08-26-2018 10:58 AM
I have a firewall box that sits between the 'WAN' port on a Cisco 2811 and the main ISP line into my building. The topology looks like:
ISP CONNECTION IN
↓
↓
UTM
↓
↓
CISCO ROUTER
My problem is logging on the UTM. It runs a DNS filtering service that filters the network traffic for the site. Between the UTM and router there is a class C subnet: 20.20.20.0/24. The UTM has 20.20.20.1 and the router has 20.20.20.2. The Cisco router has NAT configured on it to allow 0.0.0.0. My problem is that when a client visits a blocked page the UTM logs this with the IP of the client. The problem I am having is that the client IP address is always 20.20.20.2 (the IP of the WAN on the router) and not the IP of the actual client.
How can I get the firewall to see the actual client IP? I've ruled it down to NAT on the router but have no idea how to configure it. Please could someone explain what I need to do?
08-26-2018 11:01 AM
Hello,
post the full configuration of your Cisco router. You probably have NAT configured to translate everything to the interface address that is connected to the UTM...
08-26-2018 11:08 AM
@Georg Pauwen wrote:
Hello,
post the full configuration of your Cisco router. You probably have NAT configured to translate everything to the interface address that is connected to the UTM...
Current configuration : 2295 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v1.site.isr
!
boot-start-marker
boot system usbflash0:c1841-advipservicesk9-mz.151-4.M3.bin
boot-end-marker
!
!
!
no aaa new-model
ip source-route
!
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 100
router-id 10.1.1.253
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
!
ip http server
ip nat inside source list 10 interface FastEthernet0/0/0 overload
ip nat inside source static 10.1.0.0 0.0.255.255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended FILTER_VLAN30
permit ip 10.1.30.0 0.0.0.255 host 10.1.100.65
deny ip 10.1.30.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
!
access-list 10 permit any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
end
Thanks in advance!
08-26-2018 11:19 AM
Hello,
why do you have NAT configured at all on the Cisco router? You are NATting a private address range to another private address. Is it an option to remove NAT altogether from the router?
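Added example, not from the thread: a small Python check over the NAT-relevant lines of the config posted above. It reproduces the symptom (every inside client appears to the UTM as the outside interface address 20.20.20.2) and shows that once the NAT statements are stripped, as suggested here, the UTM would see the real client address. The config excerpt is constructed from the posted config; only contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: only the NAT-relevant lines.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 10.1.1.253 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0/0
 ip address dhcp
 ip nat outside
!
ip nat inside source list 10 interface FastEthernet0/0/0 overload
access-list 10 permit any
"""

def parse_config(config):
    """Collect per-interface NAT roles, dynamic NAT rules and standard ACL permit entries."""
    roles, rules, acls, cur = {}, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line in ("ip nat inside", "ip nat outside") and cur:
            roles[cur] = line.split()[-1]
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)( overload)?$", line)
        if m:
            rules.append((m.group(1), m.group(2), bool(m.group(3))))
        m = re.match(r"access-list (\S+) permit (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return roles, rules, acls

def acl_permits(entries, ip):
    """Standard-ACL match for 'any', 'host X' or 'network wildcard' entries."""
    addr = ipaddress.IPv4Address(ip)
    for entry in entries:
        parts = entry.split()
        if parts[0] == "any":
            return True
        if parts[0] == "host" and addr == ipaddress.IPv4Address(parts[1]):
            return True
        if parts[0] != "host" and addr in ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}"):
            return True  # ipaddress accepts a wildcard (hostmask) after the slash
    return False

def upstream_sees(config, client_ip, outside_ip):
    """Source address the UTM logs for a packet from client_ip leaving via the outside interface."""
    roles, rules, acls = parse_config(config)
    for acl, iface, _overload in rules:
        if roles.get(iface) == "outside" and "inside" in roles.values() \
                and acl_permits(acls.get(acl, []), client_ip):
            return outside_ip  # PAT rewrites the source to the outside interface address
    return client_ip  # no matching NAT rule: the router just routes, the UTM sees the client

def strip_nat(config):
    """Apply the suggestion above: drop every NAT statement so the router only routes."""
    return "\n".join(l for l in config.splitlines() if "ip nat " not in l) + "\n"
```

The second call is what the UTM log would show after NAT is removed; the pfSense box still needs a route back to 10.0.0.0/8 (or the specific 10.1.x.x subnets) for return traffic, which this check does not model.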
08-26-2018 11:40 AM - edited 08-26-2018 11:45 AM
@Georg Pauwen wrote:
Hello,
why do you have NAT configured at all on the Cisco router? You are NATting a private address range to another private address. Is it an option to remove NAT altogether from the router?
When I removed nat none of the traffic got out of the router. Please could you tell me how to remove it and still pass traffic?
08-26-2018 11:46 AM
What is the model/brand of your UTM? You lose all connectivity because the UTM only knows about network 20.20.20.0/24.
08-26-2018 11:50 AM
@Georg Pauwen wrote:
What is the model/brand of your UTM? You lose all connectivity because the UTM only knows about network 20.20.20.0/24.
This is without the UTM. Nothing gets past the Cisco router. It's a WatchGuard with pfSense on it. I have removed these config lines and I can't even ping the UTM:
ip nat inside - per interface
ip nat outside - per interface
ip nat inside source list 10 interface FastEthernet0/0/0 overload
ip nat inside source static 10.1.0.0 0.0.255.255
08-26-2018 11:53 AM
Hello,
your current default route is:
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Where and what is 192.168.0.1 ?
Try and change it to:
ip route 0.0.0.0 0.0.0.0 20.20.20.1
which basically directs all your traffic to the UTM.
08-26-2018 12:02 PM
@Georg Pauwen wrote:
Hello,
your current default route is:
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Where and what is 192.168.0.1 ?
Try and change it to:
ip route 0.0.0.0 0.0.0.0 20.20.20.1
which basically directs all your traffic to the UTM.
Ah, I have given you an outdated config; that was the old IP of the UTM. This was changed when we changed the subnet. Still no joy.
08-26-2018 12:09 PM
The WatchGuard doesn't have a route back to the 10.x.x.x network. Which WatchGuard model do you have? Try and get inside the WatchGuard and configure a route to the 10.x.x.x network...
08-26-2018 12:10 PM - edited 08-26-2018 12:12 PM
@Georg Pauwen wrote:
The WatchGuard doesn't have a route back to the 10.x.x.x network. Which WatchGuard model do you have? Try and get inside the WatchGuard and configure a route to the 10.x.x.x network...
It's just pfSense? Do you know how I can do it on there?
When I remove the NAT config the router can still ping 20.20.20.1 but nothing else on the network can. How can this be?
08-26-2018 12:16 PM
Hello,
the link below explains how to add a static route to pfSense. I am not sure if your model has the same or a similar GUI...
https://www.netgate.com/docs/pfsense/routing/static-routes.html
08-26-2018 12:17 PM
@Georg Pauwen wrote:
Hello,
the link below explains how to add a static route to pfSense. I am not sure if your model has the same or a similar GUI...
https://www.netgate.com/docs/pfsense/routing/static-routes.html
Without NAT on the router I cannot even access pfSense though. How can I get it working with no NAT first?
08-26-2018 12:24 PM
Hello,
add NAT back to the router. You will need to access pfSense to check if you can add a static route. If so, you can test if it works by excluding an IP address from the 10.x.x.x range on your network so that it doesn't get NATted.
08-26-2018 12:29 PM - edited 08-26-2018 12:30 PM
@Georg Pauwen wrote:
Hello,
add NAT back to the router. You will need to access pfSense to check if you can add a static route. If so, you can test if it works by excluding an IP address from the 10.x.x.x range on your network so that it doesn't get NATted.
I added a static route for 10.1.1.0/24. When I ping 10.1.1.253 (the LAN IP of the router), pfSense starts pinging 20.20.20.2 (the WAN IP of the router)?? My head hurts.