Few questions about NAT

Vking02 (Level 1)

Hi all, 

 

I am doing some self-paced studying on EVE-NG but am stuck on a few things.

I was wondering if anyone can help. 

 

ISP router IP: 172.16.5.21

 

My current setup

ISP > Cisco Router > FW > 2 zones > 1 PC in each zone (Inside/DMZ)

 

Cisco Router has 2 IPs

- facing ISP router

interface FastEthernet0/0
ip address 172.16.5.96 255.255.252.0
ip nat outside
ip virtual-reassembly
duplex full

 

- facing FW.

interface FastEthernet3/0
ip address 192.168.99.1 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex full

 

currently doing NAT

ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip any any

 

With 1 Default Gateway

ip route 0.0.0.0 0.0.0.0 172.16.5.21

 

I currently have NAT enabled and I am able to access the internet from the FW:

 

On the FW

ethernet1/1 16 1 OUTSIDE vr:VR 0 192.168.99.2/28

 

I have a static route on the FW

destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.99.1 10 A S ethernet1/1

 

VM> ping source 192.168.99.2 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.99.2 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=17.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=14.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=21.5 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=115 time=19.1 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 14.699/18.311/21.571/2.479 ms

 

 

==============================

 

The problem seems to be when I am trying to access the Outside FW address (192.168.99.2) from the 172.16.0.4 network.

- I am unable to HTTP or HTTPS into the FW, but I can ping the interface.

 

Host that sits on a 172.16.4.0 network:

IPv4 Address. . . . . . . . . . . : 172.16.4.4
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 172.16.5.21

 

Traceroute

C:\Users\Kingg>tracert 192.168.99.2

Tracing route to 192.168.99.2 over a maximum of 30 hops

1 1 ms 1 ms 1 ms [172.16.5.21]
2 14 ms 10 ms 9 ms 172.16.5.96
3 25 ms 19 ms 20 ms 172.16.5.96

 

- Not sure why there are 2 hops with the same IP.

 

>ping 192.168.99.2

Pinging 192.168.99.2 with 32 bytes of data:
Reply from 172.16.5.96: bytes=32 time=24ms TTL=63
Reply from 172.16.5.96: bytes=32 time=21ms TTL=63
Reply from 172.16.5.96: bytes=32 time=14ms TTL=63
Reply from 172.16.5.96: bytes=32 time=14ms TTL=63

Ping statistics for 192.168.99.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 24ms, Average = 18ms

 

- I am not sure why I am getting a response from 172.16.5.96

 

====================

 

With NAT disabled:

- I am able to HTTP and HTTPS into the outside FW address (192.168.99.2)

- The only problem with this - I am unable to access the Internet from the FW with NAT disabled.

 

I needed a solution where I am able to access the Outside interface on the FW (192.168.99.2) from the 172.16.4.0 network.

 

Dilemma

- With NAT enabled I am able to access the internet but unable to access the FW from 172.16.4.0 network.

- With NAT disabled I cannot access the Internet but I am able to access 192.168.99.2.

 

If you would like further outputs then please let me know. 

 

Thank you all for your help in advance.

 

11 Replies

Hello


@Vking02 wrote:
I needed a solution where I am able to access the Outside interface on the FW (192.168.99.2) from the 172.16.4.0 network.

 


First of all you need to change the access-list so NAT is only performed on the inside subnet of the NAT domain and not on any NAT outside domain interfaces


no access-list 100 permit ip any any
access-list 100 permit ip 192.168.99.0 0.0.0.15 any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you Paul. 

 

Any idea why I cannot access the FW page from the 172.16.4.0 network?

 

 

First can you verify that there is a typo in your original post:

The problem seems to be when I am trying to access the Outside FW address (192.168.99.2) from the 172.16.0.4 network.

Is it really the 172.16.4.0 network?

 

I am not sure that this is the issue, but I have seen some very odd symptoms when NAT is configured using an extended access list which has permit any for the destination (as seems to be the case with your acl 100). I would suggest that you re-write the acl making it a standard access list and modify your nat statement to use the standard acl.

HTH

Rick

Hi Richard,

 

Many thanks for your reply and yes, there is a typo;

it should be 172.16.4.0/22.

 

I have tried your solution:

 

ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.15

 

.............

Positive:

I am able to access http/https from 172.16.4.0/22 network

 

Negative

Lost all internet connectivity.

I am unable to ping out to 8.8.8.8 sourcing it from the port (192.168.99.1) facing the FW.

 

Router#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/24 ms

 

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.99.1
.....
Success rate is 0 percent (0/5)

 

any idea?

First thing is that when you changed the acl from extended to standard you also changed the network address. The suggestion for acl 100 was

access-list 100 permit ip 192.168.99.0 0.0.0.15 any

when you changed it this way

access-list 1 permit 192.168.0.0 0.0.0.15

you changed the network it is evaluating. If you try this I believe it will fix the problem of your not having Internet access

access-list 1 permit 192.168.99.0 0.0.0.15

 

But I now realize that it will not solve your original problem about accessing the firewall from the 172.16.4.0 network. In reading the original post I am now focusing on the attempt to ping the firewall address from the pc connected outside:

>ping 192.168.99.2

Pinging 192.168.99.2 with 32 bytes of data:
Reply from 172.16.5.96: bytes=32 time=24ms TTL=63

The ping was successful and you asked a very key question

I am not sure why I am getting a response from 172.16.5.96

 

I believe that this is what is going on

- your pc attempts to access the firewall (either ping or http)

- packet gets to the firewall

- firewall generates a response (note that the source address of the response is 192.168.99.2)

- response gets to the router outside interface

- nat sees a packet with source address in the 192.168.99.0 network and translates the source address

- response packet gets to pc with source address of 172.16.5.96

 

Ping does not really care about the source address not being what was expected and ping is successful. HTTP does care about the source address, it has received a response that does not match what it sent and HTTP does not succeed.

 

I believe that the solution is to go back to an extended access list and in that acl you will deny any source in 192.168.99.0 and destination in 172.16.4.0 and next line will permit source 192.168.99.0 to any destination like this

access-list 100 deny ip 192.168.99.0 0.0.0.15 172.16.4.0 0.0.3.255

access-list 100 permit ip 192.168.99.0 0.0.0.15 any

 

HTH

Rick
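The translation Rick describes above, as an added example that is not part of the thread: a small Python model of the IOS inside-source NAT decision (first-match access list with wildcard masks, implicit deny at the end), run against the three access lists quoted in this thread. The model and its function names are mine; it reproduces only the ACL match, not anything else the router does.

```python
import ipaddress

# Added illustration (not from the thread): does "ip nat inside source list <acl>"
# translate a given inside->outside packet? Only the ACL match is modelled:
# first matching entry wins, implicit deny (= no translation) at the end.
ANY = ("0.0.0.0", "255.255.255.255")


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)


def parse_ace(line):
    """Parse one access-list entry into (action, (src, wc), (dst, wc)).
    Extended: 'access-list 100 permit ip SRC SWC DST DWC'.
    Standard: 'access-list 1 permit SRC SWC' (matches the source only)."""
    toks = line.split()
    action = toks[2]
    extended = toks[3] == "ip"
    rest = toks[4:] if extended else toks[3:]

    def take_addr():
        if rest[0] == "any":
            del rest[0]
            return ANY
        return (rest.pop(0), rest.pop(0))

    src = take_addr()
    dst = take_addr() if extended else ANY
    return (action, src, dst)


def acl_permits(acl, src, dst):
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False  # implicit deny: the packet is not translated


def nat_source(acl, src, dst, outside_ip):
    """Source address the destination host sees after the router's NAT step."""
    return outside_ip if acl_permits(acl, src, dst) else src


# The three access lists that appear in the thread.
ORIGINAL_ACL = [parse_ace("access-list 100 permit ip any any")]
TYPO_ACL = [parse_ace("access-list 1 permit 192.168.0.0 0.0.0.15")]
FIXED_ACL = [parse_ace(l) for l in (
    "access-list 100 deny ip 192.168.99.0 0.0.0.15 172.16.4.0 0.0.3.255",
    "access-list 100 permit ip 192.168.99.0 0.0.0.15 any")]
```

With ORIGINAL_ACL the firewall's reply to 172.16.4.4 is rewritten to 172.16.5.96 (what the PC's ping showed); with FIXED_ACL that reply keeps its 192.168.99.2 source while traffic to 8.8.8.8 is still translated, and TYPO_ACL never matches the 192.168.99.0/28 subnet, so nothing is translated and Internet access is lost.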

Hello
I have only just realized that you are trying to initiate a connection from the outside NAT domain, which won't work by default using dynamic port address translation (PAT)

You would need a static pat statement for such connection, Try the following:
ip nat inside source static tcp 192.168.99.2 80 interface fa0/0 80
ip nat inside source static tcp 192.168.99.2 443 interface fa0/0 443

From the outside domain the connection would be
http://172.16.5.96 

https://172.16.5.96 



Kind Regards
Paul

Vking02 (Level 1)

Hi Both,

 

I tried both of the suggestions and they are working, however with only one issue. It seems that when I initiate a connection from the outside network (172.16.4.0), it takes a very long time to load the page (tried both solutions).

 

When I do manage to log into the Web GUI, I get a session timed out page. 

One other odd thing I noticed was that the network behind the firewall loses Internet connectivity when I initiate the connection to the

FW outside interface - 192.168.99.2 & 172.16.5.96

screenshot attached from the Host sitting behind the FW

 

I read up that the FW would have this issue when the root space is nearly full or full, but I have only 47% used, so plenty of space. Just to add, I am able to log into the FW from the inside interface without an issue.

 

any suggestions? 

Hello


@Vking02 wrote:

One other odd thing I noticed was that the network behind the firewall loses Internet connectivity when I initiate the connection to the

FW outside interface - 192.168.99.2 & 172.16.5.96

 


The whole purpose of NAT is to hide the translated network, so you should NOT have reachability from outside hosts to the FW's internal addressing. The only address you should be using to reach the FW is its NATted public address, so if you are advertising the internal network then remove that advertisement and test again.

 

 



Kind Regards
Paul

Thanks Paul, I am not advertising the internal network.

 

Your follow up question describes issues accessing the gui and the inside network losing Internet access. I am not clear how the screen shot relates to either of those. It shows a ping to an Internet resource where most of the ping requests get responses and some ping requests do not get responses. 

 

When you attempt access to GUI and it does not work can you check the logs of both the router and the firewall and see if there are any messages that might relate to your attempt?

HTH

Rick

I have carried out some packet capture on the firewall and can see a lot of TCP retransmission / TCP Duplicate ACK and TCP previous segment not captured.

 

I am not sure if this is the cause of the slowness when trying to log into the GUI?

Also, after I attempted to log in I can see loads of TLSv1.2 with "Ignored known record"

 

 
