Curious if I need Port Forwarding on a Switch running (2) PBR’s

TheGoob
Beginner

Hello

I have an SG500X with 2 PBRs.
LAN 192.168.5.1-32 uses GE 1/1 (192.168.1.2) for Internet access.

LAN 192.168.5.33-64 uses GE 1/2 (10.0.2.2) for Internet access.

Hosts in LAN subnet 192.168.5.0, regardless of their Internet access path, communicate via the same subnet.


GE 1/1 on the SG500X connects to GE 1/2 on an FPR1010, which has subnet 192.168.1.0 and a WAN address of x.x.x.182.

So, anything on SG500X 192.168.5.1-32 will route to 192.168.1.2, which will route to x.x.x.182 for Internet.

Although host 192.168.5.55 would actually use the 2nd PBR (10.0.2.2) for Internet access, it's still on 192.168.5.0, which also shares PBR 1 (192.168.1.2). Can I create a NAT on the FPR and then a port forward on the switch?

So, for example, I want to SSH in to x.x.x.182 port 66 and create a NAT/ACL to redirect that port 66 to 192.168.1.2, and then on the FPR, since 192.168.5.55 is on PBR2, create a port forward to that IP?


I have created NAT and ACL in every fashion to allow (outside) to SSH to x.x.x.182 which would NAT to 192.168.1.2 (I even tried to NAT to 192.168.5.55 and also added a static route to 192.168.5.0 via 192.168.1.2) but nothing I do allows me to connect.

Am I right to assume it is because 192.168.5.55 is on PBR2 and not PBR1 (192.168.1.2, which leads back to x.x.x.182), and therefore has no INCOMING path to it?

So I was wondering if on the SG500X I would need to make a port forward "incoming port 66 SSH goes to 192.168.5.55".

Hopefully what I am attempting makes sense enough to get some guidance.


26 REPLIES

Jon Marshall
VIP Community Legend


The issue will be the return traffic because that will go via the g1/2 interface and so be translated to a different public IP presumably.

So either move 192.168.5.55 to the PBR 1 configuration or set up the SSH to 192.168.5.55 using the other public IP.

Jon


Makes sense.

I do not have the option of SSH into the other PBR (2) as it is running through an offsite VPN and that just won't work, so I may do as you say and move 192.168.5.55 to the PBR1 range. OR, there are 4 NICs on the host; I wonder if I could leave all as is but add, to the 2nd NIC, an IP from PBR 1 exclusively for the SSH purpose.

I'll let ya know. Thank you.

One silly question... Because I have tried so many variations of NAT and ACLs to no avail before I came to realize it wouldn't work due to the reverse traffic as you mentioned and cross-PBR functionality, I may have confused myself on the NAT on the FPR.

Would I create a NAT on port 66 from outside/WAN to 192.168.1.2 (because 192.168.5.1-32 is part of its network), or would I do NAT port 66 from outside/WAN to 192.168.5.25 (because the FPR has a static route to it and therefore would automatically know how/where to find .25, if that were the new IP of the host)? As I mentioned, there is a route 192.168.5.0 255.255.255.0 192.168.1.2.


Hello @TheGoob ,

the switch is not able to perform any NAT or port forwarding action.

So on the FP1010 you need to create a static NAT that translates internal IP address 192.168.5.25 TCP 22 directly to the outside interface TCP 66.

>> or would I do NAT port 66 from outside/WAN to 192.168.5.25 (because the FPR has a static route to it and therefore would automatically know how/where to find .25, if that were the new IP of the host)? As I mentioned, there is a route 192.168.5.0 255.255.255.0 192.168.1.2.

The second option is the only way to make it work; the switch is not able to perform any NAT.

Hope to help

Giuseppe


I am curious about your response... You are suggesting internal port 22 to outside port 66, but I actually changed my internal port to 66 from 22. I am mentioning this because I was wondering if that changes any communication of understanding for the FPR. Is it not common practice to change the host's port as I did?

My idea was, since I have 5 devices, instead of having everything on port 25 and changing the outside port, to just have every host have its own unique internal/outside (same) port.

