U-Turning Bi-Directional NAT

david.morrow
Level 1

I've been trying to make this work and have had no luck. I've got a 515E running 7.0(2) and attempted to use this command to allow hosts on my 172.17.150.0/24 subnet to browse the website on 69.90.71.85:

static (outside,inside) 69.90.71.85 172.17.150.23 255.255.255.255

It simply will not seem to work. Can anyone lend some assistance?

11 Replies

pstebner1
Level 1

David-

Which is your inside network? Is it the 172.x.x.x and the 69.x.x.x website is on the internet?

I'm not exactly sure what you are trying to do, but it looks like your static is backwards, and you cannot statically translate a /24 subnet to one ip address.

Perhaps a little more explanation?

Thanks,

Paul

I think he has something like this:

static (inside,outside) 69.90.71.85 172.17.150.23 255.255.255.255

and he is trying to hit http://69.90.71.85 from a client 172.17.150.x on the inside.

Is this correct?

This is what you are looking for: DNS doctoring or hairpinning with 2 interfaces.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

That's correct.

My inside network is 172.17.150.0/24. The webserver is on 172.17.150.23

I am trying to browse to the public IP 69.90.71.85 from a machine on the inside network.

In older PIX versions I could use "alias", but apparently that command is no longer valid.

Yep, Mr. Comiskey is correct. That DNS doctoring link should take care of you.

Regards,

Paul

Thanks guys, I'll have a close look at that document. I tried to do just the last "nat (inside,inside)" but then lost connection to my webserver from outside...... :)

Are you sure you wrote it correctly, that should not have happened. I think you would want...

static (inside,inside) 69.90.71.85 172.17.150.23 255.255.255.255

You also need the same-security-traffic permit intra-interface etc.

Anyway, pay close attention to where it says...

"For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."

You will run into a problem here as you are running 7.0.

Don't forget to enable hairpinning by issuing the

same-security-traffic permit intra-interface

command first.

HTH,

P

Thanks everyone for your responses.

The solution was provided by Sanjeev Pabbi;

same-security-traffic permit intra-interface

static (inside,outside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 69.90.71.85 172.17.150.23 netmask 255.255.255.255

static (inside,inside) 172.27.150.200 172.17.150.200 netmask 255.255.255.255

Explanation:

Because the request is initiated from inside the firewall, it hits the INSIDE interface; then, after the NAT translation, the packets have to come out of the same INSIDE interface towards your LAN. So the first command allows packets to enter and leave from the same interface; it's a global command.

The second command will allow your web server with private IP 172.17.150.23 to appear as public IP 69.90.71.85 to the outside world (not to inside users).

Assuming the client on the inside network has IP 172.17.150.200, when it tries to access the web site by public IP 69.90.71.85, the third command translates the web server's public IP to its private IP.

The fourth command does the source translation, converting the original client IP 172.17.250.200 to a fake, non-existent IP 172.27.250.200. (This step is very important: without it the web server will receive the incoming packet, but for the return traffic it will try to go to the client IP directly, because it is in the same subnet, and it never gets there as it bypasses the firewall.) So in the web server logs it will appear as if the request has come from 172.27.150.200, NOT 172.17.150.200.

Instead of the fourth one you could just do...

global (inside) 1 interface

nat (inside) 1 0 0

then you don't have to have a static statement for each client.
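To make the explanation above concrete, here is an added Python model of the hairpinned flow (it is not part of the thread and not Cisco code). It applies the three static lines from the solution post as bidirectional translations, checks the same-security-traffic permit intra-interface requirement, and shows why the client-side source translation matters: with it (either the per-client static or the interface PAT alternative from the reply above) the server's reply is addressed off-subnet and returns through the firewall, where the destination is un-translated back to 69.90.71.85; without it the reply goes straight to the client from 172.17.150.23 and the session breaks. The firewall's inside address 172.17.150.1 is an assumed value, and the PAT model tracks one flow without ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread; the firewall's own inside address is an assumed value.
LAN = ip_network("172.17.150.0/24")
WEB_PRIVATE, WEB_PUBLIC = "172.17.150.23", "69.90.71.85"
CLIENT, CLIENT_FAKE = "172.17.150.200", "172.27.150.200"
FW_INSIDE = "172.17.150.1"  # assumption: firewall inside interface address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real netmask 255.255.255.255' line."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str


class Firewall:
    """Toy model of static NAT plus optional interface PAT on a hairpinned flow."""

    def __init__(self, statics, intra_interface=False, interface_pat=False):
        self.statics = list(statics)
        self.intra_interface = intra_interface  # same-security-traffic permit intra-interface
        self.interface_pat = interface_pat      # global (inside) 1 interface + nat (inside) 1 0 0
        self.xlate = {}                         # dynamic PAT state: (mapped_src, dst) -> real_src

    def forward(self, pkt, ingress):
        """Translate one packet arriving on `ingress`; returns (packet, egress) or None if dropped."""
        egress, dst = None, pkt.dst
        if (pkt.dst, pkt.src) in self.xlate:
            # Reply to a PAT'd flow: undo the dynamic source translation first.
            egress, dst = "inside", self.xlate[(pkt.dst, pkt.src)]
        else:
            # Destination un-translation: a static whose mapped side faces the ingress interface.
            for s in self.statics:
                if s.mapped_if == ingress and s.mapped == pkt.dst:
                    egress, dst = s.real_if, s.real
                    break
        if egress is None:
            return None  # no matching translation; plain routing is outside this model
        if egress == ingress and not self.intra_interface:
            return None  # hairpin refused until intra-interface traffic is permitted
        # Source translation toward the egress interface (statics work in both directions).
        src = pkt.src
        for s in self.statics:
            if s.real_if == ingress and s.mapped_if == egress and s.real == pkt.src:
                src = s.mapped
                break
        else:
            if self.interface_pat and ingress == egress == "inside" and pkt.src != FW_INSIDE:
                src = FW_INSIDE
                self.xlate[(src, dst)] = pkt.src  # ports omitted: one flow at a time
        return Packet(src, dst), egress


def reply_path(reply):
    """Next hop for the server's reply: a host on its own /24 is reached directly, so the
    firewall never sees the packet and cannot undo the destination translation."""
    if ip_address(reply.dst) in LAN and reply.dst != FW_INSIDE:
        return "direct-to-client"
    return "via-firewall"


def hairpin_demo(source_nat):
    """source_nat is 'static' (per-client static), 'pat' (global/nat alternative) or 'none'."""
    statics = [Static("inside", "outside", WEB_PUBLIC, WEB_PRIVATE),
               Static("inside", "inside", WEB_PUBLIC, WEB_PRIVATE)]
    if source_nat == "static":
        statics.append(Static("inside", "inside", CLIENT_FAKE, CLIENT))
    fw = Firewall(statics, intra_interface=True, interface_pat=(source_nat == "pat"))
    req, _ = fw.forward(Packet(CLIENT, WEB_PUBLIC), "inside")
    reply = Packet(req.dst, req.src)  # the server answers the source address it saw
    path = reply_path(reply)
    if path == "via-firewall":
        back, _ = fw.forward(reply, "inside")
        reply_src = back.src
    else:
        reply_src = reply.src  # arrives directly, untranslated
    return {"server_sees_src": req.src, "reply_path": path,
            "reply_src_at_client": reply_src, "session_ok": reply_src == WEB_PUBLIC}


if __name__ == "__main__":
    for mode in ("static", "pat", "none"):
        print(mode, hairpin_demo(mode))
```

The "session_ok" flag is the check a practitioner wants: the client opened a connection to 69.90.71.85, so a reply arriving from 172.17.150.23 does not match its connection state, which is exactly the symptom the thread describes when the source translation is missing.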

You need to re-encrypt the traffic from site to site inside the firewall.
