
Curious if I need Port Forwarding on a Switch running (2) PBR’s

TheGoob
Beginner

Hello

 

I have a SG500X with 2 PBR’s. 
LAN 192.168.5.1-32 use GE 1/1 192.168.1.2 for Internet Access

LAN 192.168.5.33-64 use GE 1/2 10.0.2.2 for Internet Access.

  LAN Subnet 192.168.5.0, regardless of their Internet access communicate via same Subnet.

 

GE 1/1 on SG500X connects to GE 1/2 on an FPR1010 which has a Subnet 192.168.1.0 and has a WAN of x.x.x.182.

So, anything on SG500X 192.168.5.1-32 will route to 192.168.1.2 which will route to x.x.x.182 for Internet. 

Being that Host 192.168.5.55 would actually be on the 2nd PBR (10.0.2.2) for Internet access, it’s still on the 192.168.5.0 that also shares PBR 1 (192.168.1.2). Can I create a NAT on the FPR then a Port Forward on the Switch?

So for example, I want to SSH in to x.x.x.182 Port 66 and create a NAT/ACL to redirect that Port 66 to 192.168.1.2 and then on the FPR, since 192.168.5.55 is on the PBR2, create a Port Forward to that IP?

 

I have created NAT and ACL in every fashion to allow (outside) to SSH to x.x.x.182 which would NAT to 192.168.1.2 (I even tried to NAT to 192.168.5.55 and also added a static route to 192.168.5.0 via 192.168.1.2) but nothing I do allows me to connect.

Am I right to assume it is because the 192.168.5.55 is on PBR2 and not PBR1, 192.168.1.2 which leads back to x.x.x.182, and therefore has no INCOMING path to it?

So I was wondering if on SG500X I would need to make a port forward “incoming port 66 ssh goes to 192.168.5.55”

 

Hopefully what I am attempting makes sense enough to get some guidance. 

 

 


Can you share the PBR config?

I am pretty sure this is what I have, offhand. I also wonder, by looking at this, would this explain why no access is allowed in from the WAN side? And to mention, I have yet to add the new PBR you suggested at this point, but here it is:

 

! Source-based ACLs that feed the route-map (IOS syntax is access-list, hyphenated)
access-list 101 permit ip 192.168.5.0 0.0.0.63 any
! Wildcard 0.0.0.63 masks the base address, so .65 is evaluated as the .64-.127 block
access-list 102 permit ip 192.168.5.65 0.0.0.63 any

! Sequence 10: hosts matching ACL 101 are sent to next-hop 192.168.1.1
route-map tointernet permit 10
 match ip address 101
 set ip next-hop 192.168.1.1
! Sequence 11: hosts matching ACL 102 are sent to next-hop 192.168.2.1
route-map tointernet permit 11
 match ip address 102
 set ip next-hop 192.168.2.1

! Policy is applied to traffic entering the SVI
interface vlan 
 ip policy route-map tointernet

 

Now, I do have the next hops as the end router IPs, not the local Ethernet IPs. I assume it would know that to get to 192.168.1.1 it would use 192.168.1.7 (GE 1/1), for example, for PBR 1. My meaning is, would the next hop be the destination router or the local IP that connects to the destination IP?

The next-hop is not the local IP on your switch; it is the IP of the destination L3 device connected to your switch.

I am sorry, I am unsure of what you mean. Do you mean that next-hop is the destination IP, so 192.168.1.1 for PBR1 and 192.168.2.1 for PBR2 are correct?

 

R1-R2

When we configure the PBR:
set ip next-hop <R2 IP>

In my scenario:

PBR 1 allocates 192.168.5.1-192.168.5.64 to use 192.168.1.1 (via 192.168.1.7 GE 1/1) to access Internet on that router

PBR 2 allocates 192.168.5.65-192.168.5.128 to use 192.168.2.1 (via 192.168.2.7 GE 1/2) to access Internet (different Internet)

 

That is the only configuration on the SG500X, and I am wondering why a device in the 192.168.5.0 (.1-.128) cannot access 192.168.5.1 unless I remove the gateway on the host trying to connect. I am wondering if it is due to the PBR? I won't be removing my PBRs, so if it is impossible, I will deal with it.

Aside from that, now seeing my PBRs and their setup, can you see any obvious reason why Host 192.168.5.43 (on PBR1) would not be able to receive SSH connectivity via the WAN side?

R1 in my lab is your SG500X and the one server represents the FPR.

I already did a small lab and tested a route-map config for two hosts in the same subnet, and it succeeded.

I am not having issues from LAN to LAN, as everything is on the same subnet. My issue is that I cannot get anyone from the WAN side, the Internet, to connect.

It is fine, never mind. I thank you for your assistance.

Two hosts in the same subnet:
the router R1 will forward any traffic from host 10.0.0.2 to the server connected via S3/3 using PBR
the router R1 will forward any traffic from host 10.0.0.3 to the server connected via S3/0 using PBR

I am not talking about connecting hosts in the same subnet.

NOTE: the default GW in both hosts is the same, 10.0.0.1
NOTE: the return traffic must be configured on both servers.

R6 in my lab represents the PC you use to SSH to R2 (10.0.0.2).
R1 is configured with PBR, and we can successfully ping from R2 to Lo 5.5.5.5 in R5 (FW icon).
Up to now everything is OK in the config,
but we access from the PC connected to R5 (FW icon),
so we need port forwarding (static PAT on R5, the inside host on port 23 exposed on the outside interface as port 223):
ip nat inside source static tcp 10.0.0.2 23 interface FastEthernet0/0 223

WHY IS THE PORT DIFFERENT?
Because if you run SSH on R5, then R5 will handle the traffic as if it were sent to it, not to R2 (10.0.0.2).

After that I can easily telnet to R2 (10.0.0.2) from R6, no issue at all.

NOTE: R6 does not need to know the route toward 10.0.0.2, because it uses the R5 interface f0/0 to access it, not 10.0.0.2.
That is the power of NAT.

Hello

 

So I think I am grasping this more, but I have a few questions (more when I post my configs for the FPR and SG500).

 

1.) You mention I need a 'port forward', is this done on the FPR or the SG500X?

2.) Do I need both NAT and ACL on the FPR to "direct" incoming Port 66 to destination Port 23?

I assume I need an ACL to PERMIT the traffic, and then a NAT to "forward" incoming (x.x.x.182) 66 to destination (192.168.5.43) 23.

Is that the port forwarding you speak of? Or in addition to, or just yours and Not NAT?

1.) Do I need both NAT and ACL on the FPR to "direct" incoming Port 66 to destination Port 23? YES
I assume I need an ACL to PERMIT the traffic, and then a NAT to "forward" incoming (x.x.x.182) 66 to destination (192.168.5.43) 23. YES, YES.
You need an ACL to permit the traffic and you need NAT to forward the traffic.

2.) You mention I need a 'port forward', is this done on the FPR or the SG500X? NO NEED on the SG500X.
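A worked model of the two mechanisms this thread turns on, added here as an example; it is not code from the thread, from the posters, or from Cisco. It evaluates the posted wildcard ACLs and route-map the way a router does (first matching sequence wins, wildcard bits are "don't care"), applies a static NAT entry like the one above to an inbound SSH connection on the edge firewall, and then checks whether the inside host's reply would be policy-routed back out through the same edge device, which is what the note that return traffic must be handled on both sides is about. The public address 203.0.113.182 (standing in for x.x.x.182), the second edge router, the NAT entries, and the inside host 192.168.5.100 are assumptions for illustration.

```python
"""
Added example (not from the thread): model PBR next-hop selection from the
posted route-map, a static PAT entry on the edge firewall, and the
return-path symmetry of an inbound SSH connection.
"""
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


# Wildcard ACL entries exactly as posted: number -> (base address, wildcard)
ACLS = {
    101: ("192.168.5.0", "0.0.0.63"),
    102: ("192.168.5.65", "0.0.0.63"),   # unaligned base, see acl_range()
}

# route-map tointernet, sequences 10 and 11: (ACL, next-hop)
ROUTE_MAP = [(101, "192.168.1.1"), (102, "192.168.2.1")]

# Assumed: which edge device sits behind each PBR next-hop
EDGE_BEHIND_NEXT_HOP = {"192.168.1.1": "FPR", "192.168.2.1": "second-ISP-router"}

# Assumed static PAT entries on the FPR, in the spirit of
#   ip nat inside source static tcp <inside-ip> 22 interface <outside> <port>
# 203.0.113.182 (TEST-NET-3) stands in for the thread's x.x.x.182.
PUBLIC_IP = "203.0.113.182"
STATIC_NAT = {
    (PUBLIC_IP, 66): ("192.168.5.43", 22),    # host the thread puts on PBR 1
    (PUBLIC_IP, 67): ("192.168.5.100", 22),   # assumed host in ACL 102's block
}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_range(base: str, wildcard: str):
    """First and last address an ACL entry really matches.

    The router masks the base with the wildcard, so an unaligned base such
    as 192.168.5.65 0.0.0.63 silently becomes the .64-.127 block.
    """
    w = _ip(wildcard)
    lo = _ip(base) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


def pbr_next_hop(src: str):
    """First route-map sequence whose ACL permits the source wins.

    Returns None when nothing matches: the packet then follows the normal
    routing table instead of being policy-routed.
    """
    for acl, next_hop in ROUTE_MAP:
        base, wildcard = ACLS[acl]
        if wildcard_match(src, base, wildcard):
            return next_hop
    return None


def inbound_connection(dst_ip: str, dst_port: int) -> dict:
    """Trace an Internet client's TCP SYN sent to the FPR's public address.

    The FPR rewrites the destination per its static NAT entry and forwards
    the SYN to the inside host through the switch. The host's SYN-ACK is
    then policy-routed by the switch on the host's own source address, so it
    only comes back through the FPR if that host's PBR next-hop is the FPR.
    """
    target = STATIC_NAT.get((dst_ip, dst_port))
    if target is None:
        return {"delivered": False, "reason": "no static NAT entry for that port"}
    inside_ip, inside_port = target
    reply_next_hop = pbr_next_hop(inside_ip)
    reply_edge = EDGE_BEHIND_NEXT_HOP.get(reply_next_hop, "routing-table default")
    return {
        "delivered": True,
        "translated_to": f"{inside_ip}:{inside_port}",
        "reply_next_hop": reply_next_hop,
        "reply_leaves_via": reply_edge,
        # Asymmetric path: the SYN-ACK exits the other ISP, the client sees
        # it from a different public address, and the handshake never completes.
        "handshake_completes": reply_edge == "FPR",
    }


if __name__ == "__main__":
    for acl, (base, wildcard) in ACLS.items():
        print(f"ACL {acl} really matches {acl_range(base, wildcard)}")
    for host in ("192.168.5.43", "192.168.5.55", "192.168.5.100", "192.168.5.200"):
        print(f"{host} -> PBR next-hop {pbr_next_hop(host)}")
    for port in (66, 67, 68):
        print(f"{PUBLIC_IP}:{port} -> {inbound_connection(PUBLIC_IP, port)}")
```

Running it shows three things worth checking on the real gear: ACL 102 as posted covers .64-.127 rather than .65-.128, a host such as 192.168.5.43 is policy-routed to 192.168.1.1 so its replies return through the FPR and the forwarded SSH session can complete, while a host in the ACL 102 block would answer through the other router, which is why a NAT entry for such a host works only if the return traffic is also arranged on that side.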

 
