I have a SG500X with 2 PBRs.
LAN 192.168.5.1-32 use GE 1/1 192.168.1.2 for Internet Access
LAN 192.168.5.33-64 use GE 1/2 10.0.2.2 for Internet Access.
LAN Subnet 192.168.5.0, regardless of their Internet access communicate via same Subnet.
GE 1/1 on SG500X connects to GE 1/2 on an FPR1010 which has a Subnet 192.168.1.0 and has a WAN of x.x.x.182.
So, anything on SG500X 192.168.5.1-32 will route to 192.168.1.2 which will route to x.x.x.182 for Internet.
Being that Host 192.168.5.55 would actually be on the 2nd PBR (10.0.2.2) for Internet access, it’s still on the 192.168.5.0 that also shares PBR 1 (192.168.1.2). Can I create a NAT on the FPR then a Port Forward on the Switch?
So for example, I want to SSH in to x.x.x.182 Port 66 and create a NAT /ACL to redirect that Port 66 to 192.168.1.2 and then on the FPR, being 192.168.5.55 is on the PBR2, create a Port Forward to that IP?
I have created NAT and ACL in every fashion to allow (outside) to SSH to x.x.x.182 which would NAT to 192.168.1.2 (I even tried to NAT to 192.168.5.55 and also added a static route to 192.168.5.0 via 192.168.1.2) but nothing I do allows me to connect.
Am I right to assume it is because the 192.168.5.55 is on PBR2 and not PBR1, 192.168.1.2 which leads back to x.x.x.182, and therefore has no INCOMING path to it?
So I was wondering if on SG500X I would need to make a port forward “incoming port 66 ssh goes to 192.168.5.55”
Hopefully what I am attempting makes sense enough to get some guidance.
I am pretty sure this is what I have, offhand. I also wonder, by looking at this, would this explain why no access is allowed in from the WAN side? And to mention, I have not yet added the new PBR you suggested at this point, but here it is;
access-list 101 permit ip 192.168.5.0 0.0.0.63 any
access-list 102 permit ip 192.168.5.65 0.0.0.63 any
route-map tointernet permit 10
match ip address 101
set ip next-hop 192.168.1.1
route-map tointernet permit 11
match ip address 102
set ip next-hop 192.168.2.1
ip policy route-map tointernet
Now, I do have the next hops of the end Router IP, not the local Ethernet IPs. I assume it would know that to get to 192.168.1.1 it would use 192.168.1.7 (GE 1/1) for example for PBR 1. My meaning is, would the next hop be the destination router or the Local IP that connects to the destination IP?
In my scenario;
PBR 1 allocates 192.168.5.1-192.168.5.64 to use 192.168.1.1 (via 192.168.1.7 GE 1/1) to access Internet on that router
PBR 2 allocates 192.168.5.65-192.168.5.128 to use 192.168.2.1 (via 192.168.2.7 GE 1/2) to access Internet (different Internet)
That is the only configuration on the SG500X, and I am wondering why a device in the 192.168.5.0 (.1-.128) cannot access 192.168.5.1 unless I remove the Gateway on the Host trying to connect. I am wondering if it is due to the PBR? I won't be removing my PBRs, so if it is impossible, I will deal with it.
Aside from that, now seeing my PBRs and their setup, can you see any obvious reason why Host 192.168.5.43 (on PBR1) would not be able to receive SSH Connectivity via the WAN side?
Two hosts in the same subnet:
the Router R1 will forward any traffic from host 10.0.0.2 to the server connected via S3/3 using PBR
the Router R1 will forward any traffic from host 10.0.0.3 to the server connected via S3/0 using PBR
I am not talking about connecting hosts in the same subnet.
NOTE:- the default GW on both hosts is the same, 10.0.0.1
NOTE:- the return traffic must be configured on both Servers.
R6 in my lab represents the PC you use to SSH to R2 (10.0.0.2)
R1 is configured with PBR and we can successfully ping from R2 to LO 184.108.40.206 in R5 (FW icon)
until now everything is OK in the config
but we assign from the PC connected to R5 (FW icon),
so we need port-forwarding
ip nat inside source static tcp 10.0.0.2 23 interface f0/0 223   (10.0.0.2 is R2, f0/0 is the R5 interface)
WHY IS THE PORT DIFFERENT?
because if you run SSH on R5 then R5 will handle the traffic as if it were sent to it, not sent to R2 (10.0.0.2)
after that I can easily telnet to R2 (10.0.0.2) from R6, no issue at all.
NOTE:- R6 has no need to know the route toward 10.0.0.2 because it uses the R5 interface f0/0 to access it, not 10.0.0.2
the power of NAT
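The following is an added example, not code from either poster or from Cisco: a small Python model of the two mechanisms discussed in this thread, the SG500X route-map (ACL 101/102 with wildcard masks choosing a next hop) and a static NAT port forward of the kind shown above. It assumes 203.0.113.182 as a documentation placeholder for the real x.x.x.182 WAN address, 192.168.5.43 as the forwarded-to host, the thread's 66 -> 23 port pair, and a constructed second forward to 192.168.5.100 to show what happens when the forwarded host sits in the other PBR's range. It also shows what `192.168.5.65 0.0.0.63` actually matches (.64-.127, not .65-.128), since a wildcard mask only clears the bits it covers.

```python
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(base) & keep)


def matched_range(base: str, wildcard: str) -> tuple[str, str]:
    """First and last address an ACL entry really covers.

    192.168.5.65 0.0.0.63 keeps only the top 26 bits of .65, i.e. .64,
    so it matches .64-.127 rather than the .65-.128 the poster intended.
    """
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    first = _ip(base) & keep
    last = first | _ip(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


# route-map tointernet exactly as posted: (ACL base, wildcard, next hop)
ROUTE_MAP = [
    ("192.168.5.0", "0.0.0.63", "192.168.1.1"),   # seq 10, access-list 101
    ("192.168.5.65", "0.0.0.63", "192.168.2.1"),  # seq 11, access-list 102
]

DEFAULT_GW = "192.168.5.1"  # assumed: the switch's own SVI, used when no clause matches


def pbr_next_hop(src: str) -> str:
    """Evaluate route-map clauses in order; first matching ACL wins."""
    for base, wc, next_hop in ROUTE_MAP:
        if wildcard_match(src, base, wc):
            return next_hop
    return DEFAULT_GW


# Static NAT on the edge router reached via 192.168.1.1:
# (outside ip, outside port) -> (inside ip, inside port).
# 203.0.113.182 is a placeholder for x.x.x.182; the :67 entry is constructed
# to point at a host in PBR2's range for contrast.
NAT_TABLE = {
    ("203.0.113.182", 66): ("192.168.5.43", 23),
    ("203.0.113.182", 67): ("192.168.5.100", 23),
}


def nat_inbound(dst_ip: str, dst_port: int):
    """Destination translation for a packet arriving on the outside interface."""
    return NAT_TABLE.get((dst_ip, dst_port))


def inbound_session_ok(dst_ip: str, dst_port: int, nat_router: str):
    """Does an inbound connection through nat_router complete?

    The NAT router only sees the reply if the inside host's reply is
    policy-routed back to that same router; otherwise the session is
    asymmetric and the translation state is never matched.
    """
    translated = nat_inbound(dst_ip, dst_port)
    if translated is None:
        return False, "no NAT entry for that outside port"
    inside_ip, inside_port = translated
    reply_hop = pbr_next_hop(inside_ip)
    if reply_hop != nat_router:
        return False, f"asymmetric: reply from {inside_ip} leaves via {reply_hop}, not {nat_router}"
    return True, f"{inside_ip}:{inside_port}"


if __name__ == "__main__":
    print(matched_range("192.168.5.65", "0.0.0.63"))
    for host in ("192.168.5.43", "192.168.5.100", "192.168.5.200"):
        print(host, "->", pbr_next_hop(host))
    print(inbound_session_ok("203.0.113.182", 66, "192.168.1.1"))
    print(inbound_session_ok("203.0.113.182", 67, "192.168.1.1"))
```

Run it and the two `inbound_session_ok` calls show the difference the thread is circling: a forward to a host whose source address is policy-routed back toward the same router that holds the NAT succeeds, while a forward to a host in the other clause's range fails because its reply never returns through the translating router.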
So I think I am grasping this more, but I have a few questions (more when I post my configs for FPR and SG500).
1.) You mention I need a 'port forward', is this done on the FPR or the SG500X?
2.) Do I need both NAT and ACL on the FPR to "direct" incoming Port 66 to destination Port 23?
I assume I need an ACL to PERMIT the traffic, and then a NAT to "forward" incoming (x.x.x.182) 66 to destination (192.168.5.43) 23.
Is that the port forwarding you speak of? Or in addition to, or just yours and Not NAT?
1.) Do I need both NAT and ACL on the FPR to "direct" incoming Port 66 to destination Port 23? YES
I assume I need an ACL to PERMIT the traffic, and then a NAT to "forward" incoming (x.x.x.182) 66 to destination (192.168.5.43) 23. YES YES
you need ACL to permit the traffic and you need NAT to forward traffic.
2.) You mention I need a 'port forward', is this done on the FPR or the SG500X? NO NEED in SG500X