U-Turning Bi-Directional NAT


I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my 172.17.150.0/24 subnet to browse the website on 69.90.71.85:

static (outside,inside) 69.90.71.85 172.17.150.23 255.255.255.255

It simply will not seem to work. Can anyone lend some assistance?

pstebner1 Wed, 06/13/2007 - 09:43

David-

Which is your inside network? Is it the 172.x.x.x and the 69.x.x.x website is on the internet?

I'm not exactly sure what you are trying to do, but it looks like your static is backwards, and you cannot statically translate a /24 subnet to one ip address.

Perhaps a little more explanation?

Thanks,

Paul

acomiskey Wed, 06/13/2007 - 09:45

I think he has something like this

static (inside,outside) 69.90.71.85 172.17.150.23 255.255.255.255

and he is trying to hit http://69.90.71.85 from a client 172.17.150.x on the inside.

Is this correct?

pstebner1 Wed, 06/13/2007 - 09:56

Yep, Mr. Comiskey is correct. That dns doctoring link should take care of you.

Regards,

Paul

acomiskey Wed, 06/13/2007 - 10:20

Are you sure you wrote it correctly, that should not have happened. I think you would want...

static (inside,inside) 69.90.71.85 172.17.150.23 255.255.255.255

You also need the same-security-traffic permit intra-interface etc.

Anyway, pay close attention to where it says...

"For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."

You will run into a problem here as you are running 7.0.

pstebner1 Wed, 06/13/2007 - 10:20

Don't forget to enable hairpinning by issuing the

same-security-traffic permit intra-interface

command first.

HTH,

P

Thanks everyone for your responses.

The solution was provided by Sanjeev Pabbi:

same-security-traffic permit intra-interface

static (inside,outside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 172.27.150.200 172.17.150.200 netmask 255.255.255.255

Explanation:

Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, the packets have to come out of the same INSIDE interface towards your LAN, so the first command allows packets to enter and leave from the same interface. It is a global command.

The second command will allow your web server with private IP 172.17.150.23 to appear as public IP 69.90.71.85 to the outside world (not to inside users).

Assuming the client on the inside network has IP 172.17.150.200, when it tries to access the web site by public IP 69.90.71.85, the third command translates the web server's public IP to its private IP.

The fourth command does the source translation, converting the original client IP 172.17.250.200 to a fake non-existent IP 172.27.250.200. (This step is very important, because without it the web server will receive the incoming packet, but for the return traffic it will try to go to the client IP directly, because it is in the same subnet, and it never reaches there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from 172.27.150.200, NOT 172.17.150.200.

acomiskey Thu, 06/14/2007 - 07:09

Instead of the fourth one you could just do...

global (inside) 1 interface

nat (inside) 1 0 0

then you don't have to have a static statement for each client.
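The two posts above (Sanjeev Pabbi's four-line solution and acomiskey's nat/global variant) both hinge on one routing fact: after the firewall rewrites the destination from 69.90.71.85 to 172.17.150.23, the server's reply goes straight back across the LAN to the client unless the source address was also rewritten to something that is not on the 172.17.150.0/24 segment (or is the firewall's own interface). The following Python simulation is an added example, not code from the thread or from Cisco; it models the client, a one-interface firewall and the web server as toy objects and runs the three cases: no source translation, the per-client static to 172.27.150.200, and interface PAT. The addresses are the thread's; the firewall inside address 172.17.150.1, the port numbers and the packet format are my own assumptions.

```python
"""Simulated hairpin (U-turn) NAT on one inside interface.

Added example: models the flow the thread describes, not a PIX emulator.
Addresses are taken from the thread; the inside-interface address, ports
and packet format are constructed here for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

SERVER_PRIVATE = "172.17.150.23"
SERVER_PUBLIC = "69.90.71.85"     # static (inside,inside) 69.90.71.85 172.17.150.23
CLIENT = "172.17.150.200"
CLIENT_FAKE = "172.27.150.200"    # static (inside,inside) 172.27.150.200 172.17.150.200
INSIDE_IF = "172.17.150.1"        # assumed firewall inside address (global (inside) 1 interface)
LAN = ipaddress.ip_network("172.17.150.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Firewall:
    dst_static: dict            # mapped (public) address -> real (private) address
    src_map: dict               # real client address -> mapped source address
    pat: bool = False           # True: nat/global to the inside interface address
    xlate: dict = field(default_factory=dict)  # (mapped src, mapped port) -> (real src, real port)
    next_port: int = 1024       # assumed PAT port allocator

    def outbound(self, pkt):
        """Client -> server leg: untranslate the destination, translate the source."""
        real_dst = self.dst_static.get(pkt.dst)
        if real_dst is None:
            return None         # no static for this destination: nothing to hairpin
        if self.pat:
            src, sport = INSIDE_IF, self.next_port
            self.next_port += 1
        else:
            src, sport = self.src_map.get(pkt.src, pkt.src), pkt.sport
        self.xlate[(src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, real_dst, sport, pkt.dport)

    def inbound(self, pkt):
        """Server -> client leg: reverse both translations using the xlate entry."""
        real = self.xlate.get((pkt.dst, pkt.dport))
        if real is None:
            return None         # no matching translation: dropped
        public = {v: k for k, v in self.dst_static.items()}.get(pkt.src, pkt.src)
        return Packet(public, real[0], pkt.sport, real[1])


def deliver_reply(reply, fw):
    """The LAN: a host sends directly to anything on its own /24 (bypassing the
    firewall) and uses the firewall as default gateway for everything else.
    A packet addressed to the firewall's own interface reaches the firewall."""
    if ipaddress.ip_address(reply.dst) in LAN and reply.dst != INSIDE_IF:
        return reply            # lands on the client untouched
    return fw.inbound(reply)


def browse(fw):
    """One HTTP request/reply. Returns (source the server saw,
    source the client saw on the reply, whether the client accepts it)."""
    req = Packet(CLIENT, SERVER_PUBLIC, 40000, 80)
    to_server = fw.outbound(req)
    # The server answers whatever reached it, swapping the addresses and ports.
    reply = Packet(to_server.dst, to_server.src, to_server.dport, to_server.sport)
    at_client = deliver_reply(reply, fw)
    # The client only accepts a reply from the tuple it connected to.
    ok = at_client is not None and (
        at_client.src, at_client.sport, at_client.dst, at_client.dport
    ) == (req.dst, req.dport, req.src, req.sport)
    return to_server.src, (at_client.src if at_client else None), ok


def build(mode):
    """Firewall configs corresponding to the thread's three variants."""
    dst_static = {SERVER_PUBLIC: SERVER_PRIVATE}
    if mode == "no-source-nat":     # only the (inside,inside) static for the server
        return Firewall(dst_static, {})
    if mode == "static":            # plus the per-client static to 172.27.150.200
        return Firewall(dst_static, {CLIENT: CLIENT_FAKE})
    if mode == "pat":               # plus nat (inside) 1 0 0 / global (inside) 1 interface
        return Firewall(dst_static, {}, pat=True)
    raise ValueError(mode)


if __name__ == "__main__":
    for mode in ("no-source-nat", "static", "pat"):
        print(mode, browse(build(mode)))
```

In the first case the client receives a reply from 172.17.150.23, not from 69.90.71.85, so its TCP stack ignores it; in the other two the reply is forced back through the firewall, which restores 69.90.71.85 as the source, at the cost of the web server logging 172.27.150.200 or the firewall's inside address instead of the real client.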
