs from our firewall and please let me know where I might have gone wrong.

%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/4388 gaddr 10.34.26.14/4388 laddr 10.34.26.14/8

%FWSM-6-305009: Built static translation from VLAN300 :10.10.10.10 to VLAN1300 :10.26.34.10

%FWSM-6-302013: Built outbound TCP connection 145842752990351296 for VLAN300 :10.10.10.10/47014 (10.26.34.10/47014) to VLAN1300 :10.26.34.20/22 (10.26.34.20/22)

%FWSM-6-302014: Teardown TCP connection 145842752990351296 for VLAN300 :10.10.10.10/47014 to VLAN1300 :10.26.34.20/2

%FWSM-6-302013: Built outbound TCP connection 145842752990351297 for VLAN300 :10.10.10.10/47014 (10.26.34.10/47014) to VLAN1300 :10.26.34.20/22 (10.26.34.20/22)

%FWSM-6-302014: Teardown TCP connection 145842752990351297 for VLAN300 :10.10.10.10/47014 to VLAN1300 :10.26.34.20/2

%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/45343 gaddr 10.26.34.10/45343 laddr 10.10.10.10/8

%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/45343 gaddr 10.26.34.10/45343 laddr 10.10.10.10/8

%FWSM-6-302013: Built outbound TCP connection 145842752990351299 for VLAN300 :10.10.10.10/47015 (10.26.34.10/47015) to VLAN1300 :10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145842752990351299 for VLAN300 :10.10.10.10/47015 to VLAN1300 :10.26.34.20/6

%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47015 flags SYN ACK on interface VLAN1300

%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47015 flags RST on interface VLAN1300

%FWSM-6-302013: Built outbound TCP connection 145842752990351300 for VLAN300 :10.10.10.10/47015 (10.26.34.10/47015) to VLAN1300 :10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145842752990351300 for VLAN300 :10.10.10.10/47015 to VLAN1300 :10.26.34.20/6

%FWSM-6-302013: Built outbound TCP connection 145842752990351301 for VLAN300 :10.10.10.10/47015 (10.26.34.10/47015) to VLAN1300 :10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145842752990351301 for VLAN300 :10.10.10.10/47015 to VLAN1300 :10.26.34.20/6

Re: Cannot connect using NATTED IP

Marwan ALshawi — Mon, 13 Oct 2008 06:28:03 GMT

do u have permit statment on the FWSM interfaces

because fwsm has deny all on all interfaces not like

ASA make sure u have the right ACLs that permit the traffic

and as long as u can ping end to end ur routing looks ok

but if u can post the FWSM and MSFC config will be easier

good luck

Re: Cannot connect using NATTED IP

griever060684 — Mon, 13 Oct 2008 07:20:55 GMT

hi. I cannot ping from end to end, but if im from the firewall context, I can ping both servers. 10.10.10.10 and 10.26.34.20.

i am attaching config of fw context and a protion of the router config.

hope this helps.

Re: Cannot connect using NATTED IP

Marwan ALshawi — Mon, 13 Oct 2008 08:03:20 GMT

ok on the edge u mean MSFC

do u have and SVI interface

for example lets say the interface connected to core router is in vlan 1331

give it and ip address make L3 interface and put the interface connected to core router in this vlan for example

interface vlan 1311

ip address 13.13.13.13 255.255.255.0

no shut

now u need and SVI for vlan 300 and this will used to route traffic to 10.10.10.10 server

for example in MSFC

interface vlan 300

ip address 10.133.2.41 255.255.255.252

no shut

now lets say the core router directly connected interface as we said in vlan 1311

lets say 13.13.13.1

now make static route to 10.10.10.10

ip route 10.10.10.10 255.255.255.255 13.13.13.1

now on the FWSM

route vlan300 10.10.10.10 255.255.255.255 10.133.2.41

10.133.2.41 represent the vlan300 SVI we just created

try the above carefully then let me know

some times for nating u need to do

clear conn

clear xlate

good luck

Re: Cannot connect using NATTED IP

griever060684 — Mon, 13 Oct 2008 09:22:04 GMT

Hi,

I have already carried it out and I am able to see hits on the Firewall logs, however, I am still unable to PING the server. I have a good route since I am already able to translate 10.10.10.10 to 10.26.34.10.

I can ping the two server IF i am on the Firewall COntext.

I am getting these on the FIREWALL LOGs

%FWSM-6-305009: Built static translation from VLAN300:10.10.10.10 to VLAN1300:10.26.34.10

%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/33539 gaddr 10.26.34.10/33539 laddr 10.10.10.10/8

%FWSM-6-302020: Built outbound ICMP connection for faddr 10.26.34.20/17533 gaddr 10.26.34.10/17533 laddr 10.10.10.10/8

%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/33539 gaddr 10.26.34.10/33539 laddr 10.10.10.10/8

%FWSM-6-302021: Teardown ICMP connection for faddr 10.26.34.20/17533 gaddr 10.26.34.10/17533 laddr 10.10.10.10/8

%FWSM-6-302013: Built outbound TCP connection 145843191077015439 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145843191077015439 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 324 Conn-timeout

%FWSM-6-302013: Built outbound TCP connection 145843191077015440 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145843191077015440 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout

%FWSM-6-302013: Built outbound TCP connection 145843191077015441 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145843191077015441 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout

%FWSM-6-302013: Built outbound TCP connection 145843191077015442 for VLAN300:10.10.10.10/47026 (10.26.34.10/47026) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145843191077015442 for VLAN300:10.10.10.10/47026 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout

%FWSM-6-302013: Built outbound TCP connection 145843191077015443 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47026 flags SYN ACK on interface VLAN1300

%FWSM-6-106015: Deny TCP (no connection) from 10.26.34.20/6034 to 10.26.34.10/47026 flags RST on interface VLAN1300

%FWSM-6-302014: Teardown TCP connection 145843191077015443 for VLAN300:10.10.10.10/47027 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 324 Conn-timeout

%FWSM-6-302013: Built outbound TCP connection 145843191077015444 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

%FWSM-6-302014: Teardown TCP connection 145843191077015444 for VLAN300:10.10.10.10/47027 to VLAN1300:10.26.34.20/6034 duration 0:00:20 bytes 230 Conn-timeout

%FWSM-6-302013: Built outbound TCP connection 145843191077015445 for VLAN300:10.10.10.10/47027 (10.26.34.10/47027) to VLAN1300:10.26.34.20/6034 (10.26.34.20/6034)

SHE-FW01# ping 10.26.34.20

Sending 5, 100-byte ICMP Echos to 10.26.34.20, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

SHE-FW01# ping 10.10.10.10

Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms