Cisco Router NAT transparency

AvidPontoon1
Level 1

I have a firewall box that sits between the 'WAN' port on a Cisco 2811 and the main ISP line into my building. The topology looks like:

ISP CONNECTION IN
|
UTM
|
CISCO ROUTER

My problem is logging on the UTM. It runs a DNS filtering service that filters the network traffic for the site. Between the UTM and router there is a class C subnet: 20.20.20.0/24. The UTM has 20.20.20.1 and the router has 20.20.20.2. The Cisco router has NAT configured on it to allow 0.0.0.0. My problem is that when a client visits a blocked page the UTM logs this with the IP of the client. The problem I am having is that the client IP address is always 20.20.20.2 (the IP of the WAN on the router) and not the IP of the actual client.

How can I get the firewall to see the actual client IP? I've ruled it down to NAT on the router but have no idea on how to configure it. Please could someone explain what I need to do?

 


Hello,

post the full configuration of your Cisco router. You probably have NAT configured to translate everything to the interface address that is connected to the UTM...


@Georg Pauwen wrote:

Hello,

post the full configuration of your Cisco router. You probably have NAT configured to translate everything to the interface address that is connected to the UTM...


Current configuration : 2295 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v1.site.isr
!
boot-start-marker
boot system usbflash0:c1841-advipservicesk9-mz.151-4.M3.bin
boot-end-marker
!
!
!
no aaa new-model
ip source-route
!
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 100
router-id 10.1.1.253
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
!
ip http server
ip nat inside source list 10 interface FastEthernet0/0/0 overload
ip nat inside source static 10.1.0.0 0.0.255.255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended FILTER_VLAN30
permit ip 10.1.30.0 0.0.0.255 host 10.1.100.65
deny ip 10.1.30.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
!
access-list 10 permit any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Thanks in advance!

Hello,

why do you have NAT configured at all on the Cisco router? You are NATting a private address range to another private address. Is it an option to remove NAT altogether from the router?


@Georg Pauwen wrote:

Hello,

why do you have NAT configured at all on the Cisco router? You are NATting a private address range to another private address. Is it an option to remove NAT altogether from the router?


When I removed NAT, none of the traffic got out of the router. Please could you tell me how to remove it and still pass traffic?

What is the model/brand of your UTM? You lose all connectivity because the UTM only knows about network 20.20.20.0/24.


@Georg Pauwen wrote:

What is the model/brand of your UTM? You lose all connectivity because the UTM only knows about network 20.20.20.0/24.


This is without the UTM. Nothing gets past the Cisco router. It's a WatchGuard with pfSense on it. I have removed these config lines and I can't even ping the UTM:

ip nat inside - per interface
ip nat outside - per interface
ip nat inside source list 10 interface FastEthernet0/0/0 overload
ip nat inside source static 10.1.0.0 0.0.255.255

 

 

Hello,

your current default route is:

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Where and what is 192.168.0.1?

Try and change it to:

ip route 0.0.0.0 0.0.0.0 20.20.20.1

which basically directs all your traffic to the UTM.


@Georg Pauwen wrote:

Hello,

your current default route is:

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Where and what is 192.168.0.1?

Try and change it to:

ip route 0.0.0.0 0.0.0.0 20.20.20.1

which basically directs all your traffic to the UTM.


Ah, I have given you an outdated config; that was the old IP of the UTM. This was changed when we changed the subnet. Still no joy.

The WatchGuard doesn't have a route back to the 10.x.x.x network. Which WatchGuard model do you have? Try and get inside the WatchGuard and configure a route to the 10.x.x.x network...


@Georg Pauwen wrote:

The WatchGuard doesn't have a route back to the 10.x.x.x network. Which WatchGuard model do you have? Try and get inside the WatchGuard and configure a route to the 10.x.x.x network...


It's just pfSense? Do you know how I can do it on there?

When I remove the NAT config, the router can still ping 20.20.20.1 but nothing else on the network can. How can this be?

Hello,

the link below explains how to add a static route to pfSense. I am not sure if your model has the same or a similar GUI...

https://www.netgate.com/docs/pfsense/routing/static-routes.html


@Georg Pauwen wrote:

Hello,

the link below explains how to add a static route to pfSense. I am not sure if your model has the same or a similar GUI...

https://www.netgate.com/docs/pfsense/routing/static-routes.html


Without having NAT on the router I cannot even access pfSense though. How can I get it working with no NAT first?

Hello,

add NAT back to the router. You will need to access pfSense to check if you can add a static route. If so, you can test if it works by excluding an IP address from the 10.x.x.x range on your network so that it doesn't get NATted.


@Georg Pauwen wrote:

Hello,

add NAT back to the router. You will need to access pfSense to check if you can add a static route. If so, you can test if it works by excluding an IP address from the 10.x.x.x range on your network so that it doesn't get NATted.


I added a static route for 10.1.1.0/24. When I ping 10.1.1.253 (the LAN IP of the router), pfSense starts pinging 20.20.20.2 (the WAN IP of the router)?? My head hurts.
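Pulling the whole thread together, here is a small added Python model of the topology (my own, not code from the thread, Cisco or pfSense): it shows why the UTM's log records 20.20.20.2 while the router's NAT overload is on, and why, once NAT is removed, pfSense needs a static route for the site's 10.1.0.0/16 range via 20.20.20.2 rather than for 10.1.1.0/24 alone, since other subnets such as the 10.1.30.0/24 referenced in the FILTER_VLAN30 ACL would still fall through to the default route. The ISP gateway 203.0.113.1 is a constructed placeholder.

```python
import ipaddress

# Addresses from the thread; the ISP next hop is a constructed placeholder.
ROUTER_WAN_IP = "20.20.20.2"               # Cisco FastEthernet0/0/0, facing the UTM
ISP_GATEWAY = "203.0.113.1"                # placeholder upstream gateway (TEST-NET-3)
LAN = ipaddress.ip_network("10.1.0.0/16")  # the site's inside range
# What pfSense knows before any static route is added: its own /24 and a default.
UTM_BASE_ROUTES = {"0.0.0.0/0": ISP_GATEWAY, "20.20.20.0/24": "connected"}


def source_after_router(client: str, nat_overload: bool) -> str:
    """Source IP of a LAN packet as it leaves the router's WAN port.

    'ip nat inside source list 10 interface FastEthernet0/0/0 overload' with
    'access-list 10 permit any' rewrites every inside source to the WAN IP,
    which is exactly what the UTM's DNS-filter log then records.
    """
    if nat_overload and ipaddress.ip_address(client) in LAN:
        return ROUTER_WAN_IP
    return client


def utm_next_hop(utm_routes: dict, dst: str) -> str:
    """Longest-prefix match over the UTM table (prefix -> next hop or 'connected')."""
    d = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in utm_routes
                if d in ipaddress.ip_network(p)), key=lambda n: n.prefixlen)
    hop = utm_routes[str(best)]
    return dst if hop == "connected" else hop


def blocked_request(client: str, nat_overload: bool, utm_routes: dict) -> tuple:
    """Return (IP the UTM logs, whether the UTM's reply gets back to the LAN).

    With NAT removed the log shows the real client, but the reply only makes
    it home if the UTM routes that client's subnet via the router's WAN
    address; otherwise it follows the default route towards the ISP.
    """
    logged = source_after_router(client, nat_overload)
    return logged, utm_next_hop(utm_routes, logged) == ROUTER_WAN_IP


if __name__ == "__main__":
    with_lan_route = {**UTM_BASE_ROUTES, "10.1.0.0/16": ROUTER_WAN_IP}
    with_one_subnet = {**UTM_BASE_ROUTES, "10.1.1.0/24": ROUTER_WAN_IP}
    print(blocked_request("10.1.30.10", True, UTM_BASE_ROUTES))   # ('20.20.20.2', True)
    print(blocked_request("10.1.30.10", False, UTM_BASE_ROUTES))  # ('10.1.30.10', False)
    print(blocked_request("10.1.30.10", False, with_lan_route))   # ('10.1.30.10', True)
    print(blocked_request("10.1.30.10", False, with_one_subnet))  # ('10.1.30.10', False)
```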
