NAT exempt question

Answered Question

Hi,


I currently have a static NAT, for example (web1-internal) to (web1-external) - see the static NAT below.


This allows external hosts to connect to a public address, which then gets translated to the internal host address.


What I want to do now is permit HTTP traffic from this internal host to the outside, but for some reason it is not working.


I have tried adding a NAT exempt rule using the inside host, translated on the outbound interface, with no luck.


And also adding an access-list to the inside interface of:


access-list inbound_inside permit tcp host web1 any eq www


The current static NAT rule is:


static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500



Example IP addresses:


web1 : 172.16.34.208

web1-xlate : 203.14.59.50




Let me know if you need more info or config.


Thanks, Simon

Federico Coto F... Wed, 06/30/2010 - 18:42

Simon,


The static NAT that you mention is bidirectional.

This means that it will work for allowing inbound traffic to the public IP and outbound traffic from the server.


To allow outbound traffic nothing needs to be done because it is permitted by default.

(If you already have an ACL applied to the inside interface, then the traffic needs to be explicitly permitted in it.)


To allow inbound traffic, you should explicitly allow the traffic in the ACL applied to the outside interface.


Federico.
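The following is an added example, not part of the original post or of Simon's running configuration. It writes out, in the pre-8.3 ASA/PIX syntax this thread uses, the pieces Federico describes as one coherent configuration: the bidirectional static, the outside ACL that permits inbound HTTP to the mapped address, an inside ACL that explicitly permits the server's outbound HTTP (only required because an ACL is bound to the inside interface at all), and the access-group lines that bind them. The real and mapped addresses come from the question; the name aliases and the outside host 198.51.100.10 used as a packet-tracer target are assumptions. The show and packet-tracer commands at the end are the standard ASA checks for confirming which of ACL, NAT or routing is dropping a given flow.

```text
! Pre-8.3 ASA/PIX syntax, matching the thread. web1 and web1-xlate are the
! addresses from the question; 198.51.100.10 below is an assumed test target.
names
name 172.16.34.208 web1
name 203.14.59.50 web1-xlate

! A static is bidirectional: outside hosts reach web1 via web1-xlate, and
! web1's own outbound connections are also translated to web1-xlate.
! "tcp 1000 500" limits web1 to 1000 TCP connections, 500 of them embryonic
! (half-open); these are connection limits, not ports.
static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500

! Inbound (lower -> higher security level) is denied by default, so the ACL
! on the outside interface must permit it. Pre-8.3 ACLs on the outside
! interface match the MAPPED address.
access-list inbound_outside extended permit tcp any host web1-xlate eq www
access-group inbound_outside in interface outside

! Outbound (higher -> lower security level) is permitted by default ONLY
! while no ACL is bound to the inside interface. As soon as one is bound,
! the implicit deny at its end drops everything not listed, so web1's HTTP
! must be permitted explicitly and every other inside host that needs
! Internet access needs its own permit line as well.
access-list inbound_inside extended permit tcp host web1 any eq www
access-group inbound_inside in interface inside

! Verification, in the order a practitioner would run it:
! 1. Is any ACL bound to "inside" (and is it the one you expect)?
show running-config access-group
! 2. Is the static present exactly as intended?
show running-config static
! 3. Has a translation been built for web1 (appears after traffic flows)?
show xlate
! 4. Simulate web1 opening HTTP to an assumed outside host; the output
!    shows each phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) and which one drops.
packet-tracer input inside tcp 172.16.34.208 40000 198.51.100.10 80
```

Reading the packet-tracer phases top to bottom tells you whether the flow dies on the inside ACL (the access-list phase reports DROP), on translation (no matching NAT or xlate), or on routing; that is more informative than toggling NAT exempt rules, which in any case are for preserving real addresses across a tunnel rather than for enabling outbound access.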

Hi Federico,


I already have an ACL on the outside interface:


access-list inbound_outside permit tcp any host web1-xlate eq www


This rule works fine.


But going the other way, initiating the connection from the internal web1 (172.16.34.208) to the outside, doesn't work.


E.g. I want to HTTP to the outside from web1 internally, but it doesn't work.


Any more suggestions?


Thanks for your prompt reply - much appreciated.


SG

Correct Answer
Federico Coto F... Wed, 06/30/2010 - 19:10

The internal 172.16.34.208 can't get out to the Internet?

But you said it is reachable from the Internet, correct?


Is there an ACL applied to the inside interface? You can check with "sh run access-group".


The other machines on the inside interface have Internet access as well?


Federico.
