Nat exempt Question

sgalloway
Level 1

Hi,

I currently have a static NAT, for example (web1-internal) to (web1-external); see the static NAT below.

This allows external hosts to connect on a public address and then get translated to the internal host address.

What I want to do now is permit HTTP traffic from this internal host to the outside, but for some reason it is not working.

I have tried adding a NAT exempt rule using the inside host translated on the outbound interface, with no luck.

And also adding an access-list to the inside interface of:

access-list inbound_inside permit tcp host web1 any eq www

The current static NAT rule is:

static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500

Example IP Addresses

web1 : 172.16.34.208

web1-xlate : 203.14.59.50

Let me know if you need more info or config!

Thanks, Simon


5 Replies

Simon,

The static NAT that you mention is bidirectional.

This means that it will work for allowing inbound traffic to the public IP and outbound traffic from the server.

To allow outbound traffic nothing needs to be done because it is permitted by default.

(if you already have an ACL applied to the inside interface, then the traffic should be specified to be permitted).

To allow inbound traffic, you should explicitly allow the traffic in the ACL applied to the outside interface.

Federico.
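A worked configuration that puts Federico's points side by side, added here as an illustration and not taken from the thread or from Simon's actual config. It uses the pre-8.3 PIX/ASA syntax of the thread; the outside ACL name, the inside DNS server address 172.16.34.10 and the https line are assumptions.

```cisco
! Bidirectional static NAT (the rule Simon already has). One line serves both
! directions: inbound 203.14.59.50 -> 172.16.34.208 and outbound
! 172.16.34.208 -> 203.14.59.50. No separate NAT exempt rule is needed.
static (inside,outside) 203.14.59.50 172.16.34.208 netmask 255.255.255.255 tcp 1000 500

! Outside interface: inbound connections are denied by default, so the web
! server has to be permitted explicitly, on its translated (public) address.
access-list inbound_outside permit tcp any host 203.14.59.50 eq www
access-group inbound_outside in interface outside

! Inside interface: outbound traffic is allowed by default ONLY while no ACL
! is bound here. Once one is applied, the implicit deny at its end drops
! everything not listed, so every protocol the server needs outbound must be
! covered, including DNS (the service this host turned out not to have
! configured at all). 172.16.34.10 is an assumed internal DNS server.
access-list inbound_inside permit tcp host 172.16.34.208 any eq www
access-list inbound_inside permit tcp host 172.16.34.208 any eq https
access-list inbound_inside permit udp host 172.16.34.208 host 172.16.34.10 eq domain
access-group inbound_inside in interface inside

! Checks Federico suggested, and what each one tells you:
!   show run access-group                -> which ACLs are bound, and on which interface
!   show access-list inbound_inside      -> hit counts; zero hits on the www line means
!                                           the packets never matched (or never reached the ASA)
!   show xlate | include 172.16.34.208   -> confirms the static translation is in place
```

If the inside ACL hit counts stay at zero while the server reports failures, the problem is on the host side (addressing, gateway, DNS) rather than in NAT or the ACLs.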

Hi Federico,

I already have an ACL on the outside interface:

access-list inbound_outside permit tcp any host web1-xlate eq www

This rule works fine!

But going the other way, initiating the connection from the internal web1 (172.16.34.208) to the outside, doesn't work.

E.g. I want to HTTP to the outside from web1 internally, but it doesn't work.

Any more suggestions?

Thanks for your prompt reply, much appreciated!

SG

The internal 172.16.34.208 can't get out to the Internet?

But you said it is reachable from the Internet, correct?

Is there an ACL applied to the inside interface? You can check with 'sh run access-group'.

The other machines on the inside interface have Internet access as well?

Federico.

Hi Federico,

All sorted now; for some reason the guys that set up this internal server forgot to put the DNS server in the IP addressing!

HTTP traffic from this internal server is now fine!

Thank you so much for your time, much appreciated.

SG

Glad to hear that :-)

Thank you,

Federico.
