01-15-2018 09:08 AM - edited 03-05-2019 09:46 AM
Hi All
I have a router running a zone-based firewall; it is also using PAT on the outside interface.
The firewall has been configured from OUTSIDE to SELF and permits my management IPs; this seems to work OK.
However, when I attach the NAT to the outside interface I can no longer SSH to the router.
Ping, however, still works OK.
Any ideas what this could be?
cheers
01-15-2018 11:36 AM
Hi Carl,
I run a similar configuration; if you attach your running-config I can have a look for you.
01-16-2018 04:48 AM
Hi
I found that the router was NATting the return traffic for some reason. I put a no-NAT statement in by using a deny from the router's public IP to any; this has stopped the NAT.
Is this what you did ?
01-16-2018 12:15 PM
No, I didn't, not on my config. Without seeing your config I couldn't be sure we had the same initial setup.
01-16-2018 12:40 PM
01-16-2018 01:02 PM - edited 01-16-2018 01:03 PM
Hello
I guess that works for the ZBFW router itself, as you're able to SSH on to its public-facing interface, but if you need remote access to internal hosts from the internet with NAT then you'll probably need a static NAT and a zone-pair from internet to LAN for SSH.
res
Paul
01-17-2018 09:28 AM
Hi
Basically, on this router we have a BGP session to the ISP.
If I remove the no-NAT entry from the NAT ACL, it breaks the BGP session.
What could this be?
The BGP session is to and from the router; I am not sure why doing a NAT overload on the same interface is bringing this down.
Do you have any idea why this is?
How have you done it?
cheers
01-17-2018 10:01 AM
01-17-2018 11:05 AM
Hi
No, the BGP peering is between the outside interface IP and the ISP. We are doing a PAT from internal networks to the same outside IP for internet access.
Any ideas?
01-17-2018 11:26 AM
01-17-2018 12:10 PM
Hi Paul
I have just done a test using GNS3 and it seemed to work OK.
So what's wrong with my router?
One thing: I am using ZBFW, but I allowed tcp/udp/icmp both ways.
Could it be this?
I will need to do more testing tomorrow.
01-17-2018 12:45 PM - edited 01-18-2018 04:44 AM
Hello
Interesting that you are allowing tcp/udp both ways; I would say this defeats having ZBFW active and is probably why it seems to work. Are you also doing this on your production router?
Can you confirm how many zones you have in the ZBFW setup? The example below uses two.
Note: without any self-zone policies, BGP and NAT should work with just the LAN-Internet policy.
LAN-Internet
zone security LAN
zone security Internet
class-map type inspect match-any LAN_cm
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect LAN
 class type inspect LAN_cm
  inspect
zone-pair security Lan-Internet source LAN destination Internet
 service-policy type inspect LAN
Default NAT
ip nat inside source list 110 interface xx overload
access-list 110 permit ip x.x.x.x 0.0.0.255 any
To-From RTR self zone (rtr host is 10.1.17.1)
class-map type inspect match-any RTR-Self_cm
 match protocol tcp
 match protocol icmp
 match protocol udp
class-map type inspect match-all From-Self_cm
 match class-map RTR-Self_cm
policy-map type inspect From-Self_pm
 class type inspect From-Self_cm
  inspect
access-list 100 permit icmp 10.1.17.0 0.0.0.255 any
access-list 100 permit icmp any host 10.1.17.1 echo <---icmp
access-list 100 deny icmp any any
access-list 100 permit tcp any host 10.1.17.1 eq 22 <---allowing ssh
access-list 100 permit tcp any host 10.1.17.1 eq telnet <---allowing telnet
class-map type inspect match-all Towards-Self_cm
 match class-map RTR-Self_cm
 match access-group 100
policy-map type inspect Towards-Self_pm
 class type inspect Towards-Self_cm
  inspect
zone-pair security LAN-Self source LAN destination self
 service-policy type inspect Towards-Self_pm
zone-pair security Internet-Self source Internet destination self
 service-policy type inspect Towards-Self_pm
zone-pair security Self-LAN source self destination LAN
 service-policy type inspect From-Self_pm
zone-pair security Self-Internet source self destination Internet
 service-policy type inspect From-Self_pm
int x/x
 description LAN
 zone-member security LAN
 ip nat inside
int x/x
 description WAN
 zone-member security Internet
 ip nat outside
Lastly, can you post a readout of your current ZBFW / NAT configuration?
res
Paul
01-17-2018 02:03 PM
Hi Paul
I will get the config tomorrow as I'm away from the office now.
I noticed you didn't put a self-to-outside zone-pair in; would we not need this for the BGP, or would the outside-to-self one cover that?
I will try the NVI NAT also to see if that fixes it.
I cannot see a reason why it's not working at the minute without the no-NAT from the router, as it worked in GNS3; this is with the firewall disabled also.
If not, I will try an IOS upgrade on the router also.
01-17-2018 02:22 PM
Hello Carl
You're absolutely correct; apologies, I did the initial config from my iPhone so I missed it out.
I have edited it now for your review.
res
Paul
01-19-2018 02:24 AM
Hi Paul
FYI, I upgraded the code to the latest Denali image; it still did not fix the issue.
The firewall was working fine; it was the PAT causing the issue.
Each time the router initiated a TCP session to the ISP on port 179 for BGP, you could see a translation appearing in the table. I have had to leave the no-NAT rule in.
Also, it would not let me use the nat enable command; it looks like it may have been deprecated.
Many thanks
Carl
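The workaround Carl settled on (a deny for the router's own public address at the top of the NAT ACL, so that BGP to the ISP and SSH replies to the management hosts are never offered to the PAT) written out as a complete IOS fragment. This is an added example and not configuration from anyone in the thread; the interface names, the documentation addresses (203.0.113.10 as the WAN/PAT address, 203.0.113.9 as the ISP peer, 192.168.1.0/24 as the inside LAN) and the AS numbers are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed values:
!   WAN  GigabitEthernet0/0  203.0.113.10/30  (PAT address, BGP source)
!   ISP  eBGP neighbour       203.0.113.9     remote AS 64496, local AS 64500
!   LAN  GigabitEthernet0/1  192.168.1.0/24  (inside hosts to be PATed)
!
! --- The form that bit Carl: every source is a PAT candidate, so router-
! --- originated sessions (tcp/179 to the ISP, SSH replies) can be translated.
!   access-list 110 permit ip any any
!   ip nat inside source list 110 interface GigabitEthernet0/0 overload
!
! --- Corrected NAT ACL: deny entries first, then only the inside LAN.
ip access-list extended NAT_INSIDE
 remark -- never translate anything the router sources from its own WAN address
 deny   ip host 203.0.113.10 any
 remark -- explicitly spare the BGP peering in both directions
 deny   tcp host 203.0.113.10 host 203.0.113.9 eq bgp
 deny   tcp host 203.0.113.9 eq bgp host 203.0.113.10
 remark -- only the inside LAN is PATed behind the WAN address
 permit ip 192.168.1.0 0.0.0.255 any
!
! Route-map wrapper: lets you add "match interface" later without touching
! the ACL, and keeps the NAT statement readable.
route-map NAT_RM permit 10
 match ip address NAT_INSIDE
!
ip nat inside source route-map NAT_RM interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security LAN
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 zone-member security Internet
!
router bgp 64500
 neighbor 203.0.113.9 remote-as 64496
 neighbor 203.0.113.9 update-source GigabitEthernet0/0
```

After applying this, the check that reproduces Carl's observation is `show ip nat translations | include :179` while the BGP session is (re)establishing: with the deny entries in place no entry should appear for 203.0.113.10:179, and `show ip access-lists NAT_INSIDE` should show the deny counters incrementing instead. `show ip bgp summary` confirms the peer stays Established, and `show policy-map type inspect zone-pair sessions` shows the ZBFW self-zone sessions (SSH from the management hosts, BGP to the peer) so you can tell a firewall drop apart from a NAT problem.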