Static Nat

Unanswered Question

Hi,


ISP--R1--Firewall--R2--R3--Pc(webserver)


The ISP is terminated on the R1 router. To provide internet for users, dynamic NAT is done at the router (R1) level itself. R1 F0's primary IP is the public IP, and the secondary IP is a private IP which is terminated on the firewall interface (private IP). Now I need to provide static NAT for my webserver. Is it possible to do it on the firewall? I think we can't; I have to do it only on the router.

abinjola (Cisco Employee) Sat, 02/23/2008 - 06:40

Well, the public IP address would be translated on the router to the firewall interface IP (or any other free IP from that pool), and then on the firewall we need:

static (inside,outside) tcp interface 80 <webserver-real-ip> 80 netmask 255.255.255.255

access-list abc permit tcp any host <firewall-outside-ip> eq 80

access-group abc in interface outside

Hi,


Your responses are always very helpful for me. Thanks again and again. So as per my scenario I require 2 public IPs to do NAT on the firewall (1 for the firewall interface and 1 for static NAT), but I have only one free IP. So I did static NAT at the router level itself. Let me explain my problem.


My firewall is in the data center (DC). The webserver is in the branch, as I said in the diagram. If I place the webserver in the DC I can access it from outside, but if I place the webserver in the branch (R3 router) I am unable to access it from outside (I am getting connections on the firewall with flags saAB). I think it is some routing issue. As per the current setup we have a route in the router to connect to the DC network. I think we have to add a route in the router so that the request from the internet can go back outside (kindly let me know the route). Please provide me your valuable information.


abinjola (Cisco Employee) Mon, 02/25/2008 - 06:52

You don't need 2 free IPs; you can do static PAT using the firewall's outside IP.

abinjola (Cisco Employee) Mon, 02/25/2008 - 07:36

To what IP address is the router translating the request?

Give me the sh run static / sh static output, and sh run access-group.


Hi,


PIX FW (535): 3 interfaces (inside, outside, branch)

3 routers (R1, R2 and R3)

Webserver: in branch (R3)

Between R2 and R3: OSPF. Is there anything that needs to be added?

R1: NAT, PAT and routes (default towards serial int, network-based towards firewall int)

PIX: ACL from out to in, default route towards outside, network routes towards branch and inside, nonat for translation on the higher-security interface

If I access the webserver from outside I am finding a conn on the firewall (conn status: saAB). I am even finding the outside-world IP in my webserver log also. Some return traffic flow is not happening.


abinjola (Cisco Employee) Tue, 02/26/2008 - 04:54

Suresh, as a test allow ICMP through the firewall and ping the web server. Also, can you ping the webserver from the firewall?

Can you tell me the real IP address of the web server? If possible, post your config here.

Hi,


Thank you very much. Kindly find the attached file. At my client's place I am taking care of only the PIX; the rest of the router parts are all taken care of by another vendor. Static NAT is at the router level. Let me know the router-level routes and verify the PIX config also. If I try to access from outside I am finding conn status (saAB):


TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB

TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB

TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB


I am finding the public IP (123.176.41.235) in the webserver log also. I think return traffic is not flowing.



Hi,


Kindly ignore the previous post; the attachment is not there.

abinjola (Cisco Employee) Tue, 02/26/2008 - 07:59

Config looks good. Are we able to ping the webserver from the firewall?

Can you get me sh ip route from both R2 and R3?

abinjola (Cisco Employee) Wed, 02/27/2008 - 04:16

From the webserver, can you ping R1?

Run debug icmp trace on the firewall while you initiate a ping from the webserver to R1 and to 4.2.2.2 simultaneously.

abinjola (Cisco Employee) Wed, 02/27/2008 - 04:28

Hey Suresh, the connection detail "TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB" clearly indicates that there was no return SYN-ACK on the firewall back from the web server, so the issue is either on the WEBSERVER or on R2 or R3.

Now, from the WEBSERVER are you able to ping 4.2.2.2 through the firewall? Do you see these ICMP requests and replies in debug icmp trace?

I don't see a DG on R2. How would R2 know where to send the return packet?
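The half-open SaAB connections discussed in this thread, as an added example that is not part of the original posts: a small Python triage of PIX "show conn" lines that flags inbound connections whose SYN-ACK never came back from the inside host. The flag legend is the standard PIX/ASA show conn legend; the three SaAB lines are the ones quoted above and the fourth, established line is constructed.

```python
import re

# Subset of the PIX/ASA "show conn" flag legend relevant to a stalled handshake.
FLAG_MEANING = {
    "B": "initial SYN came from the outside interface",
    "S": "awaiting inside SYN (server's SYN-ACK not yet seen)",
    "a": "awaiting inside ACK to SYN",
    "A": "awaiting outside ACK to SYN",
    "s": "awaiting outside SYN",
    "U": "connection is up (three-way handshake completed)",
}

CONN_RE = re.compile(
    r"TCP out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"idle (?P<idle>\d+:\d+:\d+) Bytes (?P<bytes>\d+) flags (?P<flags>\w+)"
)

def parse_conn(line):
    """Parse one 'show conn' TCP line into a dict, or None if it does not match."""
    m = CONN_RE.search(line)
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    return conn

def flag_meanings(flags):
    """Expand a flag string such as 'SaAB' into its human-readable meanings."""
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]

def diagnose(conn):
    """Classify a connection; SaAB with zero bytes means the inbound SYN was
    passed to the server but no SYN-ACK came back, so look at the server and
    the return route (here the R2/R3 path) rather than at the firewall ACL."""
    flags = conn["flags"]
    if "U" in flags:
        return "established"
    if "B" in flags and "S" in flags and conn["bytes"] == 0:
        return "half-open inbound: no SYN-ACK from server (check return route)"
    if "B" not in flags and "s" in flags:
        return "half-open outbound: no SYN-ACK from outside host"
    return "in progress"

# Three lines quoted from the thread plus one constructed established connection.
SAMPLE = """\
TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB
TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB
TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB
TCP out 203.0.113.10:51000 in 172.24.248.178:443 idle 0:00:02 Bytes 1234 flags UIOB
"""

def triage(text):
    """Return (inside ip, inside port, diagnosis) for every parsable conn line."""
    conns = (parse_conn(line) for line in text.splitlines())
    return [(c["in_ip"], c["in_port"], diagnose(c)) for c in conns if c]
```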

