Cisco Router NAT transparency

AvidPontoon1 (Level 1)

I have a firewall box that sits between the 'WAN' port on a Cisco 2811 and the main ISP line into my building. The topology looks like:

ISP CONNECTION IN
UTM
CISCO ROUTER

My problem is logging on the UTM. It runs a DNS filtering service that filters the network traffic for the site. Between the UTM and router there is a class C subnet: 20.20.20.0/24. The UTM has 20.20.20.1 and the router has 20.20.20.2. The Cisco router has NAT configured on it to allow 0.0.0.0. My problem is that when a client visits a blocked page the UTM logs this with the IP of the client. The problem I am having is that the client IP address is always 20.20.20.2 (the IP of the WAN on the router) and not the IP of the actual client.

How can I get the firewall to see the actual client IP? I've narrowed it down to NAT on the router but have no idea how to configure it. Please could someone explain what I need to do?

 

33 Replies

Hello,

 

that is because everything is being translated to 20.20.20.2. Change your NAT access list to:

 

access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any


@Georg Pauwen wrote:

Hello,

 

that is because everything is being translated to 20.20.20.2. Change your NAT access list to:

 

access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any


Still being translated to 20.20.20.2. But the interface that the UTM is connected to the router on is still 'ip nat outside', so that's stopping it, I guess.

Have you been able to add the static route for network 10.x.x.x to the pfsense?


@Georg Pauwen wrote:

Have you been able to add the static route for network 10.x.x.x to the pfsense?


I only added 10.1.1.0/24 as I don't know the /xx value for 10.0.0.0.

 

I had the two commands wrong for the ip access-list and now the pfsense can ping 10.1.1.253 and it doesn't get translated to 20.20.20.2. But adding it has stopped one of my subnets from accessing the internet :/

So back to the original problem:

 

"My problem is that when a client visits a blocked page the UTM logs this with the ip of the client. The problem I am having is that the client ip address is always 20.20.20.2 (The ip of the WAN on the router) and not the ip of the actual client."

 

Which IP addresses are logged now by the UTM?


@AvidPontoon1 wrote:

@Georg Pauwen wrote:

Hello,

 

that is because everything is being translated to 20.20.20.2. Change your NAT access list to:

 

access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any


Still being translated to 20.20.20.2. But the interface that the UTM is connected to the router on is still 'ip nat outside', so that's stopping it, I guess.


I have enabled squid to have a better look and it still says 20.20.20.2 when it should be 10.63.12.1 on VLAN 203

 

Note: PFSENSE cannot ping 10.63.12.1

Hello,

 

10.63.12.1 is not part of 10.1.1.0/24. The access list right now only blocks 10.1.1.0/24 from being translated.

 

Change it to:

 

access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any


@Georg Pauwen wrote:

Hello,

 

10.63.12.1 is not part of 10.1.1.0/24. The access list right now only blocks 10.1.1.0/24 from being translated.

 

Change it to:

 

access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any


Adding that has now denied the whole internal network of internet access

Hello,

 

"I only added 10.1.1.0/24 as I dont know the /xx value for 10.0.0.0."

 

Add 10.0.0.0/8 as the destination in the static route on the pfsense. This includes all networks in the 10.x.x.x range.


@Georg Pauwen wrote:

Hello,

 

"I only added 10.1.1.0/24 as I dont know the /xx value for 10.0.0.0."

 

Add 10.0.0.0/8 as the destination in the static route on the pfsense. This includes all networks in the 10.x.x.x range.


That has not helped as the command 'access-list 10 deny 10.0.0.0 0.255.255.255' denies everyone access to the UTM and therefore the internet.

 

Current config:


Current configuration : 1947 bytes
!
! Last configuration change at 19:48:22 UTC Sun Aug 26 2018 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v1.site.isr
!
boot-start-marker
boot system usbflash0:c1841-advipservicesk9-mz.151-4.M3.bin
boot-end-marker
!
!
!
no aaa new-model
ip source-route
!
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
ip domain name cisco.lab
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn FCZ09101223
!
!
!
!
!
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 100
router-id 10.1.1.253
passive-interface FastEthernet0/0/0
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
!
ip http server
ip nat inside source list 10 interface FastEthernet0/0/0 overload
ip nat inside source static 10.0.0.0 0.255.255.255
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip access-list extended FILTER_VLAN30
permit ip 10.1.30.0 0.0.0.255 host 10.1.100.65
deny ip 10.1.30.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
!
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
!
control-plane
!
bridge 1 protocol ieee
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
end

 

Hello,

 

have you added the static route for 10.0.0.0/8 pointing to 20.20.20.2 on the pfsense?


@Georg Pauwen wrote:

Hello,

 

have you added the static route for 10.0.0.0/8 pointing to 20.20.20.2 on the pfsense?


See the screenshot in the last post. In theory that route won't matter if no clients can access the UTM?

Hello,

 

if 10.0.0.0/8 has been added to the pfsense, take all the NAT config off your router. At the very least, with the config below, all clients should be able to ping 20.20.20.1:

 

Current config:


Current configuration : 1947 bytes
!
! Last configuration change at 19:48:22 UTC Sun Aug 26 2018 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v1.site.isr
!
boot-start-marker
boot system usbflash0:c1841-advipservicesk9-mz.151-4.M3.bin
boot-end-marker
!
no aaa new-model
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip domain lookup
ip domain name cisco.lab
multilink bundle-name authenticated
!
license udi pid CISCO1841 sn FCZ09101223
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
ip address dhcp
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 100
router-id 10.1.1.253
passive-interface FastEthernet0/0/0
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
ip http server
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip access-list extended FILTER_VLAN30
permit ip 10.1.30.0 0.0.0.255 host 10.1.100.65
deny ip 10.1.30.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
end


@Georg Pauwen wrote:

Hello,

 

if 10.0.0.0/8 has been added to the pfsense, take all the NAT config off your router. At the very least, with the config below, all clients should be able to ping 20.20.20.1:

 

Current config:


Current configuration : 1947 bytes
!
! Last configuration change at 19:48:22 UTC Sun Aug 26 2018 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v1.site.isr
!
boot-start-marker
boot system usbflash0:c1841-advipservicesk9-mz.151-4.M3.bin
boot-end-marker
!
no aaa new-model
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip domain lookup
ip domain name cisco.lab
multilink bundle-name authenticated
!
license udi pid CISCO1841 sn FCZ09101223
!
interface FastEthernet0/1
ip address 10.1.1.253 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
ip address dhcp
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 100
router-id 10.1.1.253
passive-interface FastEthernet0/0/0
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
ip http server
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip access-list extended FILTER_VLAN30
permit ip 10.1.30.0 0.0.0.255 host 10.1.100.65
deny ip 10.1.30.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
end


I have done that and can now ping 20.20.20.1 but no internet access

Hello,

 

now check the NAT rules generated on the pfsense. Since you have added a static route for 10.0.0.0/8, that network should be included in an automatically generated rule:

 

https://www.netgate.com/docs/pfsense/nat/automatic-nat-rules-generation.html
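The two mechanisms the thread turns on are (a) how a standard ACL with wildcard masks decides which sources the `ip nat inside source list 10 ... overload` statement translates, which is why `deny 10.1.1.0 0.0.0.255` left the VLAN 203 client 10.63.12.1 translated while `deny 10.0.0.0 0.255.255.255` did not, and (b) why untranslated clients then lose internet access unless the UTM has a return route for 10.0.0.0/8 (and an outbound NAT rule covering it). The following Python script is an added illustration written for this page, not code from the original thread or from Cisco or pfSense; it models both behaviours on constructed ACLs and a constructed routing table. The "permit any" ACL labelled as the original is an assumption (the thread only says NAT was configured "to allow 0.0.0.0"), and the function names are hypothetical.

```python
import ipaddress

# Addresses mirror the thread's topology; the ACLs and routes below are
# constructed to illustrate the behaviour, not copied from a live device.
ROUTER_WAN = "20.20.20.2"   # router's 'ip nat outside' address facing the UTM


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a 0 bit in the wildcard must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def parse_standard_acl(lines):
    """Parse 'access-list <n> {permit|deny} {any | host A | NET WILDCARD}' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore comments and unrelated config lines
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            entries.append((action, parts[4], "0.0.0.0"))
        else:
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"
            entries.append((action, target, wc))
    return entries


def acl_permits(entries, addr):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, net, wc in entries:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False


def source_seen_by_utm(acl_lines, client_ip):
    """Simplified model of 'ip nat inside source list 10 interface ... overload':
    a source the list permits is translated to the WAN address; a denied source
    leaves the router untranslated, so the UTM logs the real client."""
    return ROUTER_WAN if acl_permits(parse_standard_acl(acl_lines), client_ip) else client_ip


def utm_return_route(routes, client_ip):
    """Longest-prefix lookup on a constructed UTM routing table. Returns the
    next hop the UTM would use to reply to client_ip. With only a default route,
    replies to untranslated 10.x.x.x clients go toward the ISP and never come
    back, which matches the 'no internet access' symptom in the thread."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(client_ip) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best[1] if best else None


# Constructed ACL variants from the thread (ACL_ALL is the assumed original).
ACL_ALL = ["access-list 10 permit any"]
ACL_SLASH24 = ["access-list 10 deny 10.1.1.0 0.0.0.255", "access-list 10 permit any"]
ACL_SLASH8 = ["access-list 10 deny 10.0.0.0 0.255.255.255", "access-list 10 permit any"]

# Constructed pfSense-style routing tables as (prefix, next hop).
ROUTES_NO_STATIC = [("0.0.0.0/0", "ISP")]
ROUTES_WITH_STATIC = [("0.0.0.0/0", "ISP"), ("10.0.0.0/8", ROUTER_WAN)]

if __name__ == "__main__":
    for name, acl in (("permit any", ACL_ALL), ("deny /24", ACL_SLASH24), ("deny /8", ACL_SLASH8)):
        print(f"{name:11s} VLAN 203 client 10.63.12.1 is logged by the UTM as",
              source_seen_by_utm(acl, "10.63.12.1"))
    print("reply to 10.63.12.1 without static route goes to",
          utm_return_route(ROUTES_NO_STATIC, "10.63.12.1"))
    print("reply to 10.63.12.1 with 10.0.0.0/8 route goes to",
          utm_return_route(ROUTES_WITH_STATIC, "10.63.12.1"))
```

Running it shows that only the /8 deny lets 10.63.12.1 reach the UTM untranslated, and that the UTM can only answer that client once the 10.0.0.0/8 route points back at 20.20.20.2. The model deliberately stops at routing: on a real pfSense the untranslated RFC 1918 sources additionally need to be covered by the outbound NAT rules discussed in the last post, or the ISP will drop them.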
