05-22-2018 12:52 AM - edited 02-21-2020 07:47 AM
Hi
We have an ISP connection with 2 scopes
x.224/30 and y.232/29
The /30 range is our public outside IP and the incoming /29 traffic is routed to x.226 by the ISP
We have a server on one of the /29 IPs with public DNS assigned.
When I try to access the DNS IP, the firewall generates a Deny IP spoof error.
I guess that the problem is that the traffic is routed to the outside x.226/30 interface and then tries to enter the outside again using a NAT rule (everything works when the traffic originates outside the house).
I have made a solution where I have an inside DNS server that gives the clients the correct inside IP, but I would rather avoid that because of .....
What would be the correct solution to this problem?
Best regards
Teddy
05-22-2018 06:20 AM - edited 05-28-2018 03:00 AM
Hi Teddy,
If I understand correctly, you are trying to reach a public IP assigned/NATed on the outside interface from inside. In that case you could have a NAT in place similar to this one:
same-security-traffic permit intra-interface
!
object network Public_Server
host x.x.x.x
!
object network Internal_Server
host x.x.x.x
!
nat (INSIDE,INSIDE) source dynamic any interface destination static Public_Server Internal_Server
HTH
Bogdan
05-28-2018 02:30 AM
Thanks for the reply and sorry for the slow response.
I failed to mention that the server is located on another inside interface.
Would it only be a matter of changing the NAT rule to "nat (INSIDE,INSIDESERVER)" to reflect the correct names?
And a side question:
You create 2 network object hosts named Public_Server and Internal_Server. These are not used in the NAT rule, so can they be omitted, or what is the reason for them?
05-28-2018 03:02 AM
Yes, if the server is on a different interface, the NAT should be adapted as you indicated.
I had created the object Public_Server, but then I went on to use the name Public_IP in the NAT rule. I have corrected the error in my initial reply. It should be ok now.
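As an added illustration (not from the thread or from Cisco), the following Python model shows what the twice-NAT rule above does once it is adapted to the two-interface case, "nat (INSIDE,INSIDESERVER) source dynamic any interface destination static Public_Server Internal_Server", and why the flow no longer has to leave and re-enter the outside interface. All addresses are constructed RFC 5737 documentation values standing in for the thread's x.x.x.x placeholders, and the reverse-path check is a simplified stand-in for the ASA's own spoof detection.

```python
# Constructed model of an ASA hairpin (twice-NAT) rule; not Cisco code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Connected subnets per interface (constructed). The /30 plays the role of x.224/30.
INTERFACES = {
    "INSIDE": ip_network("192.0.2.0/24"),
    "INSIDESERVER": ip_network("198.51.100.0/24"),
    "outside": ip_network("203.0.113.224/30"),
}
IF_ADDR = {"INSIDE": "192.0.2.1", "INSIDESERVER": "198.51.100.1",
           "outside": "203.0.113.226"}
PUBLIC_SERVER = "203.0.113.233"    # object network Public_Server (constructed, in the /29)
INTERNAL_SERVER = "198.51.100.10"  # object network Internal_Server (constructed)

@dataclass(frozen=True)
class TwiceNat:
    """nat (src_if,dst_if) source dynamic any interface destination static real mapped"""
    src_if: str
    dst_if: str
    dst_real: str    # address the client actually sends to (the public IP)
    dst_mapped: str  # address the packet is redirected to (the internal server)

HAIRPIN = TwiceNat("INSIDE", "INSIDESERVER", PUBLIC_SERVER, INTERNAL_SERVER)

def owning_interface(ip):
    """Interface whose connected subnet contains ip; None means 'reached via the default route'."""
    for name, net in INTERFACES.items():
        if ip_address(ip) in net:
            return name
    return None

def is_spoofed(ingress_if, src_ip):
    """Simplified reverse-path check: a source address that belongs to another
    interface's subnet arriving on ingress_if is the condition the thread's
    'Deny IP spoof' message reports."""
    owner = owning_interface(src_ip)
    return owner is not None and owner != ingress_if

def translate(ingress_if, src_ip, dst_ip, rules=(HAIRPIN,)):
    """Return (egress_if, new_src, new_dst). With a matching twice-NAT rule the
    source is PAT'd behind the egress interface IP and the destination rewritten
    to the internal server, so the packet is delivered on INSIDESERVER directly.
    Without a rule it is routed unchanged: a destination no interface owns goes
    out 'outside', which is the path that led to the spoof drop in the thread."""
    for r in rules:
        if r.src_if == ingress_if and dst_ip == r.dst_real:
            return r.dst_if, IF_ADDR[r.dst_if], r.dst_mapped
    return owning_interface(dst_ip) or "outside", src_ip, dst_ip
```

Calling translate("INSIDE", "192.0.2.50", PUBLIC_SERVER) yields ("INSIDESERVER", "198.51.100.1", "198.51.100.10"), while the same call with rules=() routes the untouched packet out "outside".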
05-28-2018 11:50 PM
Many thanks.
It worked like a charm.