04-22-2022 10:55 AM
Hello
So I am having some issues deploying NAT...
My FPR1010 has a WAN (outside) IP 207.108.121.X which has a LAN (inside) 192.168.1.0.
I have NAT on INSIDE for an Internal Network (connected to a SG550) which is 192.168.5.1-192.168.5.55
The 192.168.1.0 (LAN/INSIDE) on FPR1010 has a static IP on SG550 GE1/1 of 192.168.1.2, and the SG 192.168.5.1-192.168.5.55 uses that for a PBR to access the Internet, so everything 192.168.5.1-192.168.5.55 communicates with the FPR via 192.168.1.2. Why PBR? Because 192.168.5.56-192.168.5.100 uses a different PBR for its WAN.
Most of this is irrelevant. My issue is that a device on 192.168.5.43 (using 192.168.1.2 to access the Internet, which uses 207.108.121.x for WAN) has SSH on port 66. I want any device on "outside" to be able to come in on port 66 and be directed to that 192.168.5.43 device.
I created a NAT "outside any 66 inside 192.168.5.43 66" as well as a Policy allowing incoming from outside to 192.168.5.43 port 66 but I keep getting a rejection when trying to access it from outside.
I am clearly missing something and for now have no config to show you but maybe these words and description can start a narrative.
I am hoping to not get involved with why PBR, why internal 192.168.5.0 when I have 192.168.1.0 etc. Everything else works fine, I just need this to work.
04-27-2022 06:51 PM
04-28-2022 08:51 AM
Sorry I was busy until today I see your NAT screenshot,
first the NAT must be
1- Interface: Inside Outside, using the reverse direction, i.e. Outside Inside, is not preferred
2- Source will NAT only the IP, not the port
3- Destination is Any for both real and mapped, and for port.
For types
04-28-2022 11:11 AM
Hello
Everything you are saying makes sense, but unless I am unknowingly and unintentionally not understanding what you're saying, this is what I have done and it does not work.
My NAT is:
6 OMVSSH
STATIC | inside_2 outside | omv | Any | Any | Any | Interface | Any | Any | Any |
Also, this is set for 'before auto rules' and is Manual NAT
My access control is this:
omvssh allow outside_zone any any inside_zone omv 66 any any any
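For reference, an ASA-style CLI rendering of the port-forward this thread is working towards (added here as an illustration; it is not the poster's FDM configuration or any screenshot from the thread). The service object pins the translation to TCP/66 of the interface address, and the access rule is written against the real (pre-NAT) host, as the FDM rule above does with the omv object. The service-object and ACL names are assumed.

```text
! Real host behind the SG550, reached through inside_2 (interface name as in the poster's NAT rule)
object network omv
 host 192.168.5.43
! Only TCP/66 is translated; every other port of the outside interface address stays with the firewall
object service omv-ssh-66
 service tcp source eq 66
! Manual (twice) NAT in section 1, i.e. evaluated before auto NAT: real omv:66 <-> outside interface IP:66
nat (inside_2,outside) source static omv interface service omv-ssh-66 omv-ssh-66
! The access rule references the real address and real port, not the mapped ones
access-list outside_access_in extended permit tcp any object omv eq 66
access-group outside_access_in in interface outside
```

From the firewall CLI, `packet-tracer input outside tcp <external-client-ip> 1025 <outside-interface-ip> 66` shows whether an inbound connection matches this translation and the access rule, which separates a NAT or ACL miss from a host that simply is not answering.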
04-28-2022 12:25 PM - edited 04-28-2022 01:40 PM
ACL Config
NAT config
Change both ACL & NAT not only NAT
04-28-2022 01:30 PM
04-28-2022 02:17 PM
Only share the last NAT and ACL for this traffic "after you make the change".
04-28-2022 02:23 PM
04-28-2022 02:40 PM
NAT is perfect now; only change the ACL as mentioned before.
04-28-2022 02:44 PM
I Thought it was as you said
04-28-2022 02:47 PM
share the ACL screenshot
04-28-2022 02:52 PM
04-28-2022 02:57 PM
Perfect. Did you try to access it now from outside to inside?
04-28-2022 03:05 PM
Yes. On my Laptop which is connected to my iphone hotspot I SSH in and I get 'can not connect to x.x.x.182'.
The server is up, as I can connect one PC to the server on the same LAN, which really doesn't say much aside from the SSH being active.
04-28-2022 03:24 PM - edited 04-28-2022 03:41 PM
In Windows: tcping Server-IP port
This is how we check if the port is open or not. Please notice the port here is 66, as we mentioned in both the ACL and the NAT.
ONE LAST THING, when SSH from outside do you use port 66 or use known port 22??
04-28-2022 03:40 PM
Well, I know nothing about TCPING,
but when I connect to it, it is successful:
ssh 192.168.5.43 -p66
The authenticity of host '[192.168.5.43]:66 ([192.168.5.43]:66)' can't be established.
ECDSA key fingerprint is SHA256:2H+frXfxOpOt8ffQ5OEAwg/As8hpZ/xDpZdLELR3ONM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.5.43]:66' (ECDSA) to the list of known hosts.
mjmal@192.168.5.43's password: