Two firewalls static translation to one server return path issue

Answered Question
Sep 7th, 2010

Perhaps someone could help me with a policy nat issue


Routing to default gateway when the traffic cam from a different firewall


My configuration is


ISP1 --> FW1 --> RTR1 --> L3 SWITCH <--> SERVER1
                              |
ISP2 --> FW2 -----------------+



IP Addresses ( examples )


ISP1 - 212.10.10.0/27

ISP2 - 208.10.10.0/27


FW1 out - 212.10.10.1/24

FW2 out - 208.10.10.10/24


FW1 in - 192.168.0.10/24

FW2 in - 192.168.1.10/24


RTR1 inside   - 192.168.1.11/24

RTR1 outside - 192.168.0.11/24


SERVER 192.168.1.220/24



SWITCH is a layer 3 switch  with multiple VLANS and route-map policies to route between VLANS and choose gateway based on VLAN.


The router has NAT enabled and a static translation mapping 192.168.0.220 to 192.168.1.220. From a machine in the 192.168.0.x network I can view a test web server on 192.168.1.220. Anything outside FW1 cannot get to the web server, even with all the static and nat commands in place.


Please could someone help me with this?


G

mangesh.kamble Tue, 09/07/2010 - 12:06

Dear Glenn,


The first thing which creates a doubt in my mind is the gateway on the Server, as RTR, FW2 and the Server are all in the same subnet and the Switch is basically being transparent.


So it will depend on what gateway is configured on the Server.


Another thing: as per standards, servers are usually configured with two NICs, so that one NIC can be configured as part of FW1 and the other as part of FW2; NATting becomes easy and availability of the server from both ISP links is easy to achieve.


Probably it's something to do with the Server gateway.


HTH.....


Regards,

Mangesh.

Glenn R Tue, 09/07/2010 - 15:34

Mangesh,


Thank you for your reply. The server's gateway is FW2, 192.168.1.10/24. To give you a bit more information: ISP2 and FW2 are part of the existing setup, and ISP1 is a link for a new provider that we plan to migrate to. Because there are so many servers, and numerous VHOST configurations on these servers, I cannot just do a cut-over migration from one ISP to the new ISP. There are around 200 DNS records that have to be moved over to the new range.


I have also tried using two NICs in the servers, with no luck, so I am looking at other options.


So FW1 and RTR1 were put in to try and accomplish a gradual migration.


Thank you in advance
Glenn

gatlin007 Tue, 09/07/2010 - 12:07

Usually a fault tolerant firewall pair is placed between the Internet router and the data center/campus L3 switch in order to avoid the problem you are describing.  Firewalls use 'stateful inspection' to prevent unsolicited connections from the Internet.  Two separate firewalls will not be aware of each others state; therefore a return packet to a firewall that didn't originate the flow will fail.

In addition to placing the firewalls between the routers and the L3 switch, firewall 'transparent mode' is a good idea vs. routed mode.



Chris

Glenn R Tue, 09/07/2010 - 15:35

Chris,


That is how our topology will look once we have been able to migrate over to our new IP range / ISP.

Nagaraja Thanthry Tue, 09/07/2010 - 19:07

Hello,


What kind of firewall are we looking at? What will be your default gateway?

The best option for us would be to use destination NAT along with source NAT. NAT all traffic entering from the internet through the second ISP to the inside interface IP of the second firewall. This way, the server thinks that the request is from the second firewall and will send the reply directly to the second firewall. The second firewall will then translate the IP back to the corresponding internet IP.


Hope this helps.


Regards,


NT

Glenn R Wed, 09/08/2010 - 02:01

Nagaraja,



FW2 is a Cisco ASA 5520 v7.0 and FW1 is a Cisco PIX v6.3.
All the servers' gateway is the Layer 3 switch VLAN IP address, which has a route-map to direct 0.0.0.0/0 traffic to FW2.


What you suggested is what I am trying to achieve. Please could you guide me on how to achieve this?

Correct Answer
Nagaraja Thanthry Wed, 09/08/2010 - 06:01

Hello,


Please try the following on the FW1 (PIX):


access-list pnat permit ip any host "server private ip"

access-list pnat permit ip any host "server public ip"


global (inside) 1 interface

nat (outside) 1 access-list pnat


If you are mapping the server port to the external IP of the PIX itself,

then,


access-list pnat permit tcp any host "server private ip" eq "port"

access-list pnat permit tcp any host "server public ip" eq "port"


global (inside) 1 interface

nat (outside) 1 access-list pnat


This should nat all incoming requests to the interface IP of the PIX.


Hope this helps.


Regards,


NT

Glenn R Wed, 09/08/2010 - 08:53

Nagaraja,


That did not work for me


OK, my PIX looks like so:



access-list in_outbound permit ip 192.168.0.0 255.255.255.0 any
access-list in_outbound permit ip 192.168.1.0 255.255.255.0 any
access-list outside_in permit tcp any host 212.10.10.22 eq 3000
access-list pnat permit ip any host 192.168.1.28
access-list pnat permit ip any host 212.10.10.22

ip address outside 212.10.10.1 255.255.255.224
ip address inside 192.168.0.10 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list pnat 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 212.10.10.22 192.168.1.28 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group in_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 212.10.10.2 1
route inside 192.168.1.0 255.255.255.0 192.168.0.11 1





The router config just routes the 192.168.0.0 and 192.168.1.0 traffic between one another, so a basic config of:


ip routing


eth0 - 192.168.0.11/24

eth1 - 192.168.1.11/24

ip route 0.0.0.0 0.0.0.0 192.168.0.10

Glenn R Thu, 09/09/2010 - 01:58

Thank you all for your help.


Nagaraja, you guided me on the correct path, but I had to add an outside option to the nat command to make this work. I think this may be PIX only.


nat (outside) 1 access-list pnat outside


All working now and thank you again
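
The mechanism this thread converges on, modelled as an added example (not code from the original posts or from Cisco): Chris's point that a reply arriving at a firewall which never saw the connection is dropped by stateful inspection, and Nagaraja's fix of pairing the static destination NAT with a source NAT to the PIX inside interface so that the server's reply is routed back through FW1. Addresses are the ones from Glenn's PIX config (212.10.10.22 -> 192.168.1.28, PIX inside 192.168.0.10, ASA inside 192.168.1.10, RTR1 192.168.1.11); the Internet client 203.0.113.5 and the server-segment routing table (192.168.0.0/24 via RTR1, default via FW2) are constructed assumptions for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addresses from the thread: Glenn's PIX config and the original topology post.
PUBLIC_IP = "212.10.10.22"     # static (inside,outside) 212.10.10.22 192.168.1.28
SERVER_IP = "192.168.1.28"
FW1_INSIDE = "192.168.0.10"    # PIX inside interface (global (inside) 1 interface)
FW2_INSIDE = "192.168.1.10"    # ASA inside interface, default gateway of the server segment
RTR1_INSIDE = "192.168.1.11"

# Assumed routing on the server segment (constructed for this model): 192.168.0.0/24
# is reachable via RTR1, because Glenn can reach the test web server from a
# 192.168.0.x host; everything else follows the default route towards FW2.
SERVER_ROUTES = {
    ip_network("192.168.1.0/24"): "direct",
    ip_network("192.168.0.0/24"): RTR1_INSIDE,
    ip_network("0.0.0.0/0"): FW2_INSIDE,
}


def next_hop(dst: str) -> str:
    """Longest-prefix match over SERVER_ROUTES."""
    addr = ip_address(dst)
    best = max((n for n in SERVER_ROUTES if addr in n), key=lambda n: n.prefixlen)
    return SERVER_ROUTES[best]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class StatefulFirewall:
    """Forwards a reply only if it saw the matching connection being opened."""
    name: str
    conns: set = field(default_factory=set)

    def open(self, pkt: Packet) -> None:
        self.conns.add((pkt.src, pkt.dst))

    def passes_reply(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.src) in self.conns


def trace(client: str, source_nat: bool) -> dict:
    """Send one request from an Internet client to 212.10.10.22 via FW1 and follow
    the reply. Returns whether it got back to the client and where it was dropped."""
    fw1, fw2 = StatefulFirewall("FW1"), StatefulFirewall("FW2")
    path = []

    # Inbound on FW1's outside interface, then the static destination NAT.
    pkt = Packet(client, SERVER_IP)
    if source_nat:
        # Policy NAT on the outside interface: the client's source becomes FW1's
        # inside address, so the server will answer to 192.168.0.10 instead.
        pkt = Packet(FW1_INSIDE, SERVER_IP)
    fw1.open(pkt)  # FW1 records the post-NAT connection
    path.append(("FW1 -> server", pkt))

    # The server answers whatever source address it saw.
    reply = Packet(SERVER_IP, pkt.src)
    hop = next_hop(reply.dst)
    path.append((f"server -> {hop}", reply))

    if hop == FW2_INSIDE:
        # FW2 never saw the SYN, so stateful inspection drops the reply.
        assert not fw2.passes_reply(reply)
        return {"delivered": False, "dropped_at": "FW2", "path": path}
    if hop == RTR1_INSIDE and fw1.passes_reply(reply):
        # FW1 matches its state table and undoes both translations on the way out.
        out = Packet(PUBLIC_IP, client)
        path.append(("FW1 -> client", out))
        return {"delivered": True, "dropped_at": None, "path": path, "client_sees": out}
    return {"delivered": False, "dropped_at": "FW1", "path": path}


if __name__ == "__main__":
    for nat in (False, True):
        result = trace("203.0.113.5", source_nat=nat)
        print(f"source_nat={nat}: delivered={result['delivered']}, dropped_at={result['dropped_at']}")
        for leg, p in result["path"]:
            print(f"  {leg:22} {p.src} -> {p.dst}")
```

Running it shows the reply leaving via FW2 and being dropped when only the static destination NAT is in place, and returning through RTR1 and FW1 once the source is rewritten to 192.168.0.10. The model deliberately ignores the ASA's own NAT, the L3 switch route-map and the `outside` keyword that Glenn found PIX 6.3 needs on the `nat (outside)` line; it only captures why the second translation is required. One operational consequence worth noting: with the source NAT in place the web server's logs will show 192.168.0.10 for every client arriving through FW1, so client attribution for those requests has to come from the PIX's own connection logging rather than from the server.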
