When applying a NAT rule, it stops our internet traffic and doesn't work

Unanswered Question

Hi all, in our HQ we have a WAN 2800 router; its LAN Eth0 address is 192.100.100.1, which is the gateway to all remote offices. Also at HQ we have a firewall connected to the internet; its LAN Eth0 address is 192.100.100.254. All users on the HQ LAN have their gateway pointing to the WAN 2800, 192.100.100.1. I need to allow all users on the LAN and WAN to use an internet service on TCP port 5631. I need to forward TCP port 5631 from the WAN 2800 router (192.100.100.1) and redirect it to the firewall (192.100.100.254). When I applied a NAT rule on the 2800 it completely stopped internet traffic; all help will be appreciated.

Kind Regards,

Rob

Paolo Bevilacqua Wed, 06/20/2007 - 13:24

Hello,

Due to your topology, the 2800 cannot have any role in this design.

Now, if the connection is initiated from the inside to outside, toward port 5631, all the PCs should be able to use it and your firewall will do PAT as necessary. If it does not, please check its configuration.

If the connection is initiated from outside to inside, configure a port forward on the firewall. You will be able to specify one single "inside" address for each TCP port forwarded.

Hope this helps, please rate post if it does!

Hi, thanks for the reply.

Our requirement is as stated in your first statement. It is from inside to outside: the PCs point to the WAN 28xx router, and then we need to redirect their requests to the firewall. The firewall PAT is working fine, as if we change the PCs' gateway to the firewall it works fine. Can you please provide an example of the config line required on the 28xx router? Thanks in advance.

Rob

Paolo Bevilacqua Wed, 06/20/2007 - 13:50

Hi,

The 2811 should not change anything in the packet from inside to outside and vice versa. It is strange that if you set the default GW to the FW address it works, but if it is set to the router, it does not.

The router should just have the route 0.0.0.0 0.0.0.0. Optionally you can set "no icmp redirect" so the router would never tell the PCs to use the FW as gateway.

The only thing is that perhaps, for some security reason, the FW wants to see packets sourced from a PC on the local LAN come in with the same source MAC address it has in its ARP table, something that would not happen if you place the router on the same subnet and it is used as GW by the PCs.
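The configuration the reply above describes, written out as an added example (it is not from the thread and not the poster's running config). On IOS the interface command that suppresses redirects is `no ip redirects`. The interface name, the subnet mask and the address of the remote-office WAN link are assumptions; the two LAN addresses are the ones given in the question.

```cisco
! Added example: 2800 acting purely as a router on the HQ LAN.
! No NAT statements at all. TCP/5631, like every other Internet-bound flow,
! just follows the default route to the firewall, which already does the PAT.

interface FastEthernet0/0
 description HQ LAN (address from the question; interface name assumed)
 ip address 192.100.100.1 255.255.255.0
 ! PCs use this router as gateway but the next hop (the firewall) sits on the
 ! same segment, so IOS would send ICMP redirects telling each PC to go
 ! straight to 192.100.100.254. Suppress them so all PC traffic keeps
 ! transiting the router, as the thread recommends.
 no ip redirects
 ! Deliberately NO "ip nat inside" / "ip nat outside" here.

interface Serial0/0/0
 description WAN link to remote offices (address and name assumed)
 ip address 10.255.255.1 255.255.255.252
 ! Again, no "ip nat" keyword on the WAN side either.

! Default route: everything not known locally goes to the firewall's LAN address.
ip route 0.0.0.0 0.0.0.0 192.100.100.254

! Remote office networks (example prefix, assumed) are reached over the WAN link.
ip route 10.10.0.0 255.255.0.0 10.255.255.2
```

Before applying this, remove whatever `ip nat` lines the earlier attempt left behind: `show running-config | include ip nat` lists them, and `show ip nat translations` should come back empty once the router is no longer translating. Verify forwarding with `show ip route 0.0.0.0` (next hop 192.100.100.254) and from a PC with a traceroute to any Internet host, which should now show 192.100.100.1 followed by 192.100.100.254. One caveat the thread does not spell out: for the remote offices to use the same service, the firewall needs return routes for the remote-office subnets pointing back at 192.100.100.1, otherwise the PAT replies have no path home.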
