https://community.cisco.com/t5/network-security/static-nat/m-p/913742#M941909 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Always u r response very helpfull for me.Thanks again and again.So As per my senario i require 2 public ip's to do Nat in firewall(1 firewall interface and 1 for Static Nat)..But i have one free ip only..So i did Static Nat in router level itself..Let me explain my problem</P><P></P><P> My firewall is in Data center(DC)..Webserver is in branch as i said in the diagram.If i place in the webserver in DC i can access from outside..but if i place the webserver in branch(R3 router) i m unable to access from outside(getting connections in firewall(saAB))..I think some routing issue..As per current setup we have route in router to connect DC network.I think we have to add route in router like the request from internet need to go to outside(Kindly let me know the route)..Provide me ur valuable information</P><P></P><P> </P></BODY></HTML> Mon, 25 Feb 2008 06:19:41 GMT sureshkumar 2008-02-25T06:19:41Z https://community.cisco.com/t5/network-security/static-nat/m-p/913740#M941907 <P>Hi,</P><P></P><P> ISP--R1--Firewall--R2--R3--Pc(webserver)</P><P></P><P> ISP is terminated in the R1 router.To provide internet for users, Dynamic NATing are given in the rotuer(R1) level itself.R1 F0 ip is primary public ip and Secondary ip is private ip which is terminated in the Firewall interface(Private ip)..Now i need to privide Static Nat for my webserver.Is it possible to do it in Firewall..I think we can't....i have to do only in the router..</P> Mon, 11 Mar 2019 12:07:36 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913740#M941907 sureshkumar 2019-03-11T12:07:36Z https://community.cisco.com/t5/network-security/static-nat/m-p/913741#M941908 <HTML><HEAD></HEAD><BODY><P>well the public ip address would be translated on router to firewall interface ip/or any other free ip from that pool and then on firewall we need</P><P></P><P>static (inside,outside) tcp interface/ip 80 <REAL ip="" of="" server=""> 80</REAL></P><P></P><P>access-l abc permit tcp any host interface eq 80</P><P>access-g abc in interface outside</P></BODY></HTML> Sat, 23 Feb 2008 14:40:43 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913741#M941908 abinjola 2008-02-23T14:40:43Z https://community.cisco.com/t5/network-security/static-nat/m-p/913742#M941909 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Always u r response very helpfull for me.Thanks again and again.So As per my senario i require 2 public ip's to do Nat in firewall(1 firewall interface and 1 for Static Nat)..But i have one free ip only..So i did Static Nat in router level itself..Let me explain my problem</P><P></P><P> My firewall is in Data center(DC)..Webserver is in branch as i said in the diagram.If i place in the webserver in DC i can access from outside..but if i place the webserver in branch(R3 router) i m unable to access from outside(getting connections in firewall(saAB))..I think some routing issue..As per current setup we have route in router to connect DC network.I think we have to add route in router like the request from internet need to go to outside(Kindly let me know the route)..Provide me ur valuable information</P><P></P><P> </P></BODY></HTML> Mon, 25 Feb 2008 06:19:41 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913742#M941909 sureshkumar 2008-02-25T06:19:41Z https://community.cisco.com/t5/network-security/static-nat/m-p/913743#M941910 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Kindly provide me solution as soon.</P></BODY></HTML> Mon, 25 Feb 2008 13:14:17 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913743#M941910 sureshkumar 2008-02-25T13:14:17Z https://community.cisco.com/t5/network-security/static-nat/m-p/913744#M941911 <HTML><HEAD></HEAD><BODY><P>you don't need 2 free IPs..you can do static PAT using firewalls outside IP</P></BODY></HTML> Mon, 25 Feb 2008 14:52:04 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913744#M941911 abinjola 2008-02-25T14:52:04Z https://community.cisco.com/t5/network-security/static-nat/m-p/913745#M941912 <HTML><HEAD></HEAD><BODY><P>Thanks..As per now i can't change interface ip of firewall.so i did already in router..but unable to access from outside..some routing issues are there still..Can u plz help me out..</P></BODY></HTML> Mon, 25 Feb 2008 15:29:19 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913745#M941912 sureshkumar 2008-02-25T15:29:19Z https://community.cisco.com/t5/network-security/static-nat/m-p/913746#M941913 <HTML><HEAD></HEAD><BODY><P>to what ip address is router translating the request to ?</P><P>Give me the sh run static/sh static output, sh run access-group</P><P></P></BODY></HTML> Mon, 25 Feb 2008 15:36:54 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913746#M941913 abinjola 2008-02-25T15:36:54Z https://community.cisco.com/t5/network-security/static-nat/m-p/913747#M941914 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Pix Fw(535)--3 interface(inside, outside, branch)</P><P></P><P>3 Routers(R1,R2 and R3)</P><P></P><P>Webserver--in brach(R3)</P><P></P><P>In beteween R2 and R3---OSPF--Is there anything need to add?</P><P></P><P>R1--NAT, PAT and routes( Default towards Serial int, Network based towards Firewall Int)</P><P></P><P>Pix--(Acl from out to in, Default route towards outside, network routes towards branch and inside, nonat for translation in higher Security interface)</P><P></P><P>If i access from outside to webserver i m finding conn in firewall( conn status : saAB)..Even i m finding the outsid world ip in my webserver log also..Some return traffic flow is not happening..