FPR1010 FDM NAT / Policy (not working)

TheGoob (Level 4)

Hello


So I am having some issues deploying NAT... 

My FPR1010 has a WAN (outside) IP 207.108.121.X which has a LAN (inside) 192.168.1.0.

I have NAT on INSIDE for an Internal Network (connected to a SG550) which is 192.168.5.1-192.168.5.55

The 192.168.1.0 (LAN/INSIDE) on the FPR1010 has a static IP on SG550 GE1/1 of 192.168.1.2, and the SG 192.168.5.1-192.168.5.55 range uses that for a PBR to access the Internet, so everything in 192.168.5.1-192.168.5.55 communicates with the FPR via 192.168.1.2. Why PBR? Because 192.168.5.56-192.168.5.100 uses a different PBR for its WAN.


Most of this is irrelevant. My issue is that a device on 192.168.5.43 (using 192.168.1.2 to access the Internet, which uses 207.108.121.x for WAN) has SSH on port 66. I want any device on "outside" to be able to come in on port 66 and be directed to that 192.168.5.43 device.

I created a NAT "outside any 66 inside 192.168.5.43 66" as well as a policy allowing incoming traffic from outside to 192.168.5.43 port 66, but I keep getting a rejection when trying to access it from outside.

I am clearly missing something and for now have no config to show you but maybe these words and description can start a narrative. 

I am hoping to not get involved with why PBR, why internal 192.168.5.0 when I have 192.168.1.0 etc. Everything else works fine, I just need this to work. 


51 Replies

Traffic comes from the FTD.

How does the SG return it back to the FTD?

Which path will the return traffic take?

TheGoob (Level 4)

I suppose that is a good question. Everything on 192.168.5.0, which uses 0.0.0.0 0.0.0.0 192.168.1.2 to reach the Internet, clearly hits the FPR, as they all get on the Internet, but that is "outgoing".

I guess I assumed the SG had a path back to the FTD via 192.168.1.2, which is part of the 192.168.1.0 network the FTD uses for its inside interface, which uses x.x.x.182.

Or am I wrong?

You mean that the SG host gets Internet via the FTD? So the default route is OK?

TheGoob (Level 4)

I mean, it works because I can indeed connect to the Internet from any 192.168.5.0 host, and any 192.168.5.0 hosts can communicate with each other. But it does not work in terms of accessing SSH IN via OUTSIDE (FTD).

For whatever reason I cannot get it to work, as we have tried everything. I am fine with that.

TheGoob (Level 4)

I was wondering something.


As I mentioned, I have 6 usable static WAN (Internet) IPs and have STATIC NAT for some of them. I am able to SSH in on port 66 to x.x.x.180, which is NATed to 192.168.5.55. I feel that with this static NAT I am bypassing the 192.168.1.0 (FPR1010 INSIDE) network.

Could I be having this issue because in this case my outside client is connecting to x.x.x.182, which connects to 192.168.1.0 (192.168.1.2 on the SG) and then 192.168.5.43 (SSH server), as opposed to x.x.x.180, which has its own outside (Internet) IP, whereas 192.168.5.43 is part of the FPR 192.168.1.0 network?

It seems maybe there is one more step for the SSH I am trying to connect to here.
Doesn't x.x.x.182 translate to 192.168.1.2, which translates to 192.168.5.43? Doesn't that require another or more advanced NAT than the simple 1-to-1 x.x.x.180 to 192.168.5.55 NAT, which does work?

I built my best interpretation of my system. Maybe it will shed some light?


[Image: NATNetwork.jpg]


Any new onlookers possibly able to continue in assisting me with my dilemma?
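The replies above keep asking which path the traffic takes once the FTD has untranslated the inbound port-66 flow to 192.168.5.43, a destination that is not on the FTD's own inside network (192.168.1.0/24). The following is an added example, not the poster's configuration or any Cisco tool output: it models the FTD's route lookup after static NAT with constructed routing tables (the outside next hop 207.108.121.1 and the idea of a static route for 192.168.5.0/24 via 192.168.1.2 are assumptions, not facts from the thread) and shows how the flow is forwarded with and without a route toward the SG550.

```python
import ipaddress

# Constructed FTD routing table (assumption: the thread shows no config).
# Entries are (prefix, egress interface, next hop or None for connected).
FTD_ROUTES_NO_STATIC = [
    ("0.0.0.0/0", "outside", "207.108.121.1"),   # default toward the ISP
    ("192.168.1.0/24", "inside", None),          # connected inside network
]
# Same table plus a static route for the SG550's network behind 192.168.1.2.
FTD_ROUTES_WITH_STATIC = FTD_ROUTES_NO_STATIC + [
    ("192.168.5.0/24", "inside", "192.168.1.2"),
]
# Static NAT described in the thread: outside x.x.x.182 port 66 -> 192.168.5.43 port 66.
# The full outside address is a constructed placeholder for the thread's x.x.x.182.
FTD_NAT = {("207.108.121.182", 66): ("192.168.5.43", 66)}


def lookup(routes, dst_ip):
    """Longest-prefix match over the table; returns (egress, next_hop) or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def trace_inbound(routes, nat, dst_ip, dst_port):
    """Untranslate an inbound flow that arrived on 'outside', then route the real
    destination. A lookup that sends it back out 'outside' means the FTD has no
    path to the server, which is one reason the connection would be rejected."""
    real = nat.get((dst_ip, dst_port))
    if real is None:
        return "no NAT match"
    route = lookup(routes, real[0])
    if route is None:
        return "no route"
    egress, next_hop = route
    if egress == "outside":
        return "routed back out outside (no path to 192.168.5.0/24)"
    return f"egress {egress} via {next_hop or 'connected'}"


if __name__ == "__main__":
    for name, table in (("without static", FTD_ROUTES_NO_STATIC),
                        ("with static", FTD_ROUTES_WITH_STATIC)):
        print(name, "->", trace_inbound(table, FTD_NAT, "207.108.121.182", 66))
```

The same lookup can be run against the SG550's side with the PBR for 192.168.5.1-192.168.5.55 to confirm the server's replies go back to the FTD rather than the other WAN.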
