nat issues


Can someone explain to me what's happening here? When I set up a static NAT for my machine on the firewall I'm not able to get out to the internet; if I remove that NAT and go over the global PAT, everything works fine:



static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255

FW# sh xlate | i 2.39

Global 172.18.10.39 Local 10.14.2.39



Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0


The internet router has these lines:


ip nat inside source list 1 pool public

access-list 1 permit 172.18.10.39

JORGE RODRIGUEZ Fri, 04/13/2007 - 09:24

Hi, what are you trying to accomplish? Do you want public inbound connections to reach your local machine?


It seems you are applying the static NAT on the outside interface using a private IP block (172.18.x.x) instead of a public IP address.


usually:

static (inside,outside) publicIP localIP netmask 255.255.255.255 0 0


Then your access list to permit inbound connections.


For outbound internet your static NAT which is your public IP should get you internet outbound connections.





Yeah, the firewall is NATting to another private block, which is our DMZ; the router then NATs it to a public IP with ip nat inside source list 1 pool public.


List 1 includes both the static NAT I created on the firewall and the PAT.


Really, the only reason I want to do this is to TFTP configs from the DMZ equipment to my machine. I got it working using a policy NAT, but I'm just wondering why the static NAT I set up earlier wasn't working properly.

tcscadmin Mon, 04/16/2007 - 08:14

Let's see if I understand the topology here. You have an "internet router." That NATs a pool of addresses to one host. That router connects to your PIX. This PIX is generally configured for PAT on the outside interface of 172.18.10.39.


When you add the static command, connectivity to the Internet from 10.14.2.39 should work.


But any other host inside that PIX going out to the WWW will not. Always remember that a static command trumps a dynamic one in the ASA world. It trumps any NAT rules with any ID number. It also trumps NAT 0 rules, IIRC.


So what you need to do is a static PAT, not a static NAT.


This is how it would look if 10.14.2.39 were a Web server.


static (inside,outside) tcp 172.18.10.39 80 10.14.2.39 80

Just pick one port, though, per static PAT entry.


Use this in conjunction with your existing dynamic PAT rules.


Right, here is the topology:


insidenet - pix - dmz - router - internet



But I do have a PAT already:



global (outside) 1 172.18.10.100

nat (inside) 1 10.14.2.0 255.255.255.0


Everything works fine...however, when I add this line:


static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255


All the other IPs still work, obviously, but from 10.14.2.39 I can't access the internet anymore. The router translates both 172.18.10.39 and 172.18.10.100 to our public internet IP, and I verified that it has the right translations.


I did a ping test and I see the pings coming back in the logs:



Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0


I noticed the port numbers are all 0s. When I do a ping test going over the PAT, they're right:


Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for faddr 64.233.167.99/0 gaddr 172.18.10.100/5050 laddr 10.14.2.39/512


Based on the setup and the NAT pool on the router, the 172.18.10.39 NAT should still work.
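The two things this thread turns on are the precedence rule tcscadmin states (a static trumps any nat/global pair) and the port fields in the %PIX-6-302020 lines quoted above (0/0 for the static, rewritten identifiers for the PAT). The following Python is an added example, not code from the poster or from Cisco: it parses constructed log lines modelled on the two quoted here, classifies each translation from its port fields, models which global address the PIX will pick for an inside host, and checks that every global the firewall can emit is covered by the upstream router's NAT ACL. The dataclass names, the `xlate_kind` rule (static = 0/0, PAT = differing global and local ports) and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample lines, modelled on the two %PIX-6-302020 messages quoted
# in this thread (the second one re-joined onto a single line).
SAMPLE_LOGS = [
    "Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for "
    "faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0",
    "Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for "
    "faddr 64.233.167.99/0 gaddr 172.18.10.100/5050 laddr 10.14.2.39/512",
]

# One "address/port" field; the group name is filled in per field below.
_ADDR = r"(?P<{n}>\d+\.\d+\.\d+\.\d+)/(?P<{n}_port>\d+)"
LOG_302020 = re.compile(
    r"%PIX-6-302020: Built ICMP connection for faddr " + _ADDR.format(n="faddr")
    + r" gaddr " + _ADDR.format(n="gaddr") + r" laddr " + _ADDR.format(n="laddr")
)


@dataclass
class IcmpConn:
    faddr: str
    gaddr: str
    gport: int
    laddr: str
    lport: int

    @property
    def xlate_kind(self) -> str:
        """Classify the translation from the port fields alone. Assumption drawn
        from the two quoted lines: a one-to-one static leaves the ICMP identifier
        alone and the PIX logs 0/0, while dynamic PAT rewrites it, so the global
        port differs from the local one."""
        if self.gport == 0 and self.lport == 0:
            return "static"
        if self.gport != self.lport:
            return "pat"
        return "unknown"


def parse_302020(line: str) -> Optional[IcmpConn]:
    """Return the parsed connection, or None if the line is not a 302020 ICMP build."""
    m = LOG_302020.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return IcmpConn(d["faddr"], d["gaddr"], int(d["gaddr_port"]),
                    d["laddr"], int(d["laddr_port"]))


@dataclass
class StaticNat:      # static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255
    global_ip: str
    local_ip: str


@dataclass
class DynamicPat:     # nat (inside) <nat_id> <local_net> paired with global (outside) <nat_id> <global_ip>
    nat_id: int
    local_net: str
    global_ip: str


def pick_translation(local_ip: str, statics: list, pats: list):
    """Which global address the PIX uses for an inside host. A matching static wins
    over every nat/global pair regardless of ID (the precedence rule in the thread);
    otherwise the lowest-ID dynamic rule whose network contains the host is used."""
    for s in statics:
        if s.local_ip == local_ip:
            return ("static", s.global_ip)
    for p in sorted(pats, key=lambda p: p.nat_id):
        if ip_address(local_ip) in ip_network(p.local_net):
            return ("pat", p.global_ip)
    return None


def globals_missing_from_acl(statics: list, pats: list, acl_permits: set) -> set:
    """Every global the firewall can emit must be permitted by the upstream router's
    'ip nat inside source list' ACL, or that host's traffic leaves the router
    untranslated. Returns the globals the ACL does not cover."""
    emitted = {s.global_ip for s in statics} | {p.global_ip for p in pats}
    return emitted - acl_permits


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        c = parse_302020(line)
        print(c.xlate_kind, c.gaddr, c.gport, "<-", c.laddr, c.lport)
    statics = [StaticNat("172.18.10.39", "10.14.2.39")]
    pats = [DynamicPat(1, "10.14.2.0/24", "172.18.10.100")]
    print(pick_translation("10.14.2.39", statics, pats))   # the static wins
    print(pick_translation("10.14.2.40", statics, pats))   # falls through to PAT
    print(globals_missing_from_acl(statics, pats, {"172.18.10.39"}))
```

Running it classifies the first quoted line as a static translation and the second as PAT, shows that 10.14.2.39 is always mapped to 172.18.10.39 once the static exists, and reports 172.18.10.100 as uncovered when the router ACL only permits .39, which is the configuration check the later replies in this thread go on to make.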

tcscadmin Mon, 04/16/2007 - 09:49

What logical network is configured in the DMZ network? Where does 10.14.2.39 connect physically?

tcscadmin Mon, 04/16/2007 - 09:55

Is 172.18.10.39 the outside interface of the PIX?


If so, your problem is that the Internet router thinks 172.18.10.100 is directly connected to itself in the DMZ. It works in the firewall's case because the firewall broadcasts the ARP reply for .39 but not for .100.

tcscadmin Mon, 04/16/2007 - 10:09

ip nat inside source list 1 pool public

access-list 1 permit 172.18.10.39

access-list 1 permit 172.18.10.100


It was staring me in the face. Add 172.18.10.100 to this ACL on the Internet Router.

Yeah, it's already there. I didn't add it to the original post because it's already working; I probably should have, to be more clear. :)


But yeah, it's there: 172.18.10.100 and 172.18.10.39, and I verified that both get translated to the public IP with sh ip nat trans.


The weird thing is, when I add the 172.18.10.39 static NAT to the firewall (and lose internet access), I can do a tcpdump on a spanned port and I see the ICMP traffic coming back to my machine, but my machine shows it as timing out. I guess I should try to capture those packets on my machine to see what I'm getting. But I'm not sure why I'm getting those /0s in the firewall logs.
