09-17-2008 03:14 PM - edited 03-11-2019 06:45 AM
Hi,
Can you advise what the problem is with this configuration? I am trying to NAT an external IP from the internet to another IP on the firewall.
Here's the configuration
access-list vpn permit ip host 202.2.2.2 host 203.1.1.1
access-list nonat permit ip any any
nat (outside) 0 access-list nonat outside 0 0
nat (outside) 1 access-list vpn outside 0 0
global (inside) 1 203.3.3.3 netmask 255.255.255.240
TIA
PF
09-17-2008 03:26 PM
Hi ..
I am not too sure what you are trying to achieve. If you want to do a one-to-one mapping and allow inbound traffic from the internet, then you need something like this:
static (inside,outside)
access-list outside-in permit
access-group outside-in in interface outside
Where:
Global IP address: is the address you want the Internet users to connect to.
Local IP address: Is the real address used on the server's NIC
The above lines will allow inbound access from the Internet to the Global IP address using the required ports.
I hope it helps .. please rate helpful posts
09-17-2008 03:39 PM
Fernando,
What you have is natting an outbound IP Address to another IP Address as it traverses from inside to outside.
What I wanted to do is to NAT an inbound IP (from the internet) to an internal IP address as the traffic comes in from the outside interface. Instead of using the actual IP, I want the IP to change to another IP as it traverses the network as permitted.
TIA.
PF
09-18-2008 12:14 AM
Hello Poh-Fun,
nat (outside) 0 access-list nonat outside 0 0
With the command above, you tell the firewall not to NAT any traffic as it traverses from outside to inside. It is "any" traffic, so your desired traffic will never ever reach the "nat (outside) 1 access-list vpn outside 0 0" and get translated. Remove the "nat (outside) 0 access-list nonat outside 0 0" command, and use a /32 subnet mask in the global statement.
Regards
global (inside) 1 203.3.3.3 netmask 255.255.255.240
09-18-2008 05:40 PM
Husy,
Thanks very much for your reply. If I remove the statement nat (outside) 0 access-list nonat outside 0 0, other outside users will not be able to access the inside network.
Will it make a difference if I have
nat (outside) 0 0.0.0.0 0.0.0.0 outside in place of nat (outside) 0 access-list nonat outside ?
TIA
PF
09-19-2008 03:20 AM
Poh-Fun,
Hmm, try adding the following statement as the first line of the nonat ACL:
access-list nonat line 1 deny ip host 202.2.2.2 host 203.1.1.1
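An added model (my own illustration, not code from any post and not Cisco's implementation) of how the two suggestions above interact: the firewall consults the nat 0 exemption ACL before the nat 1 policy ACL, both are first-match, so a permit-any nonat entry shadows the vpn ACL, while a deny on line 1 lets the 202.2.2.2 to 203.1.1.1 flow fall through to policy NAT. Addresses are the constructed ones from the thread; the global address is assumed to be 203.3.3.3.

```python
# Added illustration, not Cisco code: a minimal model of the PIX/ASA/FWSM
# order of operations for outside-to-inside NAT using the thread's ACLs.
# NAT exemption ("nat (outside) 0 access-list ...") is evaluated before
# policy NAT ("nat (outside) 1 access-list ..."), and each ACL is first-match.
from ipaddress import ip_address, ip_network


def acl_match(entries, src, dst):
    """Return the action of the first ACE matching src/dst, else None."""
    for action, s, d in entries:
        if src in ip_network(s) and dst in ip_network(d):
            return action
    return None


def outside_nat(nonat_acl, policy_acl, global_ip, src, dst):
    """Return the source address seen on the inside for a given outside flow.

    A permit in the exemption ACL means "leave the source untranslated";
    a deny (or no match) there lets the flow reach the policy NAT ACL,
    whose permit maps the source to global_ip.
    """
    src, dst = ip_address(src), ip_address(dst)
    if acl_match(nonat_acl, src, dst) == "permit":
        return str(src)          # exempt from NAT: unchanged
    if acl_match(policy_acl, src, dst) == "permit":
        return global_ip         # policy NAT: translated
    return str(src)              # no rule matched: unchanged


# Constructed ACLs mirroring the posted config (addresses from the thread).
VPN = [("permit", "202.2.2.2/32", "203.1.1.1/32")]
NONAT_ORIGINAL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]
# The suggested fix: deny the VPN flow on line 1 so it is not exempted.
NONAT_FIXED = [("deny", "202.2.2.2/32", "203.1.1.1/32")] + NONAT_ORIGINAL

if __name__ == "__main__":
    for name, acl in (("original", NONAT_ORIGINAL), ("fixed", NONAT_FIXED)):
        print(name, outside_nat(acl, VPN, "203.3.3.3", "202.2.2.2", "203.1.1.1"))
```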
09-21-2008 02:53 PM
Husy,
I have tried that before and it makes no difference. Removing the statement nat (outside) 0 ... for some reason worked once for some websites. So I removed the statement and re-entered it again and it didn't work at all... external users cannot access anything on the internal network except for the IP I have translated.
I have something similar on the PIX firewall (the above problem was a FWSM) and it works. Here's the config
PIX# sh run | inc nat
nat (outside) 0 access-list nonat outside
nat (outside) 1 access-list vpn outside 0 0
PIX# sh run | inc global
global (inside) 1 192.168.17.9
PIX# sh access-list nonat
access-list nonat; 18 elements
access-list nonat line 1 permit ip any host 202.n.n.150 (hitcnt=53004045)
access-list nonat line 2 permit ip any host 202.n.n.152 (hitcnt=16913986)
access-list nonat line 3 permit ip any host 202.n.n.159 (hitcnt=2182759)
access-list nonat line 4 permit ip any host 202.n.n.160 (hitcnt=43935)
access-list nonat line 5 permit ip any host 202.n.n.161 (hitcnt=5868)
access-list nonat line 6 permit ip any host 202.n.n.163 (hitcnt=3024526)
access-list nonat line 7 permit ip any host 202.n.n.164 (hitcnt=16284)
access-list nonat line 8 permit ip any host 202.n.n.166 (hitcnt=348659)
access-list nonat line 9 permit ip any host 202.n.n.167 (hitcnt=9113)
access-list nonat line 10 permit ip any host 202.n.n.168 (hitcnt=3152444)
access-list nonat line 11 permit ip any host 202.n.n.169 (hitcnt=271793)
access-list nonat line 12 permit ip any host 202.n.n.171 (hitcnt=46280)
access-list nonat line 13 permit ip any host 202.n.n.172 (hitcnt=105019)
access-list nonat line 14 permit ip any host 202.n.n.174 (hitcnt=54859603)
access-list nonat line 15 permit ip any host 202.n.n.179 (hitcnt=0)
access-list nonat line 16 permit ip any host 202.n.n.180 (hitcnt=17722)
access-list nonat line 17 permit ip any host 202.n.n.170 (hitcnt=168883)
access-list nonat line 18 permit ip any host 202.n.n.156 (hitcnt=0)
PIX# sh access-list vpn
access-list vpn; 1 elements
access-list vpn line 1 permit ip any host 202.n.n.133 (hitcnt=264110)
TIA.
PF
09-25-2008 05:25 PM
I actually couldn't understand the external users part. Can you explain this a little more? Where is the firewall located?
09-25-2008 07:55 PM
Husy,
This firewall is to protect the corp network from the internet. We have a client with an external IP that, when accessing the xxx application, comes in via the yyy link into our network. However, when they wanted to use VPN, they directed this external IP to come in via our internet link. In other words, depending on the application, the external IP will come in from a different link.
We have a static route specifically to route this external IP to the yyy link, hence VPN will never work. My idea was to translate this external IP to another IP xxx when it comes into the firewall before traversing the network. With the NATted IP xxx, we should not have to worry about the external IP being routed to yyy.
TIA
PF