
Static Nat

sureshkumar
Level 1

Hi,

ISP--R1--Firewall--R2--R3--Pc(webserver)

The ISP is terminated on the R1 router. To provide internet access for users, dynamic NAT is configured on the router (R1) itself. The primary IP on R1's F0 is the public IP, and the secondary IP is a private IP that is terminated on the firewall interface (private IP). Now I need to provide static NAT for my webserver. Is it possible to do it on the firewall? I think we can't... I have to do it only on the router.

17 Replies

abinjola
Cisco Employee

Well, the public IP address would be translated on the router to the firewall interface IP (or any other free IP from that pool), and then on the firewall we need:

static (inside,outside) tcp interface 80 <webserver_real_ip> 80

access-list abc permit tcp any host <mapped_public_ip> eq 80

access-group abc in interface outside

(In the static, "interface" is the firewall's outside interface IP; a free public IP from the pool can be used in its place, and the same address goes in the access-list.)

Hi,

Your responses are always very helpful for me. Thanks again and again. So as per my scenario I require 2 public IPs to do NAT on the firewall (1 for the firewall interface and 1 for the static NAT). But I have only one free IP. So I did the static NAT at the router level itself. Let me explain my problem.

My firewall is in the data center (DC). The webserver is in the branch, as I said in the diagram. If I place the webserver in the DC I can access it from outside, but if I place the webserver in the branch (R3 router) I am unable to access it from outside (I am getting connections in the firewall with flags saAB). I think it is some routing issue. As per the current setup we have a route in the router to connect to the DC network. I think we have to add a route in the router so that the requests from the internet go back out to the outside (kindly let me know the route). Please provide me your valuable information.

Hi,

Kindly provide me a solution as soon as possible.

You don't need 2 free IPs. You can do static PAT using the firewall's outside IP.

Thanks. As of now I can't change the interface IP of the firewall, so I already did it on the router, but I am unable to access it from outside. There are still some routing issues. Can you please help me out?

To what IP address is the router translating the request?

Give me the "sh run static" / "sh static" output and "sh run access-group".

Hi,

PIX FW (535) -- 3 interfaces (inside, outside, branch)

3 Routers(R1,R2 and R3)

Webserver -- in branch (R3)

Between R2 and R3 -- OSPF. Is there anything that needs to be added?

R1 -- NAT, PAT and routes (default towards the serial interface, network-based towards the firewall interface)

PIX -- (ACL from outside to inside, default route towards outside, network routes towards branch and inside, nonat for translation on the higher-security interface)

If I access the webserver from outside I find a conn in the firewall (conn status: saAB). I am even finding the outside world IP in my webserver log also. Some return traffic flow is not happening.

Hi,

In R1

#sh run | incl static

ip nat outside static 172.x.x.x 203.x.x.x

The rest of the things I am unable to do.

Suresh, as a test allow ICMP through the firewall and ping the web server. Also, can you ping the webserver from the firewall?

Can you tell me the real IP address of the web server? If possible, post your config here.

Hi,

Thank you very much. Kindly find the attached file. At my client's site I am taking care only of the PIX; the router parts are all taken care of by another vendor. The static NAT is at the router level. Let me know the router-level routes and verify the PIX config also. If I try to access from outside I am finding conns with status saAB:

TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB

TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB

TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB

I am finding the public IP (123.176.41.235) in the webserver log also. I think the return traffic is not flowing.
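
The three conn entries above can be decoded mechanically. The following Python script is an added example (not code from the thread or from Cisco): it parses PIX 6.x-style "show conn" lines and classifies each TCP entry by where the three-way handshake stalled, using the flag meanings from the Cisco "show conn" command reference (B = initial SYN from outside, S = awaiting inside SYN, a/A = awaiting outside/inside ACK to SYN, U = up). The sample input is constructed: the three lines posted above plus one made-up established connection (flags UIOB) for contrast. A SaAB entry with "Bytes 0" means the firewall permitted and forwarded the outside SYN but never saw the inside host's SYN-ACK, which is exactly the "return traffic is not flowing" symptom.

```python
"""Decode PIX/ASA `show conn` output and flag embryonic connections.

Added example, not from the thread. Flag meanings follow the Cisco
`show conn` command reference for PIX/ASA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP-relevant subset of `show conn` flags (Cisco PIX/ASA command reference).
CONN_FLAGS = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "U": "up (three-way handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# Matches the PIX 6.x line format pasted in the thread.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+(?P<idle>[\d:]+)\s+"
    r"Bytes\s+(?P<nbytes>\d+)\s+flags\s+(?P<flags>\S+)$"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle: str
    nbytes: int
    flags: str


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one `show conn` line; return None for lines that don't match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Conn(g["proto"], g["out_ip"], int(g["out_port"]), g["in_ip"],
                int(g["in_port"]), g["idle"], int(g["nbytes"]), g["flags"])


def describe_flags(flags: str) -> List[str]:
    """Expand a flag string such as 'SaAB' into human-readable meanings."""
    return [CONN_FLAGS.get(f, f"unknown flag {f!r}") for f in flags]


def diagnose(conn: Conn) -> str:
    """Classify a TCP conn entry by where the three-way handshake stalled."""
    if conn.proto != "TCP":
        return "NOT_TCP"
    fl = set(conn.flags)
    if "U" in fl:
        return "ESTABLISHED"
    if "B" in fl and "S" in fl and conn.nbytes == 0:
        # Outside SYN was permitted and forwarded (B), but the firewall is
        # still waiting for the inside host's SYN-ACK (S): nothing came back.
        return "NO_SYNACK_FROM_INSIDE"
    if "B" in fl and "a" in fl and "S" not in fl:
        # Inside host answered; waiting for the outside client's final ACK.
        return "AWAITING_OUTSIDE_ACK"
    if "s" in fl and "B" not in fl:
        # Outbound SYN forwarded, no SYN-ACK from the outside host.
        return "NO_SYNACK_FROM_OUTSIDE"
    return "OTHER"


def report(lines: List[str]) -> List[Tuple[Conn, str]]:
    """Parse and diagnose every recognisable conn line."""
    out = []
    for line in lines:
        c = parse_conn(line)
        if c is not None:
            out.append((c, diagnose(c)))
    return out


# Constructed sample: the three lines posted in the thread plus one
# made-up established connection for contrast.
SAMPLE = [
    "TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB",
    "TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB",
    "TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB",
    "TCP out 123.176.41.235:4582 in 172.24.248.178:443 idle 0:00:03 Bytes 1834 flags UIOB",
]

if __name__ == "__main__":
    for conn, verdict in report(SAMPLE):
        print(f"{conn.out_ip}:{conn.out_port} -> {conn.in_ip}:{conn.in_port} "
              f"[{conn.flags}] {verdict}: {'; '.join(describe_flags(conn.flags))}")
```

Run it against the pasted lines and all three come back as NO_SYNACK_FROM_INSIDE, which points away from the PIX ACL (the SYN was permitted) and towards the path from the webserver back to the firewall, consistent with the "unable to ping the webserver from the firewall" result later in the thread.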

Hi,

Kindly ignore the previous post; the attachment was not there.


Config looks good. Are we able to ping the webserver from the firewall?

Can you get me "sh ip route" from both R2 and R3?

Hi,

I am unable to ping the webserver from the firewall.

But I can ping the R3 router from R1, and from R1 to R3.

Kindly find the attached file for R2 and R3. In R3 there are no static routes; as I said before, OSPF.

From the webserver, can you ping R1?

Run "debug icmp trace" on the firewall while you initiate a ping from the webserver to R1 and to 4.2.2.2 simultaneously.
