I have an SG500X with 2 PBRs.
LAN 192.168.5.1-32 use GE 1/1 192.168.1.2 for Internet access.
LAN 192.168.5.33-64 use GE 1/2 10.0.2.2 for Internet access.
LAN subnet 192.168.5.0: regardless of their Internet access, all hosts communicate via the same subnet.
GE 1/1 on SG500X connects to GE 1/2 on an FPR1010 which has a Subnet 192.168.1.0 and has a WAN of x.x.x.182.
So, anything on SG500X 192.168.5.1-32 will route to 192.168.1.2 which will route to x.x.x.182 for Internet.
Being that Host 192.168.5.55 would actually be on the 2nd PBR (10.0.2.2) for Internet access, it’s still on the 192.168.5.0 that also shares PBR 1 (192.168.1.2). Can I create a NAT on the FPR then a Port Forward on the Switch?
So for example, I want to SSH in to x.x.x.182 Port 66 and create a NAT/ACL to redirect that Port 66 to 192.168.1.2 and then on the FPR, being that 192.168.5.55 is on PBR2, create a Port Forward to that IP?
I have created NAT and ACL in every fashion to allow (outside) to SSH to x.x.x.182 which would NAT to 192.168.1.2 (I even tried to NAT to 192.168.5.55 and also added a static route to 192.168.5.0 via 192.168.1.2) but nothing I do allows me to connect.
Am I right to assume it is because 192.168.5.55 is on PBR2 and not PBR1 (192.168.1.2, which leads back to x.x.x.182), and therefore has no INCOMING path to it?
So I was wondering if on SG500X I would need to make a port forward “incoming port 66 ssh goes to 192.168.5.55”
Hopefully what I am attempting makes sense enough to get some guidance.
I do not have the option of SSH into the other PBR (2) as it is running through an offsite VPN and that just won’t work, so I may do as you say and move 192.168.5.55 to the PBR1 range, OR, there are 4 NICs on the host; I wonder if I could leave all as is but add, to the 2nd NIC, an IP from PBR1 exclusively for the SSH purpose.
I’ll let ya know. Thank you.
One silly question… Because I had tried so many variations of NAT and ACLs to no avail before I came to realize it wouldn’t work due to the reverse traffic, as you mentioned, and the cross-PBR functionality, I may have confused myself on the NAT on the FPR.
Would I create a NAT on Port 66 from outside/WAN to 192.168.1.2 (because 192.168.5.1-32 is part of its network), or would I do a NAT on Port 66 from outside/WAN to 192.168.5.25 (because the FPR has a static route to it and therefore would automatically know how/where to find .25, if that were the new IP of the host)? As I mentioned, there is a route 192.168.5.0 255.255.255.0 192.168.1.2.
Hello @TheGoob,
the switch is not able to perform any NAT or port forwarding action.
So on the FP1010 you need to create a static NAT that translates directly from the internal IP address 192.168.5.25 TCP 22 to the outside interface TCP 66.
>> or would I do a NAT on Port 66 from outside/WAN to 192.168.5.25 (because the FPR has a static route to it and therefore would automatically know how/where to find .25, if that were the new IP of the host)? As I mentioned, there is a route 192.168.5.0 255.255.255.0 192.168.1.2.
The second option is the only way to make it work; the switch is not able to perform any NAT.
Hope this helps.
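As an added example (not from the original thread), here is what that static NAT looks like on the ASA CLI. It assumes the FPR1010 runs the ASA image (on FTD the same objects are built in FDM/FMC instead), that the interface toward the switch is named `inside` and the Internet side `outside`, that the host is 192.168.5.25 listening on TCP 22 as in the reply above, and that the switch is reachable at 192.168.1.2 as the poster described. The outside source address 203.0.113.10 in the packet-tracer line is a constructed documentation address.

```cisco
! --- Added example, ASA CLI. Assumes inside = GE1/2 (192.168.1.x), outside = GE1/1 (x.x.x.182) ---

! The ASA must know how to reach the switch's LAN before it can forward the un-translated packet.
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1

! The real (untranslated) host.
object network SSH-HOST
 host 192.168.5.25
 ! Static PAT: <outside interface IP>:66 -> 192.168.5.25:22
 ! Syntax is "service tcp <real-port> <mapped-port>", so real 22 comes first.
 nat (inside,outside) static interface service tcp 22 66

! Post-8.3 ASA: interface ACLs reference the REAL address and REAL port (22), not the mapped 66.
access-list OUTSIDE-IN extended permit tcp any object SSH-HOST eq 22
access-group OUTSIDE-IN in interface outside

! Verification (run from enable mode):
!   show nat detail
!     -> untranslate_hits on the SSH-HOST rule should increase with each inbound attempt
!   packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.182 66
!     -> every phase (UN-NAT, ACCESS-LIST, NAT) should show ALLOW and the final result "allow"
```

The one thing this configuration cannot fix is the return path. The host's SYN-ACK has to leave through the ASA, so the switch must forward 192.168.5.25's reply traffic toward the ASA's inside address rather than toward the other gateway; if it does not, `show conn` on the ASA shows a half-open connection with only the inbound SYN and the client simply times out.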
I am curious about your response... You are suggesting internal Port 22 to outside Port 66, but I actually changed my internal port to 66 from 22. I am mentioning this because I was wondering if that changes any communication or understanding for the FPR. Is it not common practice to change the host's port as I did?
My idea was, being that I have 5 devices, instead of having everything on Port 25 and changing the outside port, to just have every host have its own unique internal/outside (same) port.
Well I am going to put this to rest, without success.
GE 1/1 - x.x.x.182
GE 1/2 - 192.168.1.0
-- All 192.168.1.x are WAN x.x.x.182
GE 1/2 connects to SG500X GE 1/1.
GE 1/1 192.168.1.7 L3
GE 1/2- 1/12 - 192.168.5.0
192.168.5.1-192.168.5.64 PBR to 192.168.1.1 via GE 1/1 192.168.1.7
Everything works fine.
I have a device running SSH on Port 66 on 192.168.5.43.
Every other device on 192.168.5.0 can SSH Port 66 into it.
No matter what I do, I can not get anything WAN side to connect to 192.168.5.43 Port 66.
I have tried every variation of ACL and NAT. I've done NO ACL and NAT. NO NAT and ACL. And both ACL and NAT with different variations. Internal Port 66 and external Port 66. Not using any forwarding from 66 (WAN) to 22 (inside). Just 66 in and out.
Unless your intentions also assumed I would know how to "fill the blank", I find your answer confusing.
route-map SSH-ACCESS permit
match ip address 100
set ip next-hop
What part of that implies Port 66 for my [source] and destination SSH port on device 192.168.5.43? I understand the name SSH-ACCESS permit to "allow" it, but what is the 'match ip address 100'? I am unsure what 100 means. As far as 'ip next-hop', does this refer to "incoming", as in it would be 192.168.5.43?
I DO understand your next comment about adding it to the TOP of the PBR's.
Here is a picture to hopefully make more sense.
Forgive my slow thinking...
Would I translate that to;
route-map SSH-ACCESS permit
match ip address 100
set ip next-hop 192.168.1.2 (the IP pointed towards the FPR1010 from the SG500X?)
ip access-list extended 100
permit tcp host 192.168.1.2 host 192.168.5.43 eq 22
Man I just do not know why I am having a mental issue over comprehending this.
Don't say that, we all need help sometimes.
And yes, your config is perfect.
This makes only the SSH traffic go to the FPR;
other traffic from the same subnet will go to the other GW <<- here you need to add another PBR line:
route-map SSH-ACCESS permit 10
route-map SSH-ACCESS permit 20
match ip address <ACL of other traffic>
set ip next-hop <IP ADD>
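Here is the complete two-entry route-map the reply above describes, as an added example (not the poster's or the replier's own configuration). It uses the IOS-style syntax the thread has been using; the SG500X CLI uses named ACLs and `match ip address access-list NAME`, so check the Sx500 command reference for the exact forms. Assumptions: the host is 192.168.5.43 listening on TCP 66 as stated in the thread, the FPR1010's inside address is 192.168.1.1, the second gateway is 10.0.2.2 from earlier in the thread, the hosts sit in VLAN 1, and the "other traffic" range is approximated as 192.168.5.32/27 (.32-.63), since the .33-.64 split in the thread does not fall on a mask boundary.

```cisco
! --- Added example, IOS-style PBR on the LAN switch ---
! PBR only acts on traffic the switch forwards from the hosts, so what it must
! steer is the host's REPLY traffic (source 192.168.5.43, source port 66) toward
! the firewall that the inbound SYN came through.

! ACL 100: SSH replies leaving the host on TCP 66 (source port), to anywhere.
ip access-list extended 100
 permit tcp host 192.168.5.43 eq 66 any

! ACL 101: everything else from the PBR2 range (.32/27, adjust to your real split).
ip access-list extended 101
 permit ip 192.168.5.32 0.0.0.31 any

! Sequence numbers matter: entry 10 must be evaluated before entry 20, because
! ACL 101 would also match the host's SSH replies and send them to the wrong gateway.
route-map SSH-ACCESS permit 10
 match ip address 100
 set ip next-hop 192.168.1.1
route-map SSH-ACCESS permit 20
 match ip address 101
 set ip next-hop 10.0.2.2

! Apply the policy on the interface where the LAN traffic ENTERS the switch.
interface vlan 1
 ip policy route-map SSH-ACCESS

! Verification:
!   show route-map SSH-ACCESS   -> the "policy routing matches" counter for entry 10
!                                  should increase while an outside SSH session is attempted
```

Traffic from 192.168.5.43 that is not an SSH reply (web browsing, updates) still matches entry 20 and leaves via 10.0.2.2, which is the intended split. The inbound SYN from the firewall is never touched by this policy: it arrives on GE 1/1 and is routed to the host by the normal routing table.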
I have not gotten around to doing this yet due to work. I did have an in between indirect question.
Why is it that no device on the 192.168.5.0 can connect to 192.168.5.1 (SG500X) unless I remove the gateway? On my PC, no matter what 192.168.5.0 IP I use, I can not connect to https://192.168.5.1 unless I remove my PC/host gateway. If I leave it 0.0.0.0 I can then connect to 192.168.5.1.
Oddly enough, with a gateway, I can connect to 192.168.1.1 (FPR1010) that the SG500X connects to. How is that even possible? I’d love to be able to configure my SG500X from my PC without losing my gateway and therefore Internet as well.
I assume it is because the 192.168.5.0 uses PBR to 192.168.1.7 for Internet access, maybe disabling my ability to do so?