Cisco Router NAT transparency

AvidPontoon1
Level 1

I have a firewall box that sits between the 'WAN' port on a Cisco 2811 and the main ISP line into my building. The topology looks like:

ISP CONNECTION IN
        |
       UTM
        |
  CISCO ROUTER

My problem is logging on the UTM. It runs a DNS filtering service that filters the network traffic for the site. Between the UTM and the router there is a class C subnet: 20.20.20.0/24. The UTM has 20.20.20.1 and the router has 20.20.20.2. The Cisco router has NAT configured on it to allow 0.0.0.0. When a client visits a blocked page, the UTM logs this with the IP of the client. The problem I am having is that the client IP address is always 20.20.20.2 (the IP of the WAN on the router) and not the IP of the actual client.

 

How can I get the firewall to see the actual client IP? I've narrowed it down to NAT on the router but have no idea how to configure it. Could someone please explain what I need to do?

 

33 Replies


@Georg Pauwen wrote:

Hello,

now check the NAT rules generated on the pfSense. Since you have added a static route for 10.0.0.0/8, that network should be included in an automatically generated rule:

 

https://www.netgate.com/docs/pfsense/nat/automatic-nat-rules-generation.html


See attached image...

Hello,

 

check if Manual NAT has been enabled.

 

https://www.netgate.com/docs/pfsense/nat/advanced-outbound-nat.html

 

The logic is as follows:

 

Your entire network can access the pfSense, and the pfSense can access the entire network. The thing left to do is let the pfSense know that it has to translate (NAT) both 10.0.0.0/8 and 20.20.20.0/24.
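As an added illustration of the logic in the reply above (this is editorial example configuration, not part of the original thread and not any poster's running config): a Cisco IOS fragment for the 2811 as described in the question, where NAT overload hides every client behind 20.20.20.2, followed by the same router with NAT removed so that the UTM sees each client's own 10.x source address. The interface names, the 10.0.0.1 LAN address and the access-list number are assumptions; the 10.0.0.0/8 and 20.20.20.0/24 networks and the 20.20.20.1/.2 addresses come from the thread.

```cisco
! ---- BEFORE (assumed reconstruction of the symptom) ----
! Every client is translated to the WAN address 20.20.20.2, so the UTM
! can only ever log 20.20.20.2 as the "client".
interface FastEthernet0/0
 description WAN towards UTM (20.20.20.1)
 ip address 20.20.20.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description LAN (address is an assumption)
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
access-list 1 permit any
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 20.20.20.1

! ---- AFTER ----
! The router only routes. Packets leave FastEthernet0/0 with the real
! 10.x source address, and the pfSense (which already has a static route
! for 10.0.0.0/8 via 20.20.20.2) does the single NAT to the Internet.
! Run "clear ip nat translation *" in exec mode before removing the rule.
no ip nat inside source list 1 interface FastEthernet0/0 overload
no access-list 1
!
interface FastEthernet0/0
 no ip nat outside
!
interface FastEthernet0/1
 no ip nat inside
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
```

After the change, `show ip nat translations` on the 2811 should be empty and a blocked-page hit on the UTM should log a 10.x address. On the pfSense side this relies on three things: the static route for 10.0.0.0/8 via 20.20.20.2, an outbound NAT entry for 10.0.0.0/8 on its WAN (automatic or under Manual Outbound NAT, as the linked pages describe), and a pass rule on the interface facing 20.20.20.0/24 that allows source 10.0.0.0/8; pfSense drops traffic that no pass rule on the ingress interface matches, and the default "LAN net" rule does not cover 10.0.0.0/8.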

Still nothing; failing to ping 20.20.20.1 now from all clients.

Post your current running configuration...
