07-14-2013 08:48 AM - edited 03-11-2019 07:11 PM
Hi All,
Could really use some help configuring my ISA570W for NAT configuration.
Here's what I've done so far from the web UI:
1. Created 3 VLANs
- VLAN10, 192.168.1.1/24, DHCP enabled, LAN zone
- VLAN20, 192.169.1.1/24, DHCP disabled, LAN zone
- VLAN30, 192.170.1.1/24, DHCP disabled, DMZ zone
2. Assigned GE2 to VLAN10, VLAN20, DEFAULT as trunk and connected it to a Catalyst 2950 switch
3. Assigned GE6-9 to VLAN30, and left the rest of the GE to DEFAULT VLAN.
4. Created a static NAT from WAN 202.72.X.X to private IP in VLAN30, 192.170.1.2
5. Created an ACL entry to permit access from zone WAN to DMZ, any source, any service
6. Created an ACL entry to permit access from zone LAN to DMZ, any source, any service
7. Created an ACL entry to permit access from zone DMZ to LAN, any source, any service
Now, if I try accessing 202.72.X.X from my cellphone modem, it works great; the packets are received OK by the private IP server (192.170.1.2).
But if I try accessing 202.72.X.X from my laptop connected to VLAN10 or VLAN20, the packets only go as far as the firewall; they never reach the private IP server. I tried PING, but it was answered by the ISA570W, not by my private IP server.
What am I missing?
07-14-2013 06:17 PM
Hello,
The NAT statement is from vlan 30 to WAN
In this case you are trying to access it from Vlan 10 and 20, so
1- You will need to access the box via the Private IP address
or
2- Create a NAT from vlan 30 to vlan 10 and 20,
Do you follow me?
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-26-2013 09:25 AM
Hi Julio,
First off, thanks for answering my inquiry.
But, I need your help again for option-2. Create a NAT from vlan 30 to vlan 10 and 20.
How do I do that? Which menu is it in the web UI? Is it static NAT or Advanced NAT?
I think static NAT only allows source from WAN.
Thanks again
Lutfi
07-26-2013 10:34 AM
Found the answer here:
I need to set up NAT hairpinning (loopback) to allow an inside host to access my server using its public IP (202.72.x.x)
Thanks Julio for the input
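
An added example, not part of the original posts: a simplified Python model of zone-based destination NAT showing why the WAN static NAT alone leaves LAN clients talking to the firewall, and what the hairpin rule changes. It is not the ISA570W's rule engine; `203.0.113.10` is a constructed stand-in for the masked 202.72.X.X, the client addresses are constructed, and the DMZ server is assumed to use the firewall as its gateway.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the masked 202.72.X.X
SERVER_IP = "192.170.1.2"    # DMZ server from the thread (VLAN30)

@dataclass(frozen=True)
class DnatRule:
    in_zone: str    # zone the packet arrives from
    orig_dst: str   # destination address the client used
    new_dst: str    # address the destination is rewritten to

@dataclass(frozen=True)
class Packet:
    in_zone: str
    src: str
    dst: str

def deliver(pkt, rules):
    """Return the host that ends up answering the packet in this model."""
    for r in rules:
        if r.in_zone == pkt.in_zone and r.orig_dst == pkt.dst:
            return r.new_dst      # destination rewritten, forwarded to DMZ
    if pkt.dst == PUBLIC_IP:
        return "firewall"         # no rule matched: the firewall owns this IP
    return pkt.dst                # ordinary routed traffic

def audit(rules, zones=("WAN", "LAN")):
    """Map each ingress zone to whoever answers for PUBLIC_IP."""
    sample_src = {"WAN": "198.51.100.7", "LAN": "192.168.1.50"}  # constructed
    return {z: deliver(Packet(z, sample_src[z], PUBLIC_IP), rules) for z in zones}

def hairpin_needs_snat(client_ip, server_ip, prefix=24):
    """True when client and server share a subnet: the server would then reply
    directly to the client, bypassing the firewall's reverse translation."""
    net = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(client_ip) in net

STATIC_ONLY = [DnatRule("WAN", PUBLIC_IP, SERVER_IP)]
WITH_HAIRPIN = STATIC_ONLY + [DnatRule("LAN", PUBLIC_IP, SERVER_IP)]

if __name__ == "__main__":
    print("static NAT only:", audit(STATIC_ONLY))
    print("with hairpin   :", audit(WITH_HAIRPIN))
    print("SNAT needed for VLAN10 client:",
          hairpin_needs_snat("192.168.1.50", SERVER_IP))
```

In the layout described in the thread the clients sit in different VLANs from the server, so replies pass back through the firewall and the model reports that no extra source NAT is needed.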
07-26-2013 10:43 AM
Hello Admin,
Glad to see that I could help,
Please mark the question as answered
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura