Static PAT/ACL help

tahirs001
Level 1
Hello,
I have a client that needs access to a particular server on the DMZ from the outside interface. I have created a static PAT statement, 1200 translated to 1200 (I have created the 1200 port so they can access this particular server), and created an access-list from outside to the DMZ. When I run packet tracer it fails at the last part, at the NAT.

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config:
static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2
nat-control match tcp DMZ host 2.2.2.2 eq 1200
Outside host 80.80.80.80 static translation to 90.90.90.90/1200 translate_hits = 0, untranslate_hits = 11
Config:
static (DMZ,Outside) tcp interface 1200 access-list DMZ_nat_static_2
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 host 2.2.2.2 host 80.80.80.80
access-list DMZ_nat_static_2 extended permit tcp host 2.2.2.2 host eq 1200 host 80.80.80.80
access-list Outside_access_in extended permit tcp host 80.80.80.80 host 2.2.2.2
I'm not sure if the above access-list/PAT are correct.
Thanks

4 Replies

Jennifer Halim
Cisco Employee

Doesn't look correct.

Can you please advise what is the ip address of the outside interface, and the ip address of the DMZ server?

I will give made-up IPs:

Remote IP:  22.22.22.22

My outside IP: 11.11.11.11

My DMZ Server: 33.33.33.33

OK, based on the following information:

Remote IP:   22.22.22.22

My outside IP: 11.11.11.11

My DMZ Server: 33.33.33.33

You can configure the following:

static (DMZ,Outside) tcp interface 1200 33.33.33.33 1200 netmask 255.255.255.255

access-list Outside_access_in permit tcp host 22.22.22.22 host 11.11.11.11 eq 1200

I assume you already have the following:

access-group Outside_access_in in interface outside

Or, alternatively, if you need to be very specific that only traffic from 22.22.22.22 needs to be translated, then the following:

access-list DMZ-NAT permit tcp host 33.33.33.33 eq 1200 host 22.22.22.22 eq 1200

static (DMZ,Outside) tcp interface 1200 access-list DMZ-NAT
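The reason the answer's outside ACL names the outside interface address and port (11.11.11.11 eq 1200) rather than the DMZ server is an ordering rule on the ASA releases that still use the `static` command (8.2 and earlier): an ACL bound inbound on the outside interface is matched against the packet as it arrives, i.e. against the mapped address, and only afterwards is the static PAT untranslated to the real server. From 8.3 onward the order is reversed (ACLs use real addresses and `static` is replaced by object NAT), so this only applies to the syntax used in this thread. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation order, run once over a config whose outside ACL permits the real DMZ address (the same pattern as the `host 2.2.2.2` entry in the question) and once over the shape of the answer above. The made-up IPs are the thread's; the outside and DMZ interface addresses, and the simplified config syntax the parser accepts, are assumptions.

```python
"""Added example (not from the thread): a model of how a pre-8.3 Cisco ASA
evaluates an inbound packet against an interface ACL and a static PAT.
The outside ACL sees the mapped (outside interface) address and port;
the static is untranslated to the real DMZ server only afterwards.
IPs are the thread's made-up ones; interface addresses are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

INTERFACE_IPS = {"outside": "11.11.11.11", "dmz": "10.0.0.1"}  # assumed addresses


@dataclass
class StaticPat:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class AclEntry:
    name: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]


# Only the simple (non policy-ACL) form of static PAT and host/host ACEs are modelled.
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(
    r"access-list (\S+) (?:extended )?permit (tcp|udp) host (\S+) host (\S+)(?: eq (\d+))?")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")


def parse_config(text):
    """Pull static PATs, ACL entries and access-group bindings out of config text."""
    statics, acls, groups = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, proto, mapped_ip, mport, real_ip, rport = m.groups()
            if mapped_ip == "interface":  # "interface" keyword means the mapped interface's own IP
                mapped_ip = INTERFACE_IPS[mapped_if.lower()]
            statics.append(StaticPat(real_if, mapped_if, proto, mapped_ip,
                                     int(mport), real_ip, int(rport)))
        elif m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.append(AclEntry(name, proto, src, dst, int(port) if port else None))
        elif m := GROUP_RE.match(line):
            groups[m.group(2).lower()] = m.group(1)
    return statics, acls, groups


def trace_inbound(cfg_text, src_ip, dst_ip, dst_port, proto="tcp", ingress="outside"):
    """Return (verdict, real_target) for a packet arriving on `ingress`.
    Order mirrors a pre-8.3 ASA: interface ACL on the mapped packet first,
    then the static PAT untranslate to the real server."""
    statics, acls, groups = parse_config(cfg_text)
    acl_name = groups.get(ingress)
    permitted = any(
        e.name == acl_name and e.proto == proto and e.src == src_ip
        and e.dst == dst_ip and e.dst_port in (None, dst_port)
        for e in acls)
    if not permitted:
        return "DROP: access-list", None
    for s in statics:
        if (s.mapped_if.lower() == ingress and s.proto == proto
                and s.mapped_ip == dst_ip and s.mapped_port == dst_port):
            return "ALLOW", f"{s.real_ip}:{s.real_port} via {s.real_if}"
    return "DROP: no static translation", None


# Constructed configs. WRONG permits the real DMZ address in the outside ACL;
# RIGHT permits the mapped address and port, as in the answer above.
WRONG_CFG = """
static (DMZ,Outside) tcp interface 1200 33.33.33.33 1200 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp host 22.22.22.22 host 33.33.33.33 eq 1200
access-group Outside_access_in in interface outside
"""
RIGHT_CFG = """
static (DMZ,Outside) tcp interface 1200 33.33.33.33 1200 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp host 22.22.22.22 host 11.11.11.11 eq 1200
access-group Outside_access_in in interface outside
"""

if __name__ == "__main__":
    pkt = ("22.22.22.22", "11.11.11.11", 1200)  # what actually arrives on the outside interface
    print("wrong ACL:", trace_inbound(WRONG_CFG, *pkt))
    print("right ACL:", trace_inbound(RIGHT_CFG, *pkt))
    print("other source:", trace_inbound(RIGHT_CFG, "44.44.44.44", "11.11.11.11", 1200))
```

The model deliberately stops at the ACL and the untranslate step; it does not reproduce the rpf-check that packet-tracer reported in the question, which depends on the policy-ACL form of `static` that this parser does not accept.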

Thanks, I will give that a bash

I have sent you a PM. Can you have a look please?