</P><P></P></BODY></HTML> Tue, 26 Feb 2008 07:34:18 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913747#M941914 sureshkumar 2008-02-26T07:34:18Z https://community.cisco.com/t5/network-security/static-nat/m-p/913748#M941915 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In R1</P><P>#sh run | incl static</P><P>Ip nat outside static 172.x.x.x 203.x.x.x</P><P></P><P>Rest of the things unable to do. </P></BODY></HTML> Tue, 26 Feb 2008 12:16:18 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913748#M941915 sureshkumar 2008-02-26T12:16:18Z https://community.cisco.com/t5/network-security/static-nat/m-p/913749#M941918 <HTML><HEAD></HEAD><BODY><P>Suresh..as a test allow icmp through the firewall and ping the web server, also can you ping the webserver from the firewall..?</P><P></P><P>Can you tell me the real ip address of the web server ? if possible post your config here</P></BODY></HTML> Tue, 26 Feb 2008 12:54:32 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913749#M941918 abinjola 2008-02-26T12:54:32Z https://community.cisco.com/t5/network-security/static-nat/m-p/913750#M941921 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks u very much..Kindly find the attached file..In my client place i m taking care only Pix..rest of the router parts all taking care by other vendor..Static Nat is in router level..let me know the router level routes and verify the PIX config also..If i try to access from outside i m finding conn status(saAB)..</P><P></P><P>TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB</P><P>TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB</P><P>TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB</P><P></P><P>I m finding the public ip(123.176.41.235) in websever log also..I think return traffic is not flowing.....</P><P></P><P> </P><P></P></BODY></HTML> Tue, 26 Feb 2008 14:31:59 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913750#M941921 sureshkumar 2008-02-26T14:31:59Z https://community.cisco.com/t5/network-security/static-nat/m-p/913751#M941925 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>kindly ignore the previous post..attachment is not there</P><P></P><P>Thanks u very much..Kindly find the attached file..In my client place i m taking care only Pix..rest of the router parts all taking care by other vendor..Static Nat is in router level..let me know the router level routes and verify the PIX config also..If i try to access from outside i m finding conn status(saAB)..</P><P></P><P>TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB</P><P>TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB</P><P>TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB</P><P></P><P>I m finding the public ip(123.176.41.235) in websever log also..I think return traffic is not flowing.....</P><P></P><P> </P><P></P><P></P><P><B>Attachment Keywords : </B> </P><P></P></BODY></HTML> Tue, 26 Feb 2008 14:37:03 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913751#M941925 sureshkumar 2008-02-26T14:37:03Z https://community.cisco.com/t5/network-security/static-nat/m-p/913752#M941927 <HTML><HEAD></HEAD><BODY><P>config looks good...are we able to ping the webserver from the firewall ?</P><P>can you get me sh ip route from both r2 and r3 ?</P></BODY></HTML> Tue, 26 Feb 2008 15:59:11 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913752#M941927 abinjola 2008-02-26T15:59:11Z https://community.cisco.com/t5/network-security/static-nat/m-p/913753#M941928 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Unable to ping the webserver from firewall..</P><P>But i can ping R3 router from R1 and from R1 to R3...</P><P></P><P>Kindly find the atached file R2 ad R3...In R3 no static routes..as i said before OSPF..</P><P></P><P> </P><P></P></BODY></HTML> Wed, 27 Feb 2008 05:36:59 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913753#M941928 sureshkumar 2008-02-27T05:36:59Z https://community.cisco.com/t5/network-security/static-nat/m-p/913754#M941929 <HTML><HEAD></HEAD><BODY><P>from webserver can you ping R1..?</P><P>run debug icmp trace on firewall while you initiate a ping from webserver to R1 and 4.2.2.2 simultaneously</P></BODY></HTML> Wed, 27 Feb 2008 12:16:50 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913754#M941929 abinjola 2008-02-27T12:16:50Z https://community.cisco.com/t5/network-security/static-nat/m-p/913755#M941930 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes..I can...Is there any issues with the routes in router R1 and R2..</P></BODY></HTML> Wed, 27 Feb 2008 12:20:42 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913755#M941930 sureshkumar 2008-02-27T12:20:42Z https://community.cisco.com/t5/network-security/static-nat/m-p/913756#M941931 <HTML><HEAD></HEAD><BODY><P>hey Suresh..the connection detail TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB, clearly indicate that there was no return synack on the firewall back from web server, so either the issue is on WEBSERVER or R2 or R2 </P><P>Now from WEBserver are you able to ping 4.2.2.2 through the firewall ? do you see these ICMPs request and replies in debug icmp trace ?</P><P></P><P>I don't see a DG on R2..??how would R2 know where to send the return packet ...</P><P></P></BODY></HTML> Wed, 27 Feb 2008 12:28:19 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913756#M941931 abinjola 2008-02-27T12:28:19Z https://community.cisco.com/t5/network-security/static-nat/m-p/913757#M941933 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>After once added route in R2..we got the connectivity...Thanks for ur support..</P><P></P><P></P><P></P><P></P></BODY></HTML> Fri, 29 Feb 2008 10:41:14 GMT https://community.cisco.com/t5/network-security/static-nat/m-p/913757#M941933 sureshkumar 2008-02-29T10:41:14Z