FPR1010 NAT to an [inner] Network

TheGoob
Level 4

Hello. So I had this same discussion on a different forum and had plenty of help but either I simply did not get it or I did not express it well enough to have no resolution.

I am posting/attaching a picture as well and hope that its description overrules what I am saying here in what I need done.

The FPR has a Block of [6] usable Static IP's. The FPR itself is x.x.x.182 and I have STATIC NAT being used with the other 5.

By default on the FPR, GE 1/2-1-8 are part of vlan1 which is 192.168.1.0 and all use x.x.x.182 as its Internet.

So, I have an SG500X connected to GE 1/2 and it has GE 1/1 192.168.1.2.

On the SG500X I have 192.168.5.0 vlan and all those hosts use 192.168.1.2 via 'route 0.0.0.0 0.0.0.0 192.168.1.2' as their route to the Internet.

On the FPR1010 I have a 'route 192.168.5.0 255.255.255.0 192.168.1.2' so anything on FPR or GE 1/3-7 would be able to route to those hosts.

ALL WORKS FINE. BEAUTIFUL.

But, I am having an issue.

I have a device on 192.168.5.43 that is hosting SSH on Port 66. Now this 192.168.5.43 connects to FPR via 192.168.1.2 using 0.0.0.0 0.0.0.0 192.168.1.2 and it does and sees the Internet with the FPR x.x.x.182 WAN IP, which it should.

I have made every variation of NAT and ACL and this and that and backwards etc and NOTHING allows anything [Internet] to connect to x.x.x.182 and be directed to 192.168.5.43 Port 66 SSH.

I have verified the server is running because ANY device on 192.168.5.0 can connect to 192.168.5.43 Port 66 SSH.

Now going back, I have 5 other STATIC IPs and they have direct NAT, as in, x.x.x.180 NAT TO 192.168.5.55. It is a static NAT. I have Port 65 SSH on there and anything on 192.168.5.0 AND INTERNET can SSH in.

I have duplicated its same ACL and NAT but nothing works.

I am wondering if I need 2 NATs or NO NAT for my 192.168.5.43? The only thing I see different is that x.x.x.180 is STATIC to 192.168.5.55, while 192.168.5.43 is part of 192.168.1.0 (which is also x.x.x.182), which is the FPR WAN.

I am sure I have complicated it but hopefully it still makes some sort of sense.

[Attachment: NATNetwork.jpg]
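
As an added illustration (not part of the original post, and not a Cisco configuration), the following Python model walks an inbound packet through the two steps a firewall performs for this kind of setup: first untranslate the public destination against the static NAT table, then route the resulting real address. The public addresses 203.0.113.x are constructed stand-ins for the post's x.x.x.180 and x.x.x.182, the ISP gateway 203.0.113.1 is made up, and the rule and route tables are assumed from the description above. The point it makes is that 192.168.5.55 is reached by a full 1:1 rule, whereas 192.168.5.43 sits behind the firewall's own outside address and so needs a rule scoped to one protocol/port; after either translation the same route via 192.168.1.2 carries the packet into 192.168.5.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the post's x.x.x.180 / x.x.x.182 public addresses.
PUBLIC_180 = "203.0.113.180"
PUBLIC_182 = "203.0.113.182"   # the firewall's own outside (interface) address


@dataclass(frozen=True)
class StaticNat:
    """One inbound translation. proto/port of None means a full 1:1 static NAT;
    a proto/port pair means a single-port forward on an address that is
    shared (here, the firewall's own outside address)."""
    outside_ip: str
    inside_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: Optional[str]   # None = directly connected


# Mirrors the topology in the post: inside VLAN 192.168.1.0/24 is connected,
# the SG500X at 192.168.1.2 fronts 192.168.5.0/24, everything else goes to the
# ISP gateway (constructed address).
ROUTES: List[Route] = [
    Route("192.168.1.0/24", None),
    Route("192.168.5.0/24", "192.168.1.2"),
    Route("0.0.0.0/0", "203.0.113.1"),
]

NAT_RULES: List[StaticNat] = [
    StaticNat(PUBLIC_180, "192.168.5.55"),               # working 1:1 static NAT
    StaticNat(PUBLIC_182, "192.168.5.43", "tcp", 66),    # port forward on the shared interface IP
]


def lookup_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match on the real (untranslated) destination."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def translate_inbound(rules: List[StaticNat], dst_ip: str, proto: str, dport: int) -> Optional[str]:
    """Return the real inside IP for a public destination, or None if no rule
    applies. Port-scoped rules are tried first so a forward on the shared
    interface address is not shadowed by a broader rule on the same IP."""
    ordered = sorted(rules, key=lambda r: r.port is None)   # port rules (False) sort first
    for r in ordered:
        if r.outside_ip != dst_ip:
            continue
        if r.port is not None and (r.proto, r.port) != (proto, dport):
            continue
        return r.inside_ip
    return None


def forward_inbound(rules: List[StaticNat], routes: List[Route],
                    dst_ip: str, proto: str, dport: int) -> dict:
    """Untranslate, then route: the decision an inbound packet goes through."""
    real_ip = translate_inbound(rules, dst_ip, proto, dport)
    if real_ip is None:
        return {"action": "drop", "reason": "no static NAT matches the public destination"}
    route = lookup_route(routes, real_ip)
    if route is None or route.prefix == "0.0.0.0/0":
        # A real IP that only hits the default route would be sent back out the
        # outside interface; treat that as a missing inside route.
        return {"action": "drop", "reason": f"no inside route for {real_ip}"}
    return {"action": "forward", "real_ip": real_ip, "next_hop": route.next_hop or "connected"}


if __name__ == "__main__":
    for dst, proto, port in [(PUBLIC_182, "tcp", 66), (PUBLIC_182, "tcp", 22), (PUBLIC_180, "tcp", 67)]:
        print(dst, proto, port, "->", forward_inbound(NAT_RULES, ROUTES, dst, proto, port))
```

Running it shows tcp/66 to the interface address forwarded to 192.168.5.43 via 192.168.1.2, tcp/22 to the same address dropped (no rule covers it), and any port to the 1:1 address forwarded to 192.168.5.55 via the same next hop. The reply path is symmetric only because the switch's default route points back at the firewall, which the post confirms; if the 192.168.5.0/24 hosts had any other way out, the untranslation of the return traffic would not happen.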

2 Replies

TheGoob
Level 4

Being that 192.168.5.43 is an extension of 192.168.1.2, which has a WAN IP of x.x.x.182, and that 192.168.5.55, though it routes through 192.168.1.2, is not an extension of the 192.168.1.0 network but is STATIC NAT to a WAN of x.x.x.180, do I need a specific, more advanced NAT that tells incoming [from WAN] to translate incoming Port 66 to 192.168.1.2 THEN to 192.168.5.43?

Like I say, 192.168.5.55 is x.x.x.180 via Static NAT but x.x.x.182 is all of 192.168.1.0 [excluding 192.168.5.55]. I just feel I may need an extra NAT or a more complicated NAT.

When WAN incoming SSH is x.x.x.180 PORT 67, the FTD knows "send it to 192.168.5.55", but incoming SSH 66 to 192.168.5.43 has to be told to route through 192.168.1.2? I am possibly even coming up with more complicated theories in my head and thus may be delving into more confusion. The initial post/question still stands.

I just find it a joke that I have to SSH into a DIFFERENT server just to telnet back into the other server because somehow, using the same exact format as the working rules, I cannot otherwise.

TheGoob
Level 4

Any other opinions?