Well I am going to put this to rest, without success.

FPR1010:

GE 1/1 - x.x.x.182

GE 1/2 - 192.168.1.0

     -- All 192.168.1.x are WAN x.x.x.182

GE 1/2 connects to SG500X GE 1/1.

SG500X:

GE 1/1 192.168.1.7 L3

GE 1/2 - 1/12 - 192.168.5.0

192.168.5.1-192.168.5.64 PBR to 192.168.1.1 via GE 1/1 192.168.1.7

Everything works fine.

I have a device running SSH on port 66 on 192.168.5.43.

Every other device on 192.168.5.0 can SSH on port 66 into it.

No matter what I do, I cannot get anything WAN side to connect to 192.168.5.43 port 66.

I have tried every variation of ACL and NAT. I've done NO ACL and NAT. NO NAT and ACL. And both ACL and NAT with different variations. Internal port 66 and external port 66. Not using any forwarding from 66 (WAN) to 22 (inside). Just 66 in and out.


MHM Cisco World
Advisor

I don't fully understand your requirement BUT
route-map SSH-ACCESS permit
match ip address 100
set ip next-hop
!
Here the ACL will not be IP but L4 TCP port 66; this makes only traffic with TCP port 66 as source take the PBR path, and other traffic from the same host takes the other path via RIB or PBR.

Hello

Unless your intentions also assumed I would know how to "fill the blank", I find your answer confusing.

route-map SSH-ACCESS permit
match ip address 100
set ip next-hop

What part of that implies port 66 for my [source] and destination SSH port on device 192.168.5.43? I understand the name SSH-ACCESS permit to "allow" it, but what is the 'match ip address 100'? I am unsure what 100 means. As far as 'ip next-hop', does this refer to "incoming", as in it would be 192.168.5.43?

I DO understand your next comment about adding it to the TOP of the PBRs.

Here is a picture to hopefully make more sense.

finalattempt.jpg


ip access-list extended 100
permit tcp host<   > host<   > eq 22

Forgive my slow thinking...

Would I translate that to:

route-map SSH-ACCESS permit
match ip address 100
set ip next-hop 192.168.1.2 (the IP pointed towards the FPR1010 from the SG500X?)

ip access-list extended 100
permit tcp host 192.168.1.2 host 192.168.5.43 eq 22

Man, I just do not know why I am having a mental issue over comprehending this.

Don't say that, we all need help sometimes.
And yes, your config is perfect.
This makes only SSH traffic go to the FPR;
other traffic from the same subnet will go to the other GW <<- here you need to add another PBR line

route-map SSH-ACCESS permit 10
!
route-map SSH-ACCESS permit 20 
match ip address <ACL of other traffic>
set ip next-hop <IP ADD>

Beautiful, thank you.

I do indeed currently have a PBR1 that tells 192.168.5.1-192.168.5.64 to use it [192.168.1.2] as its Internet gateway, which communicates back to the FPR.

I will give this a shot tonight if I get home early enough, or tomorrow, and keep you updated.

Thank you

MHM Cisco World
Advisor

ONE important point:
if you add the PBR line after any line whose ACL permits the same subnet, then this PBR line will never be checked by the SW; you need to add it at the top of the PBR.

TheGoob
Beginner

I have not gotten around to doing this yet due to work. I did have an in-between indirect question.

Why is it that no device on 192.168.5.0 can connect to 192.168.5.1 (SG500X) unless I remove the gateway? On my PC, no matter what 192.168.5.0 IP I use, I cannot connect to https://192.168.5.1 unless I remove my PC/host gateway. If I leave it 0.0.0.0, I can then connect to 192.168.5.1.

Oddly enough, with a gateway, I can connect to 192.168.1.1 (FPR1010) that the SG500X connects to. How is that even possible? I'd love to be able to configure my SG500X from my PC without losing my gateway, and therefore Internet, as well.

I assume it is because 192.168.5.0 uses PBR to 192.168.1.7 for Internet access, maybe disabling my ability to do so?
