09-07-2010 11:18 AM - edited 03-04-2019 09:41 AM
Perhaps someone could help me with a policy nat issue
Routing to default gateway when the traffic came from a different firewall
My configuration is
ISP1 --> FW1 --> RTR1 --> L3 SWITCH <--> SERVER1
                              |
ISP2 --> FW2 -----------------+
IP Addresses ( examples )
ISP1 - 212.10.10.0/27
ISP2 - 208.10.10.0/27
FW1 out - 212.10.10.1/24
FW2 out - 208.10.10.10/24
FW1 in - 192.168.0.10/24
FW2 in - 192.168.1.10/24
RTR1 inside - 192.168.1.11/24
RTR1 outside - 192.168.0.11/24
SERVER 192.168.1.220/24
SWITCH is a layer 3 switch with multiple VLANS and route-map policies to route between VLANS and choose gateway based on VLAN.
The router has NAT enabled and a static translation for 192.168.0.220 mapped to 192.168.1.220; with a machine in the 192.168.0.x network I can view a test web server on 192.168.1.220. Anything outside FW1 cannot get to the web server, even with all static and nat commands working.
Please could someone help me with this?
G
09-07-2010 12:06 PM
Dear Glenn,
The first thing that creates a doubt in my mind is the gateway on the Server: as RTR, FW2 and the Server are all in the same subnet, the Switch is basically being transparent.
So it will depend on what gateway is configured on the Server.
Another thing: as per standards, Servers are usually configured with 2 NICs so that one NIC can be configured as part of FW1 and another one as part of FW2; natting then becomes easy and availability of the server from both ISP links is easy to achieve.
Probably it's something to do with the Server gateway.
HTH.....
Regards,
Mangesh.
09-07-2010 03:34 PM
Mangesh,
Thank you for your reply. The server's gateway is FW2, 192.168.1.10/24. To give you a bit more information: ISP2 and FW2 are part of the existing setup and ISP1 is a link for a new provider that we plan to migrate to. Because there are so many servers and numerous VHOST configurations on these servers, I cannot just do a cut-over migration from one ISP to the new ISP. There are around 200 DNS records that have to be moved over to the new range.
I have also tried using the two NICs in the servers with no luck, so I am looking at other options.
So FW1 and RTR1 were put in to try and accomplish a gradual migration.
Thank you in advance
Glenn
09-07-2010 12:07 PM
Usually a fault tolerant firewall pair is placed between the Internet router and the data center/campus L3 switch in order to avoid the problem you are describing. Firewalls use 'stateful inspection' to prevent unsolicited connections from the Internet. Two separate firewalls will not be aware of each others state; therefore a return packet to a firewall that didn't originate the flow will fail.
In addition to placing the firewalls between the routers and the L3 switch; firewall 'transparent mode' is a good idea vs. routed mode.
Chris
09-07-2010 03:35 PM
Chris,
That is how our topology will look once we have been able to migrate over to our new IP range / ISP
09-07-2010 07:07 PM
Hello,
What kind of firewall are we looking at? What will be your default gateway?
The best option for us would be to use destination NAT along with source
NAT. NAT all traffic entering from the internet through the second ISP to
the inside interface IP of the second firewall. This way, the server thinks
that the request is from the second firewall and will send the reply
directly to the second firewall. The second firewall will then translate the
IP back to corresponding internet IP.
Hope this helps.
Regards,
NT
09-08-2010 02:01 AM
Nagaraja,
FW2 is a Cisco ASA 5520 v7.0 and FW1 is a Cisco Pix v6.3.
All the servers' gateway is the Layer 3 switch VLAN IP address, which has a route-map to direct 0.0.0.0/0 traffic to FW2.
What you suggested is what I am trying to achieve; please could you guide me as to how to achieve this?
09-08-2010 06:01 AM
Hello,
Please try the following on the FW1 (PIX):
access-list pnat permit ip any host "server private ip"
access-list pnat permit ip any host "server public ip"
global (inside) 1 interface
nat (outside) 1 access-list pnat
If you are mapping the server port to the external IP of the PIX itself,
then,
access-list pnat permit tcp any host "server private ip" eq "port"
access-list pnat permit tcp any host "server public ip" eq "port"
global (inside) 1 interface
nat (outside) 1 access-list pnat
This should nat all incoming requests to the interface IP of the PIX.
Hope this helps.
Regards,
NT
09-08-2010 08:53 AM
Nagaraja,
That did not work for me.
OK, my PIX looks like so:
access-list in_outbound permit ip 192.168.0.0 255.255.255.0 any
access-list in_outbound permit ip 192.168.1.0 255.255.255.0 any
access-list outside_in permit tcp any host 212.10.10.22 eq 3000
access-list pnat permit ip any host 192.168.1.28
access-list pnat permit ip any host 212.10.10.22
ip address outside 212.10.10.1 255.255.255.224
ip address inside 192.168.0.10 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list pnat 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 212.10.10.22 192.168.1.28 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group in_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 212.10.10.2 1
route inside 192.168.1.0 255.255.255.0 192.168.0.11 1
The router config is just to route the 192.168.0.1 and 192.168.0.0 traffic between one another, so a basic config of:
ip routing
eth0 - 192.168.0.11/24
eth1 - 192.168.1.11/24
ip route 0.0.0.0 0.0.0.0 192.168.0.10
09-09-2010 01:58 AM
Thank you all for your help.
Nagaraja, you guided me on the correct path, but I had to add an outside option to the nat command to make this work. I think this may be for PIX only.
nat (outside) 1 access-list pnat outside
All working now and thank you again
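The following is an added example (not configuration from the thread) that models the topology above hop by hop in Python, to show the mechanism behind the working fix: the static on FW1 alone gets the request to the server, but the server's reply follows the switch's default route to FW2, which has no state for the flow and drops it; translating the client source to FW1's inside interface (what `global (inside) 1 interface` plus `nat (outside) 1 access-list pnat outside` does on the PIX) makes the server reply to 192.168.0.10, so the packet comes back through RTR1 to FW1, which untranslates it. The client address 198.51.100.5 and the L3 switch's route to 192.168.0.0/24 via RTR1 are assumptions (the thread only says 192.168.0.x hosts can reach the server); the NAT and state handling is a simplified model, not PIX code.

```python
"""Hop-by-hop model of the thread's topology (added example, not the poster's config)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # True for the connection-opening packet, False for the reply


class Router:
    """Longest-prefix-match forwarding; routes map prefix -> next-hop device name."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def send(self, pkt):
        # Returns (packet, next device): packet None = dropped, device None = delivered
        dst = ipaddress.ip_address(pkt.dst)
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return None, None
        return pkt, self.routes[max(matches, key=lambda n: n.prefixlen)]

    def handle(self, pkt):
        return self.send(pkt)


class Firewall(Router):
    """Stateful firewall with optional static (DNAT) mappings and outside NAT."""

    def __init__(self, name, routes, inside_ip, static=None, outside_nat=False):
        super().__init__(name, routes)
        self.inside_ip = inside_ip
        self.static = static or {}      # public address -> private address
        self.outside_nat = outside_nat  # also rewrite the client source to inside_ip
        self.conns = {}                 # (src, dst) as seen inside -> original (src, dst)

    def handle(self, pkt):
        if pkt.syn:  # new flow: record state, translate if a static matches
            dst = self.static.get(pkt.dst, pkt.dst)
            src = self.inside_ip if (self.outside_nat and dst != pkt.dst) else pkt.src
            self.conns[(src, dst)] = (pkt.src, pkt.dst)
            return self.send(Packet(src, dst, True))
        key = (pkt.dst, pkt.src)  # reply: must match existing state or it is dropped
        if key not in self.conns:
            return None, None
        orig_src, orig_dst = self.conns[key]
        return self.send(Packet(orig_dst, orig_src, False))


class Host:
    """End host: answers a request addressed to it via its gateway; records the source it saw."""

    def __init__(self, name, ip, gateway):
        self.name, self.ip, self.gateway = name, ip, gateway
        self.seen_src = None

    def handle(self, pkt):
        if pkt.dst != self.ip:
            return None, None
        if not pkt.syn:
            return pkt, None  # reply delivered to the original client
        self.seen_src = pkt.src
        return Packet(self.ip, pkt.src, False), self.gateway


def build(outside_nat):
    client_ip = "198.51.100.5"  # constructed Internet client (assumption)
    return {
        "internet": Router("internet", {"212.10.10.0/27": "fw1", "208.10.10.0/27": "fw2",
                                        "198.51.100.0/24": "client"}),
        "fw1": Firewall("fw1", {"192.168.0.0/24": "rtr1", "192.168.1.0/24": "rtr1",
                                "0.0.0.0/0": "internet"}, inside_ip="192.168.0.10",
                        static={"212.10.10.22": "192.168.1.28"}, outside_nat=outside_nat),
        "rtr1": Router("rtr1", {"192.168.0.10/32": "fw1", "192.168.1.0/24": "switch",
                                "0.0.0.0/0": "fw1"}),
        # L3 switch: route-map default to FW2; 192.168.0.0/24 via RTR1 is an assumption
        "switch": Router("switch", {"192.168.1.28/32": "server", "192.168.0.0/24": "rtr1",
                                    "0.0.0.0/0": "fw2"}),
        "fw2": Firewall("fw2", {"192.168.1.0/24": "switch", "0.0.0.0/0": "internet"},
                        inside_ip="192.168.1.10"),
        "server": Host("server", "192.168.1.28", gateway="switch"),
        "client": Host("client", client_ip, gateway="internet"),
    }


def run(outside_nat):
    """Send one request from the client to the published address and follow it hop by hop."""
    devices = build(outside_nat)
    pkt, node, path = Packet(devices["client"].ip, "212.10.10.22", True), "internet", []
    for _ in range(32):
        path.append(node)
        pkt, node = devices[node].handle(pkt)
        if pkt is None:
            return {"delivered": False, "dropped_at": path[-1], "path": path,
                    "server_saw": devices["server"].seen_src}
        if node is None:
            return {"delivered": True, "reply_src": pkt.src, "path": path,
                    "server_saw": devices["server"].seen_src}
    raise RuntimeError("forwarding loop")


if __name__ == "__main__":
    for flag in (False, True):
        print("outside NAT" if flag else "static only", run(flag))
```

Running it shows the two paths: without outside NAT the reply dies at fw2, with it the reply returns via rtr1 and fw1 and reaches the client with the public 212.10.10.22 source. The model also makes the trade-off of this fix visible: the server sees every client as 192.168.0.10, so web-server logs and any source-address based controls on the server lose the real client address for connections that arrive through FW1.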