555 Views | 0 Helpful | 11 Replies

External to Internal client, return traffic routed to another firewall

PNI-ITRNP (Level 1)

OK, here is my scenario: I have one internal client which must be accessed externally, so I have set up an external address. Now we have several remote sites; this particular server resides in our North Carolina office. The site has its own internet connection; however, prior to installing this internet connection all internet traffic was routed to our PA office.

The problem: When I access the internal client over the internet it successfully traverses the firewall in North Carolina. However, since the internal routers used to point to PA for internet access, the traffic does not go back out our North Carolina firewall; instead it is routed to PA, at which point the firewall in PA drops the packets.

How can I ensure that external traffic reaching the internal client goes back out the same NC firewall instead of being routed to PA?

Can I somehow NAT to the inside interface of the NC firewall so that when the traffic returns it is routed to the same firewall it came in on? Attached is an image so that it is easier to understand. The image may be simplistic, but the gist of what I am explaining is portrayed.

11 Replies

John Blakley (VIP Alumni)

I'm assuming that the default gateway on the host is the router's address? You may try changing the gateway to be the firewall, or create a route-map on the router that forces all of this host's traffic out of the firewall.

What kind of firewall and router is this?

HTH,

John


Yes, that is correct. I do not have access to the router config to make any changes, but my network admin has told me that I can NAT to the inside interface of the firewall; this way traffic will flow back out through the same firewall.

The Firewall is PIX v6, the router is also a Cisco router.

Try this config; you will need to test, as I have never used policy NAT outside to inside:

Public address of internal client = 195.17.17.10

access-list NATIN permit ip any host 195.17.17.10

Note you can lock down the above acl to TCP/UDP ports rather than general IP.

nat (outside) 2 access-list NATIN outside

global (inside) 2 interface

This should translate the source IP address of all incoming traffic to the inside interface of the pix so when the traffic is sent back from the internal client it is sent to the firewall.

Like I say, I have used this config but not with an access-list, so you need to test.

Jon

I totally forgot about this, we also have a DMZ on this NC firewall, how will this affect our DMZ traffic?

OK, I was able to test this config, and it worked: I was able to get to the inside client and the traffic went back out the same firewall. However, my concern is now the DMZ traffic, because once I added this config on my test firewall and then checked access to the DMZ servers it timed out. Which makes sense to me, since now the external address is being translated to the inside firewall interface.

You mentioned that you used the config before, but not with an access-list. Is there a way to use the config for, say, a single external address instead of a full access-list?

Roberto

"Which makes sense to me since now the external address is being translated to the inside firewall interface."

Doesn't make sense to me because the external addresses should only be translated to the inside interface address when the destination address is 195.17.17.10. Perhaps this is a limitation of outside/inside dynamic NAT.

"is there a way to use the Config for say a single external address instead of a full access-list? "

Not really, unless the single external address only ever tries to access 195.17.17.10; otherwise you need to use an acl so that the external address only gets translated when it goes to 195.17.17.10, so you're back to the original issue with the config.

It's unclear why DMZ traffic is timing out. With the config I supplied, when traffic comes in for 195.17.17.10 the firewall should translate any source IP to the inside interface address.

This assumes 195.17.17.10 is reachable via the inside interface either

1) because that is its real address

OR

2) the inside device has a private address and you are NATting to 195.17.17.10, e.g.

static (inside,outside) 195.17.17.10 192.168.5.10 netmask 255.255.255.255

Either way, traffic going to the DMZ should not be affected.

Perhaps you could post the config. Unfortunately I don't have a pix handy to test with.

Jon

Actually, while your config works for the one client I need, not only does it affect other DMZ traffic; it also affects outgoing internet traffic (?).

But I am a little confused, because you said in one post, "This should translate the source IP address of all incoming traffic to the inside of the pix". Is it really matching it up to make sure it is only intended for 195.17.17.10 (of course I used my real external, not your example), or is it doing just as you set up in the config and translating all incoming traffic regardless of where it is going on the inside?

"or is it doing just as you setup in the config and translating all incoming traffic regardless of where it is going on the inside ?"

Well, that's what the access-list is for. So

nat (outside) 2 0.0.0.0 0.0.0.0 outside

global (inside) 2 interface

The above would translate all incoming source IP addresses to the inside interface IP of the pix, providing that the destination IP address was reachable via the inside interface.

The original config I supplied:

access-list NATIN permit ip any host 195.17.17.10

Note you can lock down the above acl to TCP/UDP ports rather than general IP.

nat (outside) 2 access-list NATIN outside

global (inside) 2 interface

should translate all incoming source IP addresses to the inside interface IP of the pix only if the destination is 195.17.17.10. Note the same proviso as above, i.e. this NAT will only take place if the destination is reachable via the inside interface.

Perhaps you have conflicting NAT setups. Did you "clear xlate" after entering the config?

Could you post your config?

Jon
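
The two replies above give the outside NAT in pieces. The following is a complete PIX 6.x configuration fragment put together as an added example; it is not a config from this thread or from the poster's firewall. It reuses Jon's example addresses (195.17.17.10 published, 192.168.5.10 as the real inside address) and assumes interface names outside/inside/dmz with the usual security levels, an existing outbound PAT under NAT ID 1, and HTTPS as the only published service; all of those are assumptions. It narrows the outside NAT ACL to the same port as the inbound ACL, which is the "lock down to TCP/UDP ports" option Jon mentions, and it keeps the outside NAT under a separate NAT ID (2) from the outbound pool (1), as Jon's reply did.

```cisco
! Added example, not the original poster's config. Addresses, interface
! names and the published port are assumptions (see lead-in).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Existing outbound PAT for internal hosts (assumed). It uses NAT ID 1;
! the outside NAT below deliberately uses ID 2 so the two pools stay apart.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Publish the internal host: 192.168.5.10 is seen from the Internet as
! 195.17.17.10, and only TCP/443 is permitted in from outside.
static (inside,outside) 195.17.17.10 192.168.5.10 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 195.17.17.10 eq 443
access-group OUTSIDE_IN in interface outside

! Outside NAT (the access-list form is policy NAT, PIX 6.3 or later):
! only for packets addressed to the published host on the published port,
! rewrite the Internet source address to the PIX inside interface address.
! Traffic to the DMZ or to any other inside address does not match NATIN,
! so it is left untranslated.
access-list NATIN permit tcp any host 195.17.17.10 eq 443
nat (outside) 2 access-list NATIN outside
global (inside) 2 interface

! Existing translations are not rebuilt until they are flushed.
clear xlate
```

After an external client connects, `show xlate` should list a translation whose source is the inside interface address for that client, and `show nat` / `show global` show whether any other pool shares the NAT ID. Two things a practitioner should weigh before leaving this in place: the internal server now sees every Internet client as the firewall's inside address, so its own logs and any host-based source-IP restrictions no longer see the real client, and the PIX syslog becomes the only record of who connected; and keeping the NATIN ACL as narrow as the inbound ACL is what stops the translation from bleeding into other inbound traffic.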

I have attached a txt file with the config, however I have removed unnecessary information to make the config shorter in length and easier to find everything at once. I also removed the actual external addresses.

Roberto

Could you also post

1) the config you added on my suggestion, as I assume you have removed it from the config you posted

2) the external IP and the NATted IP that Internet clients are connecting to?

Jon

I added the config in two different ways:

I used the following:

access-list acl_OUT permit ip any host 19x.xxx.xxx.161

nat (outside) 1 access-list acl_OUT outside

global (inside) 1 interface

and

access-list NATIN permit ip any host 19x.xxx.xxx.161

nat (outside) 1 access-list NATIN outside

global (inside) 1 interface

No matter what I tried, although I could access the internal client, it would affect outgoing internet traffic and external traffic headed for the DMZ.

2) the external IP and the NATted IP that Internet clients are connecting to?

The external IP would be 19x.xxx.xxx.161; the internal IP would be 192.168.180.46.
