Two firewalls static translation to one server return path issue

Glenn R
Level 1

Perhaps someone could help me with a policy NAT issue.

Routing to default gateway when the traffic came from a different firewall.

My configuration is

ISP1 -- -->   FW1   -- -->  RTR1 -- --> L3 SWITCH <-- -- -- -- -- -- --> SERVER1

                                                             |

                                                             |

ISP2 -- -->   FW2  -- -- -- -- -- -- -- -- -- -- -->

IP Addresses ( examples )

ISP1 - 212.10.10.0/27

ISP2 - 208.10.10.0/27

FW1 out - 212.10.10.1/24

FW2 out - 208.10.10.10/24

FW1 in - 192.168.0.10/24

FW2 in - 192.168.1.10/24

RTR1 inside   - 192.168.1.11/24

RTR1 outside - 192.168.0.11/24

SERVER 192.168.1.220/24

SWITCH is a layer 3 switch with multiple VLANs and route-map policies to route between VLANs and choose the gateway based on VLAN.


The router has NAT enabled and a translation for 192.168.0.220 --- static map to --> 192.168.1.220. With a machine in the 192.168.0.x network I can view a test web server on 192.168.1.220. Anything outside FW1 cannot get the web server even with all static and nat commands working.

Please could someone help me with this.

G


mangesh.kamble
Level 1

Dear Glenn,

The first thing which creates a doubt in my mind is the gateway on the Server, as Rtr, FW2 and Server are all in the same subnet and the Switch is basically being transparent.

So now it will depend on what gateway is configured on the Server.

Another thing: as per standards, usually Servers are configured with 2 NICs so that one NIC can be configured as part of FW1 and another one as part of FW2, so natting becomes easy and also availability of the server from both ISP links is easy to achieve.

Probably it's something to do with the Server gateway.

HTH.....

Regards,

Mangesh.

Mangesh,


Thank you for your reply. The server's gateway is FW2 192.168.1.10/24. To give you a bit more information, the ISP2 and FW2 are part of the existing setup and the ISP1 is a link for a new provider that we plan to migrate to. Because there are so many servers and numerous VHOST configurations on these servers I cannot just do a cut-over migration from one ISP to the new ISP. There are around 200 DNS records that have to be moved over to the new range.

I have also tried using the two NICs in the servers with no luck so am looking at other options.


So the FW1, RTR1 was put in to try and accomplish a gradual migration.

Thank you in advance
Glenn

gatlin007
Level 4

Usually a fault-tolerant firewall pair is placed between the Internet router and the data center/campus L3 switch in order to avoid the problem you are describing. Firewalls use 'stateful inspection' to prevent unsolicited connections from the Internet. Two separate firewalls will not be aware of each other's state; therefore a return packet to a firewall that didn't originate the flow will fail.

In addition to placing the firewalls between the routers and the L3 switch, firewall 'transparent mode' is a good idea vs. routed mode.

Chris

Chris,

That is how our topology will look once we have been able to migrate over to our new IP range / ISP.

Hello,

What kind of firewall are we looking at? What will be your default gateway?

The best option for us would be to use destination NAT along with source NAT. NAT all traffic entering from the internet through the second ISP to the inside interface IP of the second firewall. This way, the server thinks that the request is from the second firewall and will send the reply directly to the second firewall. The second firewall will then translate the IP back to the corresponding internet IP.

Hope this helps.

Regards,

NT

Nagaraja,


FW2 is a Cisco ASA 5520 v7.0 and FW1 is a Cisco PIX v6.3.
All the servers' gateway is the Layer 3 switch VLAN IP address, which has a route-map to direct 0.0.0.0/0 traffic to FW2.

What you suggested is what I am trying to achieve. Please could you guide me as to how to achieve this?

Hello,

Please try the following on the FW1 (PIX):

access-list pnat permit ip any host "server private ip"

access-list pnat permit ip any host "server public ip"

global (inside) 1 interface

nat (outside) 1 access-list pnat

If you are mapping the server port to the external IP of the PIX itself,

then,

access-list pnat permit tcp any host "server private ip" eq "port"

access-list pnat permit tcp any host "server public ip" eq "port"

global (inside) 1 interface

nat (outside) 1 access-list pnat

This should nat all incoming requests to the interface IP of the PIX.

Hope this helps.

Regards,

NT

Nagaraja,

That did not work for me.

OK, my PIX looks like so:


access-list in_outbound permit ip 192.168.0.0 255.255.255.0 any
access-list in_outbound permit ip 192.168.1.0 255.255.255.0 any
access-list outside_in permit tcp any host 212.10.10.22 eq 3000
access-list pnat permit ip any host 192.168.1.28
access-list pnat permit ip any host 212.10.10.22

ip address outside 212.10.10.1 255.255.255.224
ip address inside 192.168.0.10 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list pnat 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 212.10.10.22 192.168.1.28 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group in_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 212.10.10.2 1
route inside 192.168.1.0 255.255.255.0 192.168.0.11 1

The router config is just to route the 192.168.0.1 and 192.168.0.0 traffic between one another, so a basic config of

ip routing

eth0 - 192.168.0.11/24

eth1 - 192.168.1.11/24

ip route 0.0.0.0 0.0.0.0 192.168.0.10

Thank you all for your help.

Nagaraja, you guided me on the correct path but I had to add an outside option to the nat command to make this work. I think this may be for PIX only.

nat (outside) 1 access-list pnat outside

All working now and thank you again.
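The return-path failure Chris describes, and the outside source NAT that fixes it, as an added simulation that is not part of the thread (addresses are the thread's example values; the internet client 198.51.100.7 and the flow-table model are constructed):

```python
from dataclasses import dataclass

# Addresses from the thread's final PIX config; the client IP is constructed.
FW1_INSIDE = "192.168.0.10"        # PIX inside interface (outside-NAT source)
SERVER_PUBLIC = "212.10.10.22"     # static (inside,outside) public address
SERVER_PRIVATE = "192.168.1.28"    # server's real address
CLIENT = "198.51.100.7"            # constructed internet client behind ISP1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class StatefulFirewall:
    """Toy stateful firewall: a reply is forwarded only if this box saw the
    request that created the flow (two separate firewalls share no state)."""
    def __init__(self, name):
        self.name = name
        self.flows = set()

    def inbound(self, pkt, static_dst, outside_nat_src=None):
        """Apply static destination NAT and, optionally, outside source NAT
        (what 'nat (outside) 1 access-list pnat outside' achieves)."""
        inside = Packet(outside_nat_src or pkt.src,
                        static_dst.get(pkt.dst, pkt.dst), pkt.sport, pkt.dport)
        # Remember the reply 5-tuple exactly as the server will emit it.
        self.flows.add((inside.dst, inside.src, inside.dport, inside.sport))
        return inside

    def forward_reply(self, pkt):
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.flows

def server_next_hop(dst):
    """Server-side routing from the thread: 192.168.0.0/24 is reachable via
    RTR1 towards FW1; everything else follows the default route to FW2."""
    return "FW1" if dst.startswith("192.168.0.") else "FW2"

def simulate(outside_nat):
    """Return (firewall that receives the server's reply, whether it passes)."""
    fws = {n: StatefulFirewall(n) for n in ("FW1", "FW2")}
    request = Packet(CLIENT, SERVER_PUBLIC, 40000, 3000)   # port 3000 as in outside_in
    inside = fws["FW1"].inbound(request, {SERVER_PUBLIC: SERVER_PRIVATE},
                                FW1_INSIDE if outside_nat else None)
    reply = Packet(inside.dst, inside.src, inside.dport, inside.sport)
    fw = fws[server_next_hop(reply.dst)]
    return fw.name, fw.forward_reply(reply)

if __name__ == "__main__":
    print("static only:", simulate(False))      # ('FW2', False): FW2 has no flow
    print("with outside NAT:", simulate(True))  # ('FW1', True)
```

One caveat of the fix: with outside NAT the server sees every ISP1 client as 192.168.0.10, so the real client address is only visible in the PIX logs, not the web server's.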
