06-29-2022 12:53 PM
Hello
I have an SG500X with 2 PBRs.
LAN 192.168.5.1-32 use GE 1/1 192.168.1.2 for Internet Access
LAN 192.168.5.33-64 use GE 1/2 10.0.2.2 for Internet Access.
LAN Subnet 192.168.5.0, regardless of their Internet access communicate via same Subnet.
GE 1/1 on SG500X connects to GE 1/2 on an FPR1010 which has a Subnet 192.168.1.0 and has a WAN of x.x.x.182.
So, anything on SG500X 192.168.5.1-32 will route to 192.168.1.2 which will route to x.x.x.182 for Internet.
Being that Host 192.168.5.55 would actually be on the 2nd PBR (10.0.2.2) for Internet access, it’s still on the 192.168.5.0 that also shares PBR 1 (192.168.1.2). Can I create a NAT on the FPR then a Port Forward on the Switch?
So for example, I want to SSH in to x.x.x.182 Port 66 and create a NAT/ACL to redirect that Port 66 to 192.168.1.2 and then on the FPR, being 192.168.5.55 is on the PBR2, create a Port Forward to that IP?
I have created NAT and ACL in every fashion to allow (outside) to SSH to x.x.x.182 which would NAT to 192.168.1.2 (I even tried to NAT to 192.168.5.55 and also added a static route to 192.168.5.0 via 192.168.1.2) but nothing I do allows me to connect.
Am I right to assume it is because the 192.168.5.55 is on PBR2 and not PBR1, 192.168.1.2 which leads back to x.x.x.182, and therefore has no INCOMING path to it?
So I was wondering if on SG500X I would need to make a port forward “incoming port 66 ssh goes to 192.168.5.55”
Hopefully what I am attempting makes sense enough to get some guidance.
09-16-2022 01:52 PM - edited 09-17-2022 10:36 AM
Well I still have not been able to make this work, and believe you me, I have tried every variation.
What puzzles me is that my server has 6 STATIC WAN IPs; the FPR1010 itself is x.x.x.182 but I also have .177 - .181. I have Static NAT on, for example, x.x.x.177 to 192.168.5.55 and SSH works fine from 'outside'. I have x.x.x.178 to 192.168.5.56 and SSH works fine from outside but NOTHING will allow me to connect to SSH on 192.168.5.43 which I have made a NAT for and ACLs etc.
Being that x.x.x.182 is the FPR itself, is SSH by default blocked or disabled on the FPR? Could that be blocking it? I have set up the SSH on 192.168.5.43/x.x.x.182 exactly as I have the others but nothing works. Something has to be disabling/blocking it. Why else would 2 Static IPs work and the FPR not unless it itself was blocking it?
Long story short; even though I have NAT and an ACL, could the FPR itself have SSH Disabled/Blocked in a different configuration tab? And being that the other 2 STATIC NATs do work, could it be because they are not the FPR address and are bypassing the FPR default SSH being disabled?
06-29-2022 02:05 PM
The issue will be the return traffic because that will go via the g1/2 interface and so be translated to a different public IP presumably.
So either move 192.168.5.55 to the PBR 1 configuration or setup the SSH to 192.168.5.55 using the other public IP.
Jon
06-29-2022 02:26 PM
Makes sense.
I do not have the option of SSH into the other PBR(2) as it is running through offsite VPN and that just won’t work so I may do as you say, move the 192.168.5.55 to the PBR1 range, OR, there are 4 NICs on the Host; I wonder if I could leave all as is but add, to the 2nd NIC, an IP from PBR 1 exclusively for the SSH purpose.
I’ll let ya know. Thank you.
06-29-2022 02:35 PM
One silly question… Because I have tried so many variations of NAT and ACLs to no avail before I have come to realize it wouldn’t work due to the reverse traffic as you mentioned and cross PBR functionality, I may have confused myself on the NAT on the FPR.
Would I create a NAT on Port 66 from outside/wan to 192.168.1.2 (because 192.168.5.1-32 is part of its network) or would I do NAT Port 66 from outside/wan to 192.168.5.25 (because the FPR has a static route to it and therefore would automatically know how/where to find .25) (If that were the new IP of the Host)). As I mentioned there is a route 192.168.5.0 255.255.255.0 192.168.1.2.
07-02-2022 02:58 PM
Hello @TheGoob ,
the switch is not able to perform any NAT or Port forwarding action.
So you need on the FP1010 to create a static NAT that will translate directly to internal IP address 192.168.5.25 TCP 22 to outside interface TCP 66.
>> or would I do NAT Port 66 from outside/wan to 192.168.5.25 (because the FPR has a static route to it and therefore would automatically know how/where to find .25) (If that were the new IP of the Host)). As I mentioned there is a route 192.168.5.0 255.255.255.0 192.168.1.2.
The second option is the only way to make it work; the switch is not able to perform any NAT.
Hope to help
Giuseppe
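The static NAT Giuseppe describes (outside TCP 66 translated to 192.168.5.25 TCP 22, with the firewall holding a route to 192.168.5.0/24 via 192.168.1.2), written out as an added example that is not part of this thread. It assumes the FPR1010 runs the ASA image (not FDM/FTD) and that its interfaces are named "inside" and "outside"; those names, the object name SSH-HOST and the ACL name OUTSIDE-IN are assumptions, the addresses are the ones from the post.

```ios
! Added example, not from this thread. Assumes the FPR1010 runs ASA software
! with the 192.168.1.x side named "inside" and x.x.x.182 on "outside".
!
! Route so the firewall can reach the 192.168.5.0/24 subnet that sits behind the SG500X
route inside 192.168.5.0 255.255.255.0 192.168.1.2
!
! Network object for the SSH host with a static PAT:
! outside interface TCP 66  ->  192.168.5.25 TCP 22
object network SSH-HOST
 host 192.168.5.25
 nat (inside,outside) static interface service tcp 22 66
!
! On ASA 8.3 and later the inbound ACL is written against the real (untranslated)
! address and the real port (22), not the outside port (66)
access-list OUTSIDE-IN extended permit tcp any object SSH-HOST eq 22
access-group OUTSIDE-IN in interface outside
!
! Verification after a client tries to connect:
!   show nat detail              (translate_hits / untranslate_hits on the SSH-HOST rule)
!   show access-list OUTSIDE-IN  (hitcnt on the permit line)
!   packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.182 66
!   (203.0.113.10 is a constructed test client address; the NAT, ACL and ROUTE
!    phases of packet-tracer show where a connection is dropped)
```

The `any` source matches the thread's request to allow SSH from outside generally; where the administrator's client addresses are known, replacing `any` with those hosts narrows the exposure of the SSH port. The packet-tracer output is also the quickest way to see whether the drop happens at the ACL, the NAT or the route lookup, which is the distinction the original poster could not make from trying variations.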
07-05-2022 09:28 AM
I am curious about your response... You are suggesting Internal Port 22 to Outside Port 66, but I actually changed my Internal Port to 66 from 22.. I am mentioning this because I was wondering if that changes any communication of understanding for the FPR. Is it not common practice to change the Host's Port as I did?
My idea was being I have 5 devices and instead of having everything on Port 25 and changing outside port to just have every Host have its own unique Internal/outside (same) port.
07-19-2022 02:23 PM - last edited on 09-19-2022 12:36 AM by Translator
Well I am going to put this to rest, without success.
FPR1010;
GE 1/1 - x.x.x.182
GE 1/2 - 192.168.1.0
-- All 192.168.1.x are WAN x.x.x.182
GE 1/2 connects to SG500X GE 1/1.
SG500X;
GE 1/1 192.168.1.7 L3
GE 1/2- 1/12 - 192.168.5.0
192.168.5.1-192.168.5.64 PBR to 192.168.1.1 via GE 1/1 192.168.1.7
Everything works fine.
I have a device running SSH on Port 66 on 192.168.5.43.
Every other device on 192.168.5.0 can SSH Port 66 into it.
No matter what I do, I can not get anything WAN side to connect to 192.168.5.43 Port 66.
I have tried every variation of ACL and NAT. I've done NO ACL and NAT. NO NAT and ACL. And both ACL and NAT with different variations. Internal Port 66 and External Port 66. Not using any forwarding from 66 (wan) to 22 (inside). Just 66 in and out.
07-19-2022 03:34 PM - last edited on 09-19-2022 12:37 AM by Translator
I don't fully understand your requirement BUT
route-map SSH-ACCESS permit
match ip address 100
set ip next-hop
!
Here the ACL will not be IP but L4 TCP port 66;
this makes only traffic with TCP port 66 as source use the PBR, and other traffic takes the other path via RIB or PBR.
07-28-2022 09:15 AM - last edited on 09-19-2022 12:39 AM by Translator
Hello
Unless your intentions also assumed I would know how to "fill the blank", I find your answer confusing.
route-map SSH-ACCESS permit
match ip address 100
set ip next-hop
What part of that implies Port 66 for my [source] and destination SSH Port on device 192.168.5.43? I understand the name SSH-ACCESS permit to "allow" it but what is the
match ip address 100?
I am unsure what 100 means? As far as
ip next-hop
does this refer to "incoming" as in it would be 192.168.5.43?
I DO understand your next comment about adding it to the TOP of the PBRs.
Here is a picture to hopefully make more sense.
07-28-2022 09:22 AM - last edited on 09-19-2022 12:39 AM by Translator
ip access-list extended 100
permit tcp host< > host< > eq 22
07-28-2022 12:35 PM - last edited on 09-19-2022 12:40 AM by Translator
Forgive my slow thinking...
Would I translate that to;
route-map SSH-ACCESS permit
match ip address 100
set ip next-hop 192.168.1.2 (the IP pointed towards the FPR1010 from the SG500X?)
ip access-list extended 100
permit tcp host 192.168.1.2 host 192.168.5.43 eq 22
Man I just do not know why I am having a mental issue over comprehending this.
07-28-2022 12:40 PM - last edited on 09-19-2022 12:41 AM by Translator
Don't say that, all of us sometimes need help.
And yes, your config is perfect.
This makes only traffic for SSH go to the FPR;
other traffic from the same subnet will go to the other GW <<- here you need to add another PBR line
route-map SSH-ACCESS permit 10
!
route-map SSH-ACCESS permit 20
match ip address <ACL of other traffic>
set ip next-hop <IP ADD>
07-28-2022 01:31 PM
Beautiful, thank you.
I do indeed currently have a PBR1 that does tell 192.168.5.1-192.168.5.64 to use it [192.168.1.2] as its Internet Gateway which communicates back to the FPR.
I will give this a shot tonight if I get home early enough or tomorrow and keep you updated.
Thank you
07-19-2022 03:39 PM
ONE important point:
if you add a PBR line after any line that has an ACL permitting the same subnet, then this PBR line will never be checked by the switch; you need to add it at the top of the PBR.
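The two-sequence route-map MHM outlines (SSH traffic first, everything else second) together with the ordering point above, as an added example that is not part of this thread. It uses IOS-style PBR syntax, which is assumed to carry over to the SG500X route-map commands; 192.168.5.43 (SSH host on TCP 66) and 192.168.1.2 (next hop toward the FPR1010) come from the thread, while 10.0.2.2 as the second gateway, ACL number 101 and interface vlan 5 are assumptions. It also matches the source port rather than the destination port, following the earlier remark that the SSH host's own outbound packets (its replies) are the ones that must be steered back toward the FPR.

```ios
! Added example, not from this thread. IOS-style PBR syntax assumed to apply to the
! SG500X; vlan 5, ACL 101 and next hop 10.0.2.2 are assumptions.
!
! ACL 100: packets sent by the SSH service on 192.168.5.43 (source port 66).
! These are the replies to an outside client, and they must leave via the
! FPR1010 path so the client sees them come from the same public IP it used.
ip access-list extended 100
 permit tcp host 192.168.5.43 eq 66 any
!
! ACL 101: everything else from the subnet that is supposed to use gateway 2.
! In a real deployment this is the ACL already used by the existing second PBR.
ip access-list extended 101
 permit ip 192.168.5.0 0.0.0.255 any
!
! Sequence 10 MUST come before any sequence whose ACL permits the whole subnet:
! route-map sequences are evaluated in order and the first match wins, so if the
! subnet-wide entry came first, 192.168.5.43's replies would match it and the
! SSH-specific entry would never be evaluated.
route-map SSH-ACCESS permit 10
 match ip address 100
 set ip next-hop 192.168.1.2
!
route-map SSH-ACCESS permit 20
 match ip address 101
 set ip next-hop 10.0.2.2
!
! Apply the policy on the L3 interface where the 192.168.5.0/24 hosts enter the switch
interface vlan 5
 ip policy route-map SSH-ACCESS
!
! Verification:
!   show route-map SSH-ACCESS   (policy routing match counters per sequence;
!                                sequence 10 should increment during an SSH test)
!   show access-lists 100       (hit count on the port-66 line)
```

If sequence 10 never shows matches while SSH from outside still fails, the drop is happening before the switch ever sees a reply, i.e. on the firewall side (NAT, ACL or the route toward 192.168.5.0/24), which separates the two halves of the problem this thread keeps circling.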
08-04-2022 01:51 PM
I have not gotten around to doing this yet due to work. I did have an in between indirect question.
Why is it that no device on the 192.168.5.0 can connect to 192.168.5.1 (SG500X) unless I remove the Gateway? On my PC, no matter what 192.168.5.0 IP I use, I can not connect to https://192.168.5.1 unless I remove my PC/Host Gateway. If I leave it 0.0.0.0 I can then connect to 192.168.5.1.
Oddly enough, with a Gateway, I can connect to 192.168.1.1 (FPR1010) that the SG500X connects to. How is that even possible? I’d love to be able to configure my SG500X from my PC without losing my gateway and therefore Internet as well.
I assume it is because the 192.168.5.0 uses PBR to 192.168.1.7 for Internet access, maybe disabling my ability to do so?