05-04-2009 07:43 AM - edited 03-11-2019 08:27 AM
OK, here is my scenario: I have one internal client which must be accessed externally, so I have set up an external address. Now we have several remote sites; this particular server resides in our North Carolina office. The site has its own internet connection, however prior to installing this internet connection all internet traffic was routed to our PA office.
The problem: when I access the internal client over the internet it successfully traverses the firewall in North Carolina; however, since the internal routers used to point to PA for internet access, the traffic does not go back out our North Carolina firewall but is instead routed to PA, at which point the firewall in PA drops the packets.
How can I ensure that external traffic reaching the internal client goes back out the same NC firewall instead of being routed to PA?
Can I somehow NAT to the inside interface of the NC firewall so that when the traffic returns it is routed to the same firewall it came in on? Attached is an image so that it is easier to understand. The image may be simplistic, but the gist of what I am explaining is portrayed.
05-04-2009 08:33 AM
I'm assuming that the default gateway on the host is the router's address? You may try changing the gateway to be the firewall, or create a route-map on the router that forces all of this host's traffic out of the firewall.
What kind of firewall and router is this?
HTH,
John
05-04-2009 10:01 AM
Yes, that is correct. I do not have access to the router config to make any changes, but my network admin has told me that I can NAT to the inside interface of the firewall; this way traffic will flow back out through the same firewall.
The Firewall is PIX v6, the router is also a Cisco router.
05-04-2009 04:13 PM
Try this config; you will need to test, as I have never used policy NAT outside to inside:
Public address of internal client = 195.17.17.10
access-list NATIN permit ip any host 195.17.17.10
Note you can lock down the above acl to TCP/UDP ports rather than general IP.
nat (outside) 2 access-list NATIN outside
global (inside) 2 interface
This should translate the source IP address of all incoming traffic to the inside interface of the pix so when the traffic is sent back from the internal client it is sent to the firewall.
Like I say, I have used this config but not with an access-list, so you need to test.
Jon
05-05-2009 04:04 AM
I totally forgot about this, we also have a DMZ on this NC firewall, how will this affect our DMZ traffic?
05-05-2009 04:15 AM
OK, I was able to test this config, and it worked: I was able to get to the inside client and the traffic went back out the same firewall. However, my concern is now the DMZ traffic, because once I added this config on my test firewall and then checked access to the DMZ servers it timed out. Which makes sense to me, since now the external address is being translated to the inside firewall interface.
You mentioned that you used the config before, but not with an access-list. Is there a way to use the config for, say, a single external address instead of a full access-list?
05-05-2009 09:14 AM
Roberto
"Which makes sense to me since now the external address is being translated to the inside firewall interface."
Doesn't make sense to me because the external addresses should only be translated to the inside interface address when the destination address is 195.17.17.10. Perhaps this is a limitation of outside/inside dynamic NAT.
"is there a way to use the Config for say a single external address instead of a full access-list? "
Not really, unless the single external address only ever tries to access 195.17.17.10; otherwise you need to use an acl so that the external address only gets translated when it goes to 195.17.17.10, so you're back to the original issue with the config.
It's unclear why DMZ traffic is timing out. With the config I supplied, when traffic comes in for 195.17.17.10 the firewall should translate any source IP to the inside interface address.
This assumes 195.17.17.10 is reachable via the inside interface, either
1) because that is its real address
OR
2) the inside device has a private address and you are NATting to 195.17.17.10, e.g.
static (inside,outside) 195.17.17.10 192.168.5.10 netmask 255.255.255.255
Either way, traffic going to the DMZ should not be affected.
Perhaps you could post your config. Unfortunately I don't have a pix handy to test with.
Jon
05-06-2009 05:27 AM
Actually, while your config works for the one client I need, not only does it affect other DMZ traffic; it also affects outgoing internet traffic(?).
But I am a little confused, because you said in the one post, "This should translate the source IP address of all incoming traffic to the inside of the pix". Is it really matching it up to make sure it is only intended for 195.17.17.10 (of course I used my real external, not your example), or is it doing just as you set up in the config and translating all incoming traffic regardless of where it is going on the inside?
05-06-2009 06:50 AM
"or is it doing just as you setup in the config and translating all incoming traffic regardless of where it is going on the inside ?"
Well that's what the access-list is for. So
nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 interface
The above would translate all incoming source IP addresses to the inside interface IP of the pix, providing that the destination IP address was reachable via the inside interface.
The original config I supplied:
access-list NATIN permit ip any host 195.17.17.10
Note you can lock down the above acl to TCP/UDP ports rather than general IP.
nat (outside) 2 access-list NATIN outside
global (inside) 2 interface
should translate all incoming source IP addresses to the inside interface IP of the pix only if the destination is 195.17.17.10. Note the same proviso as above, i.e. this NAT will only take place if the destination is reachable via the inside interface.
Perhaps you have conflicting NAT setups. Did you "clear xlate" after entering the config?
Could you post your config?
Jon
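As an added illustration that is not part of the thread, the following Python model applies the matching rules Jon describes above (ACL match, plus the "destination reachable via inside" proviso) to sample packets and shows where the inside host sends its reply; the inside interface address, the DMZ subnet and the client address are constructed, the 195.17.17.10 / 192.168.5.10 pair comes from Jon's post.

```python
# Added example, not from the thread: a small model of the PIX 6.x
# "nat (outside) ... outside" / "global (inside) ... interface" decision,
# following the explanation in the posts rather than a real PIX.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_IF = "192.168.5.1"                   # assumed NC PIX inside address
INSIDE_NET = ip_network("192.168.5.0/24")   # reachable via inside (assumed)
DMZ_NET = ip_network("10.10.10.0/24")       # reachable via dmz (constructed)
# static (inside,outside) 195.17.17.10 192.168.5.10 from Jon's post
STATICS = {"195.17.17.10": "192.168.5.10"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def exit_interface(ip):
    """Which PIX interface a (real) destination address is reachable through."""
    addr = ip_address(ip)
    if addr in INSIDE_NET:
        return "inside"
    if addr in DMZ_NET:
        return "dmz"
    return "outside"

def acl_natin(pkt):   # access-list NATIN permit ip any host 195.17.17.10
    return pkt.dst == "195.17.17.10"

def acl_any(pkt):     # nat (outside) 2 0.0.0.0 0.0.0.0 outside (no ACL)
    return True

def outside_nat(pkt, match):
    """Return the packet as the inside host sees it.  The source is rewritten
    to the inside interface only if the policy matches AND the untranslated
    destination is reachable via the inside interface (Jon's proviso)."""
    real_dst = STATICS.get(pkt.dst, pkt.dst)
    if match(pkt) and exit_interface(real_dst) == "inside":
        return Packet(src=INSIDE_IF, dst=real_dst)
    return Packet(src=pkt.src, dst=real_dst)

def reply_next_hop(inside_pkt, host_gateway="192.168.5.254"):
    """The host replies directly to the PIX when the reply's destination is
    on its own subnet; otherwise it hands it to its default gateway (the
    router that still points to PA), which is the asymmetric-routing problem."""
    return "NC-PIX" if ip_address(inside_pkt.src) in INSIDE_NET else host_gateway
```

One side effect worth planning for: once the source is rewritten, the internal host's own logs record the PIX inside address for every external client, so the real client IP is only available from the firewall's logs.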
05-06-2009 07:18 AM
05-06-2009 08:45 AM
Roberto
Could you also post
1) the config you added on my suggestion, as I assume you have removed it from the config you posted
2) the external IP and the NATted IP that Internet clients are connecting to?
Jon
05-06-2009 10:16 AM
I added the config in two different ways:
I used the following:
access-list acl_OUT permit ip any host 19x.xxx.xxx.161
nat (outside) 1 access-list acl_OUT outside
global (inside) 1 interface
and
access-list NATIN permit ip any host 19x.xxx.xxx.161
nat (outside) 1 access-list NATIN outside
global (inside) 1 interface
No matter what I tried, although I could access the internal client, it would affect outgoing internet traffic and external traffic headed for the DMZ.
2) the external IP and the NATted IP that Internet clients are connecting to?
The external IP would be 19x.xxx.xxx.161; the internal IP would be 192.168.180.46.