Confused about NAT [Auto Vs. Manual] and Static vs. Dynamic

TheGoob (VIP)

Hi

So I am just confused over the concepts, and google is not helping. It recites specifics, but nothing that explains.

So, for example. I have several WAN IPs and several LAN Networks [vlans] and will just be dealing with one.

First, I made a MANUAL Dynamic NAT; x.x.x.180 [WAN IP] to 192.168.1.0 [LAN Network] - - To me, that means associate ANY LAN IP 192.168.1.0/24 with WAN IP x.x.x.180. This works, no matter what IP on the 1.x LAN grabs the correct WAN IP.

Second, I make ACLs allowing for Incoming [WAN to LAN] access: Allow incoming from outside to inside 192.168.1.180 Port 25.

Still did not work. So then I made another manual NAT but static x.x.x.180 to 192.168.1.180. [I did not specify] ports.


Now it works, incoming and outgoing mail. But works does not mean works right. How does a NON PORT SPECIFIC 2nd Static NAT make it work? The NAT isn't saying anything about email port 25, so how does it know??

Accepted Solution

TheGoob (VIP)

Oh for the love of!!!

First of all, I rarely run firewall specifics on this type of server, as only 2 ports are open and ruled by the Cisco FPR, but it just occurred to me that several months back I fussed around with it and, sure enough, 80 was blocked. I unblocked it and bam, it works.

How embarrassing.


16 Replies

First, I made a MANUAL Dynamic NAT; x.x.x.180 [WAN IP] to 192.168.1.0 [LAN Network] - - To me, that means associate ANY LAN IP 192.168.1.0/24 with WAN IP x.x.x.180. This works, no matter what IP on the 1.x LAN grabs the correct WAN IP.

This NAT is for the IP addresses on the inside LAN to be translated to the outside in a public IP - x.x.x.180

Second, I make ACLs allowing for Incoming [WAN to LAN] access: Allow incoming from outside to inside 192.168.1.180 Port 25.

The ACL is basically for inspecting traffic.

Still did not work. So then I made another manual NAT but static x.x.x.180 to 192.168.1.180. [I did not specify] ports.


This NAT is needed in order to permit outside traffic from the originating mail server to be translated to the real server IP - 192.168.1.180

Now it works, incoming and outgoing mail. But works does not mean works right. How does a NON PORT SPECIFIC 2nd Static NAT make it work? The NAT isn't saying anything about email port 25, so how does it know??


The "NON PORT SPECIFIC 2nd Static NAT" translates ALL ports for the specified IP address.

Regards, LG
*** Please Rate All Helpful Responses ***

That all makes more sense… Would it be wise to indeed make them port specific? Or does it not matter, as I do not have ACLs permitting ports other than what I want anyway.

It's always a good idea to be very specific when it comes to firewall configuration. For that matter, I always configure the NAT and the ACLs as specifically as possible.

Regards, LG

Not to sound redundant, but do I need to make a NAT entry for any incoming port access alongside an ACL?

So, if I am doing 25, 443 and 80, do I make 3 NATs?

Yes, you do have to configure 3 NAT entries, one for each port you intend to use - 25, 443, 80.

Regards, LG

Hi

Then I am doing something wrong.

I made a NAT entry for Port 80 and created an ACL for Port 80...NAT is a MANUAL NAT, Above the default NAT.

But when I do Letsencrypt [certificate maker] I get this error:

Fetching http://mail.fbeye.org/.well-known/acme-challenge/IU4TxWtsgccFG7iQS3HMBqWAybIsQpmd9zLm-7oWrJU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

I can see that port 25 is open on mail.fbeye.org, but ports 80 and 443 are not.

What is the difference between port 25 NAT config and port 80 NAT config?

Regards, LG

Well this is what I am trying to figure out.

25 is for my incoming mail, 80 is for incoming Letsencrypt certificate authentication. 443 for now is just open. Here are the NAT/ACL for the 80:

Can I see the NAT screenshot for port 25 as well, please?

Regards, LG

Yes, but right now I do not have anything specific, just a STATIC Manual NAT as such [which I guess could be my problem, because it may be overruling the 80, now that I think about it].

The NAT rule "fbeye_mail" is not restricted to any ports - it translates all ports on object group "fbeye_mail" to object group "fbeye_WAN". 

What is NAT rule "fbeye_Networks"?

Regards, LG

So, starting from the beginning.

I have a NAT, a Dynamic rule associating ALL of [LAN] 192.168.1.0/24 to [WAN] x.x.x.180.

I then want to allow access [incoming] on 80 and 25, so I create two NEW STATIC NAT rules above the default NAT rule. That is where I am at.

1.) associating the LAN Network with the WAN IP [reason for this is I simply want any IP on the 1.0 network to have the .180 WAN IP by default]

2.) creating the incoming 25 rule and

3.) creating the incoming 80 rule... ALL on WAN x.x.x.182 to LAN [Specific] 192.168.1.180


fbeye_network = 192.168.1.0/24

fbeye_mail = 192.168.1.180

fbeye_WAN = x.x.x.180 WAN IP

What other ACL rules do you have? Do you have an ACL rule permitting traffic from source interface "vlan2" to destination interface "outside"?

Regards, LG
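The setup LG is walking TheGoob towards, written out as ASA-style CLI. This is an added example, not configuration from this thread or from the poster's Firepower; the object names and the interface names vlan2/outside are the ones used in the thread, 203.0.113.180 is a constructed stand-in for x.x.x.180, and the assumption is that in manual (twice) NAT the port of the real inside server is expressed as the service object's source port.

```cisco
! Objects as named in the thread; 203.0.113.180 is a constructed stand-in for x.x.x.180
object network fbeye_network
 subnet 192.168.1.0 255.255.255.0
object network fbeye_mail
 host 192.168.1.180
object network fbeye_WAN
 host 203.0.113.180
! Service objects: for the real (inside) server the port is the SOURCE port of its replies (assumption)
object service tcp_25
 service tcp source eq 25
object service tcp_80
 service tcp source eq 80
object service tcp_443
 service tcp source eq 443

! Section 1 (manual NAT evaluated before auto NAT, first match wins):
! one static, port-specific rule per published port, only for the mail host
nat (vlan2,outside) source static fbeye_mail fbeye_WAN service tcp_25 tcp_25
nat (vlan2,outside) source static fbeye_mail fbeye_WAN service tcp_80 tcp_80
nat (vlan2,outside) source static fbeye_mail fbeye_WAN service tcp_443 tcp_443
! Section 3 (after-auto): the rest of the LAN leaves hidden behind the single WAN IP (PAT)
nat (vlan2,outside) after-auto source dynamic fbeye_network fbeye_WAN

! The NAT only translates; the inbound ACL is what admits the traffic.
! On ASA 8.3+ the ACL matches the REAL (untranslated) inside address.
access-list outside_in extended permit tcp any object fbeye_mail eq 25
access-list outside_in extended permit tcp any object fbeye_mail eq 80
access-list outside_in extended permit tcp any object fbeye_mail eq 443
access-group outside_in in interface outside
```

Because the static rules carry a port, a non-matching inbound port never reaches the mail host even if the dynamic rule below is broader; compare this with the thread's all-ports "fbeye_mail" rule, which exposes every port that the ACL happens to permit.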

Hmmm, that I do not. I do not have any specific "outgoing" rule, only the default 'inside to outside' in which fbeye/vlan2 is associated with inside.