Query on NAT

pokwan (Level 1)

Hi,

Can you advise what the problem is with this configuration? I am trying to NAT an external IP from the internet to another IP on the firewall.

Here's the configuration

access-list vpn permit ip host 202.2.2.2 host 203.1.1.1
access-list nonat permit ip any any
nat (outside) 0 access-list nonat outside 0 0
nat (outside) 1 access-list vpn outside 0 0
global (inside) 1 203.3.3.3 netmask 255.255.255.240

TIA

PF

8 Replies

Fernando_Meza (Level 7)

Hi ..

I am not too sure what you are trying to achieve. If you want to do a one-to-one mapping and allow inbound traffic from the internet, then you need something like this:

static (inside,outside) netmask 255.255.255.255
access-list outside-in permit any host eq
access-group outside-in in interface outside

Where:

Global IP address: the address you want the Internet users to connect to.
Local IP address: the real address used on the server's NIC.

The above lines will allow inbound access from the Internet to the Global IP address using the required ports.

I hope it helps .. please rate helpful posts

Fernando,

What you have is NATting an outbound IP address to another IP address as it traverses from inside to outside.

What I wanted to do is to NAT an inbound IP (from the internet) to an internal IP address as the traffic comes in on the outside interface. Instead of using the actual IP, I want the IP to change to another IP as it traverses the network as permitted.

TIA.

PF

Hello Poh-Fun,

nat (outside) 0 access-list nonat outside 0 0

With the command above, you tell the router not to NAT any traffic as it traverses from outside to inside. It is "any" traffic, so your desired traffic will never reach the "nat (outside) 1 access-list vpn outside 0 0" statement and get translated. Remove the "nat (outside) 0 access-list nonat outside 0 0" command, and use a /32 subnet mask in the global statement.

Regards

global (inside) 1 203.3.3.3 netmask 255.255.255.240

Husy,

Thanks very much for your reply. If I remove the statement nat (outside) 0 access-list nonat outside 0 0, other outside users will not be able to access the inside network.

Will it make a difference if I have

nat (outside) 0 0.0.0.0 0.0.0.0 outside

in place of nat (outside) 0 access-list nonat outside?

TIA

PF

Poh-Fun,

Hmm, try adding the following statement as the first line of the nonat ACL:

access-list nonat line 1 deny ip host 202.2.2.2 host 203.1.1.1
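To make the reasoning in the two replies above concrete, here is a small Python model (added for this page, not code from the thread or from Cisco) of the NAT order they describe: the exemption rule (nat 0 access-list) is evaluated before the policy NAT rule (nat 1 access-list), and within an ACL the first matching entry wins. It assumes only the "host"/"any" ACE forms used in the thread and models the intended logic, not what the poster's FWSM actually did.

```python
# Constructed model of PIX/FWSM outside NAT evaluation as described in the thread:
# nat 0 (exemption) is consulted first, then nat 1 (policy NAT); first ACL match wins.

def parse_ace(line):
    """Parse 'access-list NAME [line N] permit|deny ip <src> <dst>' where
    <src>/<dst> are 'any' or 'host A.B.C.D'. Returns (name, pos, action, src, dst);
    pos is the 1-based insert position from 'line N', or None to append."""
    tok = line.split()
    name, pos = tok[1], None
    if tok[2] == "line":                # 'line N' inserts at position N
        pos = int(tok[3])
        del tok[2:4]
    action = tok[2]
    rest = tok[4:]                      # skip the 'ip' keyword

    def endpoint(r):                    # 'any' -> wildcard, 'host X' -> X
        return (None, r[1:]) if r[0] == "any" else (r[1], r[2:])

    src, rest = endpoint(rest)
    dst, _ = endpoint(rest)
    return name, pos, action, src, dst

def build_acls(lines):
    """Build {acl_name: [(action, src, dst), ...]} honouring 'line N' inserts."""
    acls = {}
    for line in lines:
        name, pos, action, src, dst = parse_ace(line)
        entries = acls.setdefault(name, [])
        if pos is None:
            entries.append((action, src, dst))
        else:
            entries.insert(pos - 1, (action, src, dst))
    return acls

def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, d in entries:
        if (s is None or s == src) and (d is None or d == dst):
            return action == "permit"
    return False

def nat_decision(nat_rules, acls, src, dst):
    """nat_rules: [(nat_id, acl_name)]; exemption (id 0) is checked first."""
    for nat_id, acl in sorted(nat_rules, key=lambda r: r[0] != 0):
        if acl_permits(acls[acl], src, dst):
            return "exempt (no translation)" if nat_id == 0 else f"translate via nat {nat_id}"
    return "no nat rule matched"

NAT_RULES = [(0, "nonat"), (1, "vpn")]    # as in the original post
BROKEN = ["access-list vpn permit ip host 202.2.2.2 host 203.1.1.1",
          "access-list nonat permit ip any any"]
FIXED = BROKEN + ["access-list nonat line 1 deny ip host 202.2.2.2 host 203.1.1.1"]
```

With BROKEN, the flow from 202.2.2.2 to 203.1.1.1 is swallowed by the "permit ip any any" exemption and never reaches nat 1; with the line-1 deny inserted it falls through to the vpn ACL and is translated, while every other outside host stays exempt.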

Husy,

I have tried that before and it makes no difference. Removing the statement nat (outside) 0 ... for some reason worked once for some websites. So I removed the statement and re-entered it again and it didn't work at all... external users cannot access anything on the internal network except for the IP I have translated.

I have something similar on the PIX firewall (the above problem was on a FWSM) and it works. Here's the config:

PIX# sh run | inc nat
nat (outside) 0 access-list nonat outside
nat (outside) 1 access-list vpn outside 0 0

PIX# sh run | inc global
global (inside) 1 192.168.17.9

PIX# sh access-list nonat
access-list nonat; 18 elements
access-list nonat line 1 permit ip any host 202.n.n.150 (hitcnt=53004045)
access-list nonat line 2 permit ip any host 202.n.n.152 (hitcnt=16913986)
access-list nonat line 3 permit ip any host 202.n.n.159 (hitcnt=2182759)
access-list nonat line 4 permit ip any host 202.n.n.160 (hitcnt=43935)
access-list nonat line 5 permit ip any host 202.n.n.161 (hitcnt=5868)
access-list nonat line 6 permit ip any host 202.n.n.163 (hitcnt=3024526)
access-list nonat line 7 permit ip any host 202.n.n.164 (hitcnt=16284)
access-list nonat line 8 permit ip any host 202.n.n.166 (hitcnt=348659)
access-list nonat line 9 permit ip any host 202.n.n.167 (hitcnt=9113)
access-list nonat line 10 permit ip any host 202.n.n.168 (hitcnt=3152444)
access-list nonat line 11 permit ip any host 202.n.n.169 (hitcnt=271793)
access-list nonat line 12 permit ip any host 202.n.n.171 (hitcnt=46280)
access-list nonat line 13 permit ip any host 202.n.n.172 (hitcnt=105019)
access-list nonat line 14 permit ip any host 202.n.n.174 (hitcnt=54859603)
access-list nonat line 15 permit ip any host 202.n.n.179 (hitcnt=0)
access-list nonat line 16 permit ip any host 202.n.n.180 (hitcnt=17722)
access-list nonat line 17 permit ip any host 202.n.n.170 (hitcnt=168883)
access-list nonat line 18 permit ip any host 202.n.n.156 (hitcnt=0)

PIX# sh access-list vpn
access-list vpn; 1 elements
access-list vpn line 1 permit ip any host 202.n.n.133 (hitcnt=264110)

TIA.

PF

I actually couldn't understand the external users part. Can you explain this a little more? Where is the firewall located?

Husy,

This firewall is to protect the corp network from the internet. We have a client with an external IP which, when accessing the xxx application, comes in via the yyy link into our network. However, when they wanted to use VPN they directed this external IP to come in via our internet link. In other words, depending on the application, the external IP will come in from a different link.

We have a static route specifically to route this external IP to the yyy link, hence VPN will never work. My idea was to translate this external IP to another IP xxx when it comes into the firewall, before traversing the network. With the NATted IP xxx, we should not have to worry about the external IP being routed to yyy.

TIA

PF
