NAT across subnets

qbakies11
Level 1

I have two offices in different cities. I'm trying to use an external IP address from an Internet circuit in city A to connect to a website hosted on a server in city B. City A and city B are connected through a P2P T1 WAN line and they are on different subnets.

I have set up the static NAT translation on the firewall in city A to point to the correct IP of the website in city B, and added the IP to my access-list for port 80 access.

When I try to access the site by external IP it times out but I see the access-list statement increment so I know it's being activated. I can open the website internally from either city. I can also ping from the firewall in city A to the website in city B successfully. Is there any way for me to get this to work?

10 Replies

Rick Morris
Level 6

I understand that this may sound trivial, but have you tried to add the reverse in the ACL for traffic back from city B?

for instance

permit tcp 10.10.10.0 0.0.0.255 host 63.10.10.10 eq 80

permit tcp host 63.10.10.10 10.10.10.0 0.0.0.255 eq 80

I am not saying this will work but I have had to do this in the past.

Thanks for the reply but it didn't help.

Have you done any debugs to see what is being sent and coming back?

I'm a bit embarrassed to say I'm not sure how to do that. I tried viewing the real time log in the ASDM but it didn't give me any useful information.

No need to be embarrassed; this is the point of the forums, to help each other along. There are a lot of smart people on here willing to assist.

I am one of the new guys still learning.

Try this:

ping (remote ip)

then

debug ip packet detail

http://www.cisco.com/en/US/tech/tk801/tk379/technologies_tech_note09186a008017874c.shtml#debugippacket

This will give you a lot of info so you will need to look through the logs. You are looking to see if the icmp made it out and what is responding back, if anything. This will help narrow down which side, or what part of the acl is having the issue.

******DON'T FORGET to do undebug all before you check your logs!!!!!

That command doesn't seem to work on the firewall, I think it is just a router command.

You are correct. I am sorry I missed that part. Let me get on my firewall and get you the command.

Try debug icmp trace

then make sure to undebug all
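The debug advice above boils down to one question: did each echo request get a matching echo reply? Below is an added example, not code from the thread or from Cisco, that pairs requests with replies in debug icmp trace style output by ICMP ID and sequence number so that the unanswered pings stand out. The log lines are constructed, patterned on the ASA's "ICMP echo request from IF:addr to IF:addr ID=n seq=n len=n" format; the interface names and addresses are sample values.

```python
"""Correlate ICMP echo requests with replies from 'debug icmp trace' style output.

Added example (not from the thread): given the captured debug text, report which
(ID, seq) pairs never saw a reply. SAMPLE_DEBUG is constructed test input whose
layout follows the ASA's debug format; addresses and interface names are made up.
"""
import re
from collections import OrderedDict

SAMPLE_DEBUG = """\
ICMP echo request from inside:10.10.10.5 to outside:63.10.10.10 ID=7 seq=1 len=32
ICMP echo reply from outside:63.10.10.10 to inside:10.10.10.5 ID=7 seq=1 len=32
ICMP echo request from inside:10.10.10.5 to outside:63.10.10.10 ID=7 seq=2 len=32
ICMP echo request from inside:10.10.10.5 to outside:63.10.10.10 ID=7 seq=3 len=32
ICMP echo reply from outside:63.10.10.10 to inside:10.10.10.5 ID=7 seq=3 len=32
"""

# One regex for both directions; the 'kind' group tells request from reply.
LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)


def correlate(text):
    """Group debug lines by (ICMP id, seq); each entry holds its request and reply.

    Lines that do not match the echo request/reply pattern are ignored, so other
    debug noise interleaved with the trace does not break the pairing.
    """
    flows = OrderedDict()
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        key = (int(match["id"]), int(match["seq"]))
        entry = flows.setdefault(key, {"request": None, "reply": None})
        entry[match["kind"]] = match.groupdict()
    return flows


def unanswered(text):
    """Return the (id, seq) keys that have a request but no reply, in capture order."""
    return [key for key, entry in correlate(text).items()
            if entry["request"] is not None and entry["reply"] is None]


def summarize(text):
    """Human-readable line per probe: where it went out and whether it came back."""
    lines = []
    for (icmp_id, seq), entry in correlate(text).items():
        req = entry["request"]
        if req is None:
            lines.append(f"id={icmp_id} seq={seq}: reply seen without a request")
            continue
        status = "replied" if entry["reply"] else "NO REPLY"
        lines.append(f"id={icmp_id} seq={seq}: {req['src_if']}:{req['src']} -> "
                     f"{req['dst_if']}:{req['dst']} {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DEBUG)))
    print("unanswered:", unanswered(SAMPLE_DEBUG))
```

A probe that leaves on the outside interface and never returns points at the far side (routing or the remote host); a request that never appears on the outgoing interface at all points at the local firewall's ACL or translation.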

sdoremus33
Level 3

If it is no trouble, could you provide the following:

1) The two devices A and B (routers, PIX, ASA appliances, etc.)

2) The ACL you created and the actual NAT translation. Thanks

So you are essentially using static NAT to translate the redirected outside IP address sourced from Site to the outside interface of the PIX, then redirecting that to an inside address on Site B, correct?

Also remember the order of operations with NAT and PAT.
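The order of operations matters because it decides which destination address the ACL is compared against: the mapped address on the Internet circuit or the real address of the web server behind the static NAT. PIX and ASA releases before 8.3 match an inbound ACL against the mapped address; ASA 8.3 and later match it against the real address. The following is an added example, not code from the thread or from Cisco, that models the two steps under discussion (the static NAT and the port-80 ACL with Cisco wildcard-mask semantics, as in the ACL lines suggested earlier in the thread) so both orderings can be compared. All addresses are constructed sample values, including the mapped address 63.10.10.10 borrowed from the earlier reply.

```python
"""Model an inbound HTTP request passing a static NAT and a wildcard-mask ACL.

Added example (not from the thread): shows how the same ACL permits or denies the
same packet depending on whether the ACL is evaluated before or after the static
translation. Every address here is a constructed sample value.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def _take_addr(tokens):
    """Consume one address term: 'host X', 'any', or 'NET WILDCARD'."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int]

    @classmethod
    def parse(cls, line: str) -> "Ace":
        """Parse an entry such as 'permit tcp 10.10.10.0 0.0.0.255 host 63.10.10.10 eq 80'."""
        toks = line.split()
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return cls(action, proto, src, dst, dport)

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and _wildcard_match(pkt.src, *self.src)
                and _wildcard_match(pkt.dst, *self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_permits(acl_lines, pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in map(Ace.parse, acl_lines):
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    mapped: str  # address on the Internet circuit in city A
    real: str    # address of the web server on the inside, in city B

    def untranslate(self, pkt: Packet) -> Packet:
        """Inbound direction: rewrite the mapped destination to the real one."""
        if pkt.dst == self.mapped:
            return Packet(pkt.proto, pkt.src, self.real, pkt.dport)
        return pkt


def inbound_decision(acl_lines, nat: StaticNat, pkt: Packet, acl_after_nat: bool):
    """Return (permitted, packet_as_forwarded).

    acl_after_nat=True models platforms that compare the ACL against the real
    address (ASA 8.3 and later); False models those that compare against the
    mapped address (PIX and ASA before 8.3).
    """
    translated = nat.untranslate(pkt)
    seen_by_acl = translated if acl_after_nat else pkt
    return acl_permits(acl_lines, seen_by_acl), translated


# Constructed sample values: the mapped address from the thread, a made-up inside
# server address in city B, and a made-up Internet client.
NAT = StaticNat(mapped="63.10.10.10", real="192.168.20.50")
REQUEST = Packet("tcp", "198.51.100.7", "63.10.10.10", 80)
ACL_MAPPED = ["permit tcp any host 63.10.10.10 eq 80"]
ACL_REAL = ["permit tcp any host 192.168.20.50 eq 80"]

if __name__ == "__main__":
    for name, acl in (("mapped-address ACL", ACL_MAPPED), ("real-address ACL", ACL_REAL)):
        for after in (False, True):
            ok, fwd = inbound_decision(acl, NAT, REQUEST, acl_after_nat=after)
            print(f"{name:18} acl_after_nat={after!s:5} -> "
                  f"{'permit' if ok else 'deny':6} forwarded to {fwd.dst}")
```

Run it and each ACL permits under exactly one ordering; writing the entry for the wrong address leaves the packet hitting the implicit deny even though the NAT itself is correct, which is why the device type and software version asked for above matter.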
