NAT across subnets

Unanswered Question
Jan 12th, 2009
I have two offices in different cities. I'm trying to use an external IP address from an Internet circuit in city A to connect to a website hosted on a server in city B. City A and city B are connected through a P2P T1 WAN line and they are on different subnets.

I have set up the static NAT translation on the firewall in city A to point to the correct IP of the website in city B, and added the IP to my access-list for port 80 access.

When I try to access the site by external IP it times out, but I see the access-list statement increment so I know it's being activated. I can open the website internally from either city. I can also ping from the firewall in city A to the website in city B successfully. Is there any way for me to get this to work?

Rick Morris Mon, 01/12/2009 - 15:46

I understand that this may sound trivial, but have you tried adding the reverse in the ACL for traffic back from city B?

For instance:

permit tcp 10.10.10.0 0.0.0.255 host 63.10.10.10 eq 80

permit tcp host 63.10.10.10 10.10.10.0 0.0.0.255 eq 80

I am not saying this will work, but I have had to do this in the past.

Rick Morris Tue, 01/13/2009 - 09:01

Have you done any debugs to see what is being sent and what is coming back?

qbakies11 Tue, 01/13/2009 - 09:03
I'm a bit embarrassed to say I'm not sure how to do that. I tried viewing the real time log in the ASDM but it didn't give me any useful information.

Rick Morris Tue, 01/13/2009 - 09:11

No need to be embarrassed; this is the point of the forums, to help each other along. There are a lot of smart people on here willing to assist.

I am one of the new guys still learning.

Try this:

ping (remote ip)

then

debug ip packet detail

http://www.cisco.com/en/US/tech/tk801/tk379/technologies_tech_note09186a008017874c.shtml#debugippacket

This will give you a lot of info, so you will need to look through the logs. You are looking to see if the ICMP made it out and what is responding back, if anything. This will help narrow down which side, or what part of the ACL, is having the issue.

******DON'T FORGET to do undebug all before you check your logs!!!!!

qbakies11 Tue, 01/13/2009 - 10:13

That command doesn't seem to work on the firewall; I think it is just a router command.

Rick Morris Tue, 01/13/2009 - 10:19

You are correct. I am sorry I missed that part. Let me get on my firewall and get you the command.

Rick Morris Tue, 01/13/2009 - 10:22

Try debug icmp trace

then make sure to undebug all

sdoremus33 Tue, 01/13/2009 - 12:10

If it is no trouble, could you provide the following:

1) The two devices A and B (routers, PIX, ASA appliances, etc.)

2) The ACL you created and the actual NAT translation. Thanks.

So you are essentially using static NAT to translate the redirected outside IP address sourced from Site to the outside interface of the PIX, then redirecting that to an inside address on Site B, correct?

Also remember the order of operation with NAT and PAT.
