03-03-2021 06:13 AM
Hi all,
I am doing some self-paced studying on EVE-NG but I am stuck on a few things.
I was wondering if anyone can help.
ISP router IP: 172.16.5.21
My current setup
ISP > Cisco Router > FW > 2 zones > 1 PC in each zone (Inside/DMZ)
Cisco Router has 2 IPs
- facing ISP router
interface FastEthernet0/0
ip address 172.16.5.96 255.255.252.0
ip nat outside
ip virtual-reassembly
duplex full
- facing FW.
interface FastEthernet3/0
ip address 192.168.99.1 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex full
Currently doing NAT:
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip any any
With 1 Default Gateway
ip route 0.0.0.0 0.0.0.0 172.16.5.21
I currently have NAT enabled and I am able to access the internet from the FW:
On the FW
ethernet1/1 16 1 OUTSIDE vr:VR 0 192.168.99.2/28
I have a static route on the FW
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.99.1 10 A S ethernet1/1
VM> ping source 192.168.99.2 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.99.2 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=17.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=14.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=21.5 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=115 time=19.1 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 14.699/18.311/21.571/2.479 ms
==============================
The problem seems to be when I am trying to access the Outside FW address (192.168.99.2) from the 172.16.0.4 network.
- I am unable to HTTP or HTTPS into the FW, I can ping the interface.
Host that sits on a 172.16.4.0 network:
IPv4 Address. . . . . . . . . . . : 172.16.4.4
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 172.16.5.21
Traceroute
C:\Users\Kingg>tracert 192.168.99.2
Tracing route to 192.168.99.2 over a maximum of 30 hops
1 1 ms 1 ms 1 ms [172.16.5.21]
2 14 ms 10 ms 9 ms 172.16.5.96
3 25 ms 19 ms 20 ms 172.16.5.96
- Not sure why there are 2 hops with the same IP.
>ping 192.168.99.2
Pinging 192.168.99.2 with 32 bytes of data:
Reply from 172.16.5.96: bytes=32 time=24ms TTL=63
Reply from 172.16.5.96: bytes=32 time=21ms TTL=63
Reply from 172.16.5.96: bytes=32 time=14ms TTL=63
Reply from 172.16.5.96: bytes=32 time=14ms TTL=63
Ping statistics for 192.168.99.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 24ms, Average = 18ms
- I am not sure why I am getting a response from 172.16.5.96
====================
With NAT disabled:
- I am able to HTTP and HTTPS into the outside FW address (192.168.99.2)
- The only problem with this - I am unable to access the Internet from the FW with NAT disabled.
I needed a solution where I am able to access the Outside interface on the FW (192.168.99.2) from the 172.16.4.0 network.
Dilemma
- With NAT enabled I am able to access the internet but unable to access the FW from 172.16.4.0 network.
- With NAT disabled I cannot access the Internet but I am able to reach 192.168.99.2.
If you would like further outputs then please let me know.
Thank you all for your help in advance.
03-03-2021 07:39 AM - edited 03-03-2021 07:40 AM
Hello
@Vking02 wrote:
I needed a solution where I am able to access the Outside interface on the FW (192.168.99.2) from the 172.16.4.0 network.
First of all you need to change the access-list so NAT is only performed on the inside subnet of the NAT domain and not on any NAT outside domain interfaces
no access-list 100 permit ip any any
access-list 100 permit ip 192.168.99.0 0.0.0.15 any
03-03-2021 08:03 AM
Thank you Paul.
Any idea why I cannot access the FW page from the 172.16.4.0 network?
03-03-2021 09:40 AM
First can you verify that there is a typo in your original post:
The problem seems to be when I am trying to access the Outside FW address (192.168.99.2) from the 172.16.0.4 network.
Is it really the 172.16.4.0 network?
I am not sure that this is the issue, but I have seen some very odd symptoms when NAT is configured using an extended access list which has permit any for the destination (as seems to be the case with your acl 100). I would suggest that you re-write the acl making it a standard access list and modify your nat statement to use the standard acl.
03-03-2021 10:38 AM
Hi Richard,
Many thanks for your reply and yes, there is a typo;
it should be 172.16.4.0/22.
I have tried your solution:
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.15
.............
Positive:
I am able to access http/https from 172.16.4.0/22 network
Negative
Lost all internet connectivity.
I am unable to ping out to 8.8.8.8 sourcing it from the port (192.168.99.1) facing the FW.
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/24 ms
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.99.1
.....
Success rate is 0 percent (0/5)
any idea?
03-03-2021 11:31 AM
First thing is that when you changed the acl from extended to standard you also changed the network address. The suggestion for acl 100 was
access-list 100 permit ip 192.168.99.0 0.0.0.15 any
when you changed it this way
access-list 1 permit 192.168.0.0 0.0.0.15
you changed the network it is evaluating. If you try this I believe it will fix the problem of your not having Internet access
access-list 1 permit 192.168.99.0 0.0.0.15
But I now realize that it will not solve your original problem about accessing the firewall from the 172.16.4.0 network. In reading the original post I am now focusing on the attempt to ping the firewall address from the pc connected outside:
>ping 192.168.99.2
Pinging 192.168.99.2 with 32 bytes of data:
Reply from 172.16.5.96: bytes=32 time=24ms TTL=63
The ping was successful and you asked a very key question
I am not sure why i am getting a response from 172.16.5.96
I believe that this is what is going on
- your pc attempts to access the firewall (either ping or http)
- packet gets to the firewall
- firewall generates a response (note that the source address of the response is 192.168.99.2)
- response gets to the router outside interface
- nat sees a packet with source address in the 192.168.99.0 network and translates the source address
- response packet gets to pc with source address of 172.16.5.96
Ping does not really care about the source address not being what was expected and ping is successful. HTTP does care about the source address, it has received a response that does not match what it sent and HTTP does not succeed.
I believe that the solution is to go back to an extended access list and in that acl you will deny any source in 192.168.99.0 and destination in 172.16.4.0 and next line will permit source 192.168.99.0 to any destination like this
access-list 100 deny ip 192.168.99.0 0.0.0.15 172.16.4.0 0.0.3.255
access-list 100 permit ip 192.168.99.0 0.0.0.15 any
03-03-2021 10:48 AM - edited 03-03-2021 10:51 AM
Hello
I have only just realized that you are trying to initiate a connection from the outside NAT domain, which won't work by default using dynamic port address translation (PAT).
You would need a static PAT statement for such a connection. Try the following:
ip nat inside source static tcp 192.168.99.2 80 interface fa0/0 80
ip nat inside source static tcp 192.168.99.2 443 interface fa0/0 443
From the outside domain the connection would be
http://172.16.5.96
https://172.16.5.96
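As an added example (not code from the thread, and not Cisco's NAT implementation), here is a small Python model of the two decisions the replies above describe: the inside-to-outside check that "ip nat inside source list ... interface FastEthernet0/0 overload" makes against an IOS wildcard-mask access list (Richard's walkthrough of why the PC sees replies from 172.16.5.96), and the outside-to-inside lookup of Paul's two static PAT entries. The addresses and access-list entries are the ones posted in the thread; the helper names (`wildcard_match`, `acl_permits`, `nat_inside_source`, `inbound_static_pat`, `run_scenarios`) are my own, and router-originated pings are treated the same way as any other inside-sourced packet, which is the assumption Richard's reasoning makes.

```python
# Added example (not code from the thread): a model of the IOS
# "ip nat inside source list ..." decision and of the static PAT entries
# suggested above. Addresses and ACL entries are the ones posted in the
# thread; helper names are the example's own.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTER_OUTSIDE_IP = "172.16.5.96"   # FastEthernet0/0, used by the "interface ... overload" form


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A standard ACL only tests the source address,
    so it is modelled here with a destination of 'any'."""
    action: str
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


def nat_inside_source(acl: list, src: str, dst: str) -> str:
    """Inside-to-outside packet: if the list permits it, the source is rewritten
    to the outside interface address; otherwise it is routed untranslated."""
    return ROUTER_OUTSIDE_IP if acl_permits(acl, src, dst) else src


# The access lists that appear in the thread
ACL_100_ANY_ANY = [Ace("permit", "0.0.0.0", "255.255.255.255")]
ACL_1_AS_TYPED = [Ace("permit", "192.168.0.0", "0.0.0.15")]      # the mistyped standard list
ACL_1_CORRECTED = [Ace("permit", "192.168.99.0", "0.0.0.15")]
ACL_100_DENY_THEN_PERMIT = [
    Ace("deny", "192.168.99.0", "0.0.0.15", "172.16.4.0", "0.0.3.255"),
    Ace("permit", "192.168.99.0", "0.0.0.15"),
]

# The two static PAT lines, keyed by (outside address, outside port)
STATIC_PAT = {
    (ROUTER_OUTSIDE_IP, 80): ("192.168.99.2", 80),
    (ROUTER_OUTSIDE_IP, 443): ("192.168.99.2", 443),
}


def inbound_static_pat(dst_ip: str, dst_port: int) -> Optional[tuple]:
    """Outside-to-inside TCP packet: a static entry rewrites the destination;
    with no entry the packet is routed as-is (None)."""
    return STATIC_PAT.get((dst_ip, dst_port))


def run_scenarios() -> dict:
    """Replay the situations discussed in the thread."""
    return {
        # FW reply to the PC under 'permit ip any any': the source is rewritten,
        # which is why the PC saw 'Reply from 172.16.5.96'
        "fw_reply_any_any": nat_inside_source(ACL_100_ANY_ANY, "192.168.99.2", "172.16.4.4"),
        # the same reply once the deny line is in place: left untranslated
        "fw_reply_fixed": nat_inside_source(ACL_100_DENY_THEN_PERMIT, "192.168.99.2", "172.16.4.4"),
        # Internet-bound traffic is still translated by the corrected list
        "fw_internet_fixed": nat_inside_source(ACL_100_DENY_THEN_PERMIT, "192.168.99.2", "8.8.8.8"),
        # ping sourced from 192.168.99.1 under the mistyped list: no match, no
        # translation, hence the '.....' result
        "ping_typo_acl": nat_inside_source(ACL_1_AS_TYPED, "192.168.99.1", "8.8.8.8"),
        "ping_corrected_acl": nat_inside_source(ACL_1_CORRECTED, "192.168.99.1", "8.8.8.8"),
        # inbound HTTPS to the router's outside address hits the static PAT entry
        "https_inbound": inbound_static_pat(ROUTER_OUTSIDE_IP, 443),
        "ssh_inbound": inbound_static_pat(ROUTER_OUTSIDE_IP, 22),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running it shows the two fixes side by side: with the deny line the firewall's reply to 172.16.4.4 keeps its real source, so HTTP sees the address it connected to, while 8.8.8.8-bound traffic is still translated; with the static entries, an outside host reaches the GUI through 172.16.5.96:443 without ever needing the reply to carry the 192.168.99.2 address.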
03-04-2021 04:44 AM
Hi Both,
I tried both of the suggestions and they are working, however with only one issue. It seems that when I initiate a connection from the outside network - 172.16.4.0, it takes a very long time to load the page (tried both solutions).
When I do manage to log into the Web GUI, I get a session timed out page.
One other odd thing I noticed was that the network behind the firewall loses Internet connectivity when I initiate the connection to the
FW outside interface - 192.168.99.2 & 172.16.5.96
screenshot attached from the Host sitting behind the FW
I read up that the FW would have this issue when the root space is nearly or completely full, but I have only 47% used, so plenty of space. Just to add, I am able to log into the FW from the inside interface without an issue.
any suggestions?
03-04-2021 05:48 AM
Hello
@Vking02 wrote:
One other odd thing I noticed was that the network behind the firewall loses Internet connectivity when I initiate the connection to the
FW outside interface - 192.168.99.2 & 172.16.5.96
The whole purpose of NAT is to hide the translated network, so you should NOT have reachability from outside hosts to the FW's internal addressing; the only address you should be using to reach the FW is via its NATed public address, so if you are advertising the internal network then remove that advertisement and test again.
03-05-2021 05:32 AM
Thanks Paul, I am not advertising the internal network.
03-04-2021 06:40 AM
Your follow up question describes issues accessing the gui and the inside network losing Internet access. I am not clear how the screen shot relates to either of those. It shows a ping to an Internet resource where most of the ping requests get responses and some ping requests do not get responses.
When you attempt access to GUI and it does not work can you check the logs of both the router and the firewall and see if there are any messages that might relate to your attempt?
03-05-2021 05:31 AM
I have carried out some packet captures on the firewall and can see a lot of TCP retransmissions / TCP Duplicate ACKs and TCP previous segment not captured.
I am not sure if this is the cause of the slowness when trying to log into the GUI?
Also, after I attempted to log in I can see loads of TLSv1.2 with "Ignored known record".