Static NAT problem with ZBF

Thiago Cella
Level 1

Hi Friends,

 

In this scenario, the traffic from INSIDE to OUTSIDE is working, but from OUTSIDE to INSIDE it isn't working. For example, I created the NAT for 3389, for external access to RDP, but no success.

 

My config follows, thanks:

 

!
class-map type inspect match-any TRAFFIC
 description TRAFFIC_MATCH
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any OUT-TO-IN
 match access-group name OUT-TO-IN
!
!
policy-map type inspect OUT-TO-IN
 class type inspect OUT-TO-IN
  inspect
 class class-default
  drop
policy-map type inspect TRAFFIC_CLASS
 class type inspect TRAFFIC
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security TRAF source INSIDE destination OUTSIDE
 service-policy type inspect TRAFFIC_CLASS
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.92.251 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 zone-member security INSIDE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list inside_nat0_outbound interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.92.89 50 1.1.1.2 50 extendable
ip nat inside source static tcp 192.168.92.89 3389 1.1.1.2 3389 extendable
!
ip access-list extended OUT-TO-IN
 permit tcp any host 192.168.92.11 eq 3389
 permit tcp any host 192.168.92.89 eq 3389
 permit tcp any host 1.1.1.2 eq 3389
 permit tcp any host 192.168.92.89 eq 50
 permit tcp any host 1.1.1.2 eq 50
ip access-list extended inside_nat0_outbound
 deny   ip 192.168.92.0 0.0.0.255 10.0.70.0 0.0.0.255
 deny   ip 192.168.93.0 0.0.0.255 10.0.70.0 0.0.0.255
 deny   ip 10.1.10.0 0.0.0.255 10.0.70.0 0.0.0.255
 deny   ip 10.2.1.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 192.168.92.0 0.0.0.255
 deny   ip 192.168.92.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.92.0 0.0.0.255 any
 permit ip 172.31.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
!
disable-eadi
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

 

5 Replies

Marvin Rhoads
Hall of Fame

The access-list is checked prior to un-NATting the address. Try with the outside address of your servers in "ip access-list extended OUT-TO-IN".

But the IP is there, look:

 

ip access-list extended OUT-TO-IN
 permit tcp any host 192.168.92.11 eq 3389
 permit tcp any host 192.168.92.89 eq 3389
 permit tcp any host 1.1.1.2 eq 3389
 permit tcp any host 192.168.92.89 eq 50
 permit tcp any host 1.1.1.2 eq 50

I mean the 1.1.1.x public IP address that appears on your outside interface and associated zone.

Sorry, I typed it wrong.

The ACL is as follows, but it's not working yet:

ip access-list extended OUT-TO-IN
 permit tcp any host 192.168.92.11 eq 3389
 permit tcp any host 192.168.92.89 eq 3389
 permit tcp any host 1.1.1.2 eq 3389
 permit tcp any host 192.168.92.89 eq 50
 permit tcp any host 1.1.1.2 eq 50

 

 

Friends, I removed the command ip nat enable and it works!!!

 

interface FastEthernet0/0

 ip nat enable
!
interface FastEthernet0/1.1
 ip nat enable
 

But I have another question. I created the DMZ zone and everything works, but the DMZ network can ping the IP 192.168.92.251 (the router's interface on the Inside network). According to the config, the DMZ shouldn't be able to ping this address. Is that correct?

 

zone security DMZ

 

interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.0.33 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security DMZ

class-map type inspect match-any DMZ-TO-ALL
 match access-group name dmz_out

 

policy-map type inspect DMZ-TO-ALL

 class type inspect DMZ-TO-ALL
  inspect
 class class-default
  drop

zone-pair security DMZ-TO-ALL source DMZ destination OUTSIDE
 service-policy type inspect DMZ-TO-ALL

 

 

ip access-list extended lab_out
 deny   ip 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
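A small config audit, added here as an example and not taken from the thread, that checks the two things this thread turned on: an interface carrying `ip nat enable` alongside `ip nat inside`/`ip nat outside` (removing it was the fix), and a static NAT whose real or translated address/port has no permit in the OUT-TO-IN ACL (the thread's final ACL lists both). The sample config is a constructed excerpt of the posted one, and the parsing is a line-based heuristic for these specific commands, not a full IOS parser.

```python
import re
# Constructed excerpt of the thread's posted config (not the full configuration).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
 ip nat enable
!
interface FastEthernet0/1.1
 ip nat inside
 ip nat enable
!
ip nat inside source static tcp 192.168.92.89 50 1.1.1.2 50 extendable
ip nat inside source static tcp 192.168.92.89 3389 1.1.1.2 3389 extendable
ip access-list extended OUT-TO-IN
 permit tcp any host 192.168.92.89 eq 3389
 permit tcp any host 1.1.1.2 eq 3389
 permit tcp any host 192.168.92.89 eq 50
"""
STATIC_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
PERMIT_RE = re.compile(r"^ permit tcp any host (\S+) eq (\d+)")

def parse_blocks(cfg):
    # Group each top-level command with its indented sub-lines; "!" separators are skipped.
    blocks, cur = [], None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            cur[1].append(line)
        elif line.strip() and line != "!":
            cur = (line, [])
            blocks.append(cur)
    return blocks

def audit(cfg, acl_name="OUT-TO-IN"):
    # Returns human-readable findings for the two problems discussed in the thread.
    findings, permits, statics = [], set(), []
    for head, body in parse_blocks(cfg):
        if head.startswith("interface "):
            modes = {l.strip() for l in body if l.strip().startswith("ip nat ")}
            if "ip nat enable" in modes and modes & {"ip nat inside", "ip nat outside"}:
                findings.append(f"{head[10:]}: 'ip nat enable' (NVI) mixed with ip nat inside/outside")
        elif head == f"ip access-list extended {acl_name}":
            permits = {(m.group(1), int(m.group(2))) for l in body if (m := PERMIT_RE.match(l))}
        elif (m := STATIC_RE.match(head)):
            statics.append(m.groups())
    # The thread's final ACL permits both the real (inside) and translated (outside) address.
    for in_ip, in_port, out_ip, out_port in statics:
        for ip, port in ((in_ip, int(in_port)), (out_ip, int(out_port))):
            if (ip, port) not in permits:
                findings.append(f"static NAT {in_ip}:{in_port}->{out_ip}:{out_port}: no {acl_name} permit for {ip}:{port}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both interfaces for the NVI/classic NAT mix and the port-50 static NAT for its missing 1.1.1.2 permit; the 3389 entry is clean.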

 
