01-26-2009 03:19 PM - edited 03-06-2019 03:39 AM
Hi,
I have this case:
I'm attaching a diagram showing a simple interconnection:
I have a host with a private IP address, which is being routed for management purposes.
I want to configure an overload NAT, just because I need the bluecoat device to contact a site on the Internet, but no one should be able to contact the bluecoat from the Internet.
The problem is that I manage the bluecoat using its private IP address, and it responds very well if I don't configure NAT. When I configure NAT, the bluecoat can access the Internet, but I cannot manage it because its internal IP address does not respond.
Is there an additional command or any suggestion that I could configure in the router, so that the internal IP of the bluecoat responds to ping and SSH, although it is being NATed in the router?
This is part of router A's configuration:
interface GigabitEthernet0/0
ip nat outside
!
interface GigabitEthernet0/0
ip address 192.168.199.1 255.255.255.248
ip nat inside
!
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 11 pool BLUECOAT overload
!
access-list 11 permit 192.168.199.2
!
regards,
01-26-2009 03:30 PM
Yes. Just exclude your management addresses from the NAT list. Your ACL should be like this:
access-list 11 deny ADMINISTRATOR_NETWORK
access-list 11 permit 192.168.199.2
PRoque
01-26-2009 03:53 PM
Hi Paulo, thanks for your answer. I tried the configuration but it still doesn't work.
My management IP address is a public IP. When I don't configure NAT, the private IP address of the bluecoat responds to ping and SSH, but it doesn't respond if I configure NAT.
Any other suggestion?
Thanks
01-26-2009 10:23 PM
access-list 11 permit 192.168.199.2
I think the above command is not complete and can be the reason for the problem, as you either define it as
access-list 11 permit host 192.168.199.2
access-list 11 permit 192.168.199.2 0.0.0.0 (single IP, using a wildcard mask)
or
access-list 11 permit 192.168.199.0 0.0.0.255 (range of IPs that are allowed)
Since you are defining overload in your case, I think you have to give a wildcard mask to define a range of IPs.
01-27-2009 03:21 AM
William,
If you want to access BLUECOAT using the public IP, configure NAT as below:
!
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 11 pool BLUECOAT overload
ip nat inside source static tcp 192.168.199.2 22 200.25.194.133 22
!
access-list 11 permit 192.168.199.2
!
However, if you want to access BLUECOAT using the private IP, try this:
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 111 pool BLUECOAT overload
!
access-list 111 deny tcp host 192.168.199.2 eq 22
access-list 111 permit ip host 192.168.199.2 any
!
HTH,
~Vaibhav
01-28-2009 12:34 PM
Thank you Vaibhav,
but it didn't work :-(
When I configure NAT, the bluecoat can access the Internet, but I cannot manage it using its internal private IP address.
regards
01-29-2009 02:37 AM
William, I have recreated this and it worked fine for me. I was able to successfully SSH to the bluecoat device IP 192.168.199.2 from the Admin device. I hope you have the routing set correctly.
Did you change the ACL and the source list to 111 and have you removed all other NAT statements?
---------
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 111 pool BLUECOAT overload
access-list 111 deny tcp host 192.168.199.2 eq 22 host
access-list 111 permit ip host 192.168.199.2 any
---------
If it still does not work, initiate SSH from the Admin box and capture 'debug ip nat' on the NAT router. If you see hits for SSH traffic, it would mean that the NAT ACL is not denying the SSH traffic from getting NATed.
Regards
~Vaibhav
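As an added example, not from the thread or from any router software, this Python models the first-match ACL logic behind Vaibhav's ACL 111 (deny = exempt from translation, permit = translate) and shows that the deny entry exempts the bluecoat's SSH replies but not its ICMP echo replies, so a ping to the private address would still be translated. Addresses are the thread's; ADMIN_HOST, the `any` destination filled in on the truncated deny line, and the destination-based ACL_ADMIN variant are assumptions.

```python
# Model of how an extended NAT ACL picks inside->outside packets to translate.
from collections import namedtuple

BLUECOAT = "192.168.199.2"
ADMIN_HOST = "203.0.113.10"   # assumed public management station (constructed)
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def _addr(t, i):
    """Consume 'any' or 'host X' at t[i]; None means any address."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address spec {t[i]!r}")

def _port(t, i):
    if i < len(t) and t[i] == "eq":   # optional 'eq N'
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list N deny|permit PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)       # 'eq' after the source is the source port
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return t[2], t[3], src, sport, dst, dport

def ace_matches(ace, p):
    _, proto, src, sport, dst, dport = ace
    return (proto in ("ip", p.proto) and src in (None, p.src)
            and dst in (None, p.dst) and sport in (None, p.sport)
            and dport in (None, p.dport))

def nat_decision(acl_lines, p):
    """First match wins: permit => translate, deny (or no match) => bypass."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, p):
            return "translate" if ace[0] == "permit" else "bypass"
    return "bypass"

# ACL 111 from the thread, with its truncated destination taken as "any".
ACL_111 = [f"access-list 111 deny tcp host {BLUECOAT} eq 22 any",
           f"access-list 111 permit ip host {BLUECOAT} any"]
# Assumed alternative: exempt everything sent to the admin station, so ICMP
# echo replies to the management host keep their private source as well.
ACL_ADMIN = [f"access-list 111 deny ip host {BLUECOAT} host {ADMIN_HOST}",
             f"access-list 111 permit ip host {BLUECOAT} any"]
```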