12-18-2020 12:47 AM
Hello everyone.
I have a situation like this:
I have a pool of public addresses. x.x.98.126/30
the whole pool is used for different services and servers.
x.x.98.126 - I used for regular users.
the problem is that port forwarding configured for the given IP address (x.x.98.126) is not working.
e.g. x.x.98.133 - everything works, all forwards.
I also have VPN-anyconnect on x.x.98.126 - it also does not work.
but if I visit myip.com here it shows me that I have x.x.98.126.
strange what's going on.
who can help fix and suggest what happened?
12-20-2020 11:58 PM
Hello,
basically, what you need to do is create the 'pat-pool' object that your NAT statements are referring to:
nat (INSIDELINK,outside) source dynamic X.X.0.0 pat-pool interface
nat (INSIDELINK,outside) source dynamic inside_network pat-pool interface
nat (INSIDELINK,outside) source dynamic X.X.100.0 pat-pool interface
nat (INSIDELINK,outside) source dynamic X.X.101.0 pat-pool interface
nat (INSIDELINK,outside) source dynamic X.X.102.0 pat-pool interface
This object is not in your configuration, add it:
object network pat-pool
range x.x.98.127 x.x.98.132
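The root cause in this thread is a NAT rule that names a network object which was never defined. As an added example (not code from the thread or from Cisco), here is a small lint that reads an ASA 'show run' and reports object names referenced by twice-NAT 'source' statements but never created; the sample config below is constructed with placeholder names and addresses, not the poster's real configuration.

```python
import re

# Constructed excerpt of an ASA 'show run', modelled on the thread above.
# Names and addresses are placeholders, not the poster's real configuration.
SAMPLE_RUN = """\
object network inside_network
 subnet 10.0.0.0 255.255.0.0
object network X.X.100.0
 subnet 10.100.0.0 255.255.255.0
object network DMZ-WEB
 host 10.50.0.10
nat (INSIDELINK,outside) source dynamic inside_network pat-pool interface
nat (INSIDELINK,outside) source dynamic X.X.100.0 pat-pool interface
nat (DMZ,outside) source static DMZ-WEB DMZ-WEB-PUBLIC
"""

# 'object network NAME' / 'object-group network NAME' (and service objects) define a name.
OBJECT_RE = re.compile(r"^object(?:-group)? (?:network|service) (\S+)", re.M)
# Twice-NAT: nat (real_ifc,mapped_ifc) source {dynamic|static} REAL_OBJ MAPPED_OBJ [interface]
NAT_RE = re.compile(r"^nat \([^)]*\) source (?:dynamic|static) (\S+) (\S+)", re.M)
# ASA keywords that may appear in an object position but are not object names.
KEYWORDS = {"any", "interface"}


def defined_objects(run_cfg):
    """Names of all network/service objects and object-groups in the config."""
    return set(OBJECT_RE.findall(run_cfg))


def nat_object_refs(run_cfg):
    """Object names that twice-NAT 'source' statements refer to."""
    refs = set()
    for real, mapped in NAT_RE.findall(run_cfg):
        refs.update(name for name in (real, mapped) if name not in KEYWORDS)
    return refs


def dangling_nat_objects(run_cfg):
    """Sorted list of NAT-referenced object names that are never defined.

    Any name returned here means the NAT rule can never match, which is
    exactly the symptom in the thread: nothing using that mapped address works.
    """
    return sorted(nat_object_refs(run_cfg) - defined_objects(run_cfg))


if __name__ == "__main__":
    for name in dangling_nat_objects(SAMPLE_RUN):
        print(f"NAT references undefined object: {name}")
```

On the sample config the lint flags 'pat-pool' (the object missing in the thread) and the static mapped object 'DMZ-WEB-PUBLIC'; adding an 'object network pat-pool' definition clears the first finding.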
12-18-2020 12:55 AM
Hello,
--> I have a pool of public addresses. x.x.98.126/30
If that is your address pool, only addresses x.x.98.127 and x.x.98.128 would be available. Can you clarify?
12-18-2020 12:55 AM
If you are using this IP (x.x.98.126) for NAT going outside the network for your LAN, then we may need to understand the configuration before we suggest something here, so please do post the full configuration to understand.
The other IP addresses are working because there is no issue with that IP since it is not used.
12-18-2020 01:16 AM
Hi balaji.bandi
I have put some screenshots. if this is not enough, you can tell what kind of information to provide you. I'll post it all.
12-18-2020 01:28 AM
Hello,
since you are using FMC, I assume you are trying to configure either an ASA or a Firepower device? Either of those has a CLI and the 'sh run' command, post the output of that...
12-18-2020 01:53 AM - edited 12-18-2020 02:24 AM
12-18-2020 03:52 AM
Hello,
I cannot find the network object 'pat-pool' anywhere in your configuration? You are referring to that object in several NAT statements, make sure it is actually defined.
12-18-2020 05:06 AM
Thank you for your prompt reply.
Forgive me, I'm not a high-level specialist. You probably already guessed it.
Do I need to do this?
12-18-2020 05:17 AM
Hello
@Bahodir Mirzakamalov wrote: Forgive me, I'm not a high-level specialist. You probably already guessed it.
Do I need to do this?
I would be careful then as this looks like it is a production FW and as such if you don't know what you are doing then you could cause an outage - Document any changes you make so you can at least back out if need be; if something you apply doesn't work then don't leave it and try to add another avenue, remove that last change and then proceed.
Make sure you have a change window for any changes so at least you're covered if the worst happens.
12-18-2020 05:21 AM - edited 12-18-2020 05:22 AM
Hello,
all of the (dynamic, since there are no static) NAT translations that go out the 'outside' interface, as well as the VPN, are referring to a non-existing network object named 'pat-pool'. That means nothing that uses your x.x.98.126 address will work. You need to create the network object and put whatever you need in there.
12-20-2020 08:42 PM
ERROR
12-18-2020 05:02 AM
Hello
@Bahodir Mirzakamalov wrote:
Hello everyone.
I have a situation like this:
I have a pool of public addresses. x.x.98.126/30
the whole pool is used for different services and servers.
x.x.98.126 -I used for regular users.
the problem is that port forwarding is configured for the given IP (x.x.98.126) address not working.
eg x.x.98.133- everything works all forwards.
I also have VPN-anyconnect on x.x.98.126 - it also does not work.
but if I visit myip.com here it shows me that I have x.x.98.126.
Doesn't make sense, those two highlighted addresses are in different subnetworks?
What single IP address are you using? I assume it's x.x.98.126/30 for all egress traffic, even specific port address translation?
12-20-2020 08:27 PM
Thanks to all. it was a weekend and there was no access to equipment. today I will continue to understand, taking into account all the recommendations above.
I just do not understand what exactly I need to do. Can anyone advise what exactly I should try to do?