FPR1010 FDM NAT / Policy (not working)

TheGoob
Level 4

Hello

So I am having some issues deploying NAT... 

My FPR1010 has a WAN (outside) IP 207.108.121.X which has a LAN (inside) 192.168.1.0.

I have NAT on INSIDE for an Internal Network (connected to a SG550) which is 192.168.5.1-192.168.5.55

The 192.168.1.0 (LAN/INSIDE) on the FPR1010 has a static IP on SG550 GE1/1 of 192.168.1.2, and the SG 192.168.5.1-192.168.5.55 uses that for a PBR to access the Internet, so everything in 192.168.5.1-192.168.5.55 communicates with the FPR via 192.168.1.2. Why PBR? Because 192.168.5.56-192.168.5.100 uses a different PBR for its WAN.


Most of this is irrelevant. My issue is that a device on 192.168.5.43 (using 192.168.1.2 to access the Internet, which uses 207.108.121.x for WAN) has SSH on port 66. I want any device on "outside" to be able to come in on port 66 and be directed to that 192.168.5.43 device.

I created a NAT "outside any 66 inside 192.168.5.43 66" as well as a policy allowing incoming traffic from outside to 192.168.5.43 port 66, but I keep getting a rejection when trying to access it from outside.

I am clearly missing something and for now have no config to show you but maybe these words and description can start a narrative. 

I am hoping not to get involved with why PBR, why internal 192.168.5.0 when I have 192.168.1.0, etc. Everything else works fine; I just need this to work.


51 Replies

TheGoob
Level 4

Nothing. I. Do. Works.


So maybe a 2nd grade picture will make sense. Maybe?


Untitled.jpg


Sorry, I was busy until today. I see your NAT screenshot.
First, the NAT must be:
1- interface Inside Outside; using the reverse direction, i.e. outside inside, is not preferred
2- Source will NAT only the IP, not the port
3- Destination is Any for both real and mapped, and for the port.

For types:


gfgfgfg.png

TheGoob
Level 4

Hello

Everything you are saying makes sense, but unless I am unknowingly and unintentionally not understanding what you're saying, this is what I have done and it does not work.

My NAT is:

6 OMVSSH

STATIC
inside_2 outside
omv
Any
Any
Any
Interface
Any
Any
Any

Also, this is set for 'before auto rules' and is Manual NAT.

My access control is this:

omvssh allow outside_zone any any inside_zone omv 66 any any any

ACL Config
ACL FTD.png

NAT config
NAT FTD.png

Change both the ACL and the NAT, not only the NAT.

TheGoob
Level 4

I believe I am doing as requested, but I still get no connection... Here are my current and exact NAT and ACCESS_CONTROL.

I have added them as an attachment as well.

NATandACCESS.jpg

Only share the latest NAT and ACL for this traffic, after you make the change.

TheGoob
Level 4

FullNAT.jpg

The NAT is perfect now; only change the ACL as mentioned before.

TheGoob
Level 4

I thought it was as you said.

Share the ACL screenshot.

TheGoob
Level 4

acl.jpg

Perfect. Do you try to access it now from outside to inside?

TheGoob
Level 4

Yes. On my laptop, which is connected to my iPhone hotspot, I SSH in and I get 'can not connect to x.x.x.182'.

The server is up, as I can connect one PC to the server on the same LAN, which really doesn't say much aside from the SSH being active.

In Windows: tcping Server-IP port
This is how we check whether the port is open or not; please notice the port here is 66, as we mentioned in both the ACL and the NAT.

ONE LAST THING: when you SSH from outside, do you use port 66 or the well-known port 22?
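As an added example that is not part of the thread, the block below shows the ASA-style lines that a Manual NAT rule of the shape discussed above (static, inside_2 to outside, source omv translated to the outside Interface, placed before the auto rules) deploys on the FTD, followed by the on-box checks that answer the same question as the tcping test from the box's own point of view. The object name omv comes from the thread; the service object name svc-tcp-66, the static route to the 192.168.5.0/24 network behind the SG550, and the addresses 203.0.113.10 (standing in for the real outside address) and 198.51.100.25 (standing in for the laptop on the hotspot) are assumptions. The example restricts the translation to TCP/66 rather than all ports, so the rest of the outside interface address stays available to the FTD itself:

```cisco
! Added example, not configuration taken from the thread. The object and nat
! lines are the ASA-style form of an FDM manual NAT rule (static, inside_2 ->
! outside, real source omv, mapped source Interface). Names svc-tcp-66 and the
! route are assumptions; 203.0.113.10 / 198.51.100.25 are documentation
! addresses standing in for the real outside and tester addresses.
object network omv
 host 192.168.5.43
object service svc-tcp-66
 service tcp source eq 66
! Twice NAT placed before the auto (object) rules. "source static omv interface"
! maps omv:66 <-> outside-interface-ip:66 in both directions, so an inbound SYN
! to the outside address on tcp/66 is un-NATed to 192.168.5.43:66.
nat (inside_2,outside) 1 source static omv interface service svc-tcp-66 svc-tcp-66
! The FTD must know how to reach the real host, which sits behind the SG550's
! 192.168.1.2, or the un-NATed packet has no egress (assumed static route).
route inside_2 192.168.5.0 255.255.255.0 192.168.1.2 1

! --- verification from the FTD CLI (the > prompt) ---
! 1. Is the rule deployed, and does its translate_hits counter move when the
!    laptop on the hotspot tries to connect?
show nat detail
! 2. Does the box have a route to the real host?
show route 192.168.5.43
! 3. Simulate the inbound SYN exactly as the tester sends it:
!    ingress interface outside, tcp, tester:ephemeral -> outside-ip:66.
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 66 detailed
! Read the phases in order: UN-NAT must show 203.0.113.10/66 -> 192.168.5.43/66;
! ACCESS-LIST must show the access rule ALLOW matching the real address
! 192.168.5.43 (the access policy is evaluated on the un-NATed packet, which is
! why the rule in the thread names omv rather than the outside IP); and
! ROUTE-LOOKUP must return a next hop on inside_2. A DROP in any phase names
! the rule or lookup that has to be fixed.
! 4. Confirm the access policy as actually deployed, not as shown in the GUI:
show access-control-config
```

If packet-tracer reports ALLOW through every phase but the laptop still cannot connect, the remaining suspects are outside the FTD's decision: the return path from 192.168.5.43 must come back through the same FTD (the SG550's PBR for 192.168.5.1-192.168.5.55 toward 192.168.1.2 covers that), and the test must be run from a truly external network, as the hotspot test in the thread is.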

TheGoob
Level 4

Well, I know nothing about tcping,

but when I connect to it, it is successful.


ssh 192.168.5.43 -p66
The authenticity of host '[192.168.5.43]:66 ([192.168.5.43]:66)' can't be established.
ECDSA key fingerprint is SHA256:2H+frXfxOpOt8ffQ5OEAwg/As8hpZ/xDpZdLELR3ONM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.5.43]:66' (ECDSA) to the list of known hosts.
mjmal@192.168.5.43's password:
