Cisco Support Community
New Member

Static Nat

Hi,

ISP--R1--Firewall--R2--R3--Pc(webserver)

ISP is terminated in the R1 router. To provide internet for users, dynamic NAT is configured at the router (R1) level itself. R1 F0 IP is the primary public IP, and the secondary IP is a private IP which is terminated on the firewall interface (private IP). Now I need to provide static NAT for my webserver. Is it possible to do it in the firewall? I think we can't... I have to do it only in the router.

17 REPLIES
Cisco Employee

Re: Static Nat

Well, the public IP address would be translated on the router to the firewall interface IP (or any other free IP from that pool), and then on the firewall we need:

static (inside,outside) tcp interface/ip 80 80

access-l abc permit tcp any host interface eq 80

access-g abc in interface outside

New Member

Re: Static Nat

Hi,

Your responses are always very helpful for me. Thanks again and again. So as per my scenario I require 2 public IPs to do NAT in the firewall (1 for the firewall interface and 1 for static NAT). But I have only one free IP, so I did static NAT at the router level itself. Let me explain my problem.

My firewall is in the data center (DC). The webserver is in the branch, as I said in the diagram. If I place the webserver in the DC I can access it from outside, but if I place the webserver in the branch (R3 router) I am unable to access it from outside (getting connections in the firewall (saAB)). I think it is some routing issue. As per the current setup we have a route in the router to connect to the DC network. I think we have to add a route in the router so that the request from the internet goes to outside (kindly let me know the route). Please provide your valuable information.

New Member

Re: Static Nat

Hi,

Kindly provide me a solution soon.

Cisco Employee

Re: Static Nat

You don't need 2 free IPs. You can do static PAT using the firewall's outside IP.

New Member

Re: Static Nat

Thanks. As of now I can't change the interface IP of the firewall, so I already did it in the router, but I am unable to access from outside. There are still some routing issues. Can you please help me out?

Cisco Employee

Re: Static Nat

To what IP address is the router translating the request?

Give me the sh run static/sh static output, sh run access-group

New Member

Re: Static Nat

Hi,

Pix Fw(535)--3 interface(inside, outside, branch)

3 Routers(R1,R2 and R3)

Webserver--in branch(R3)

In between R2 and R3---OSPF--Is there anything that needs to be added?

R1--NAT, PAT and routes( Default towards Serial int, Network based towards Firewall Int)

Pix--(Acl from out to in, Default route towards outside, network routes towards branch and inside, nonat for translation in higher Security interface)

If I access the webserver from outside, I am finding the conn in the firewall (conn status: saAB). I am even finding the outside-world IP in my webserver log. Some return traffic flow is not happening.

New Member

Re: Static Nat

Hi,

In R1

#sh run | incl static

Ip nat outside static 172.x.x.x 203.x.x.x

Rest of the things unable to do.

Cisco Employee

Re: Static Nat

Suresh, as a test allow ICMP through the firewall and ping the web server. Also, can you ping the webserver from the firewall?

Can you tell me the real IP address of the web server? If possible, post your config here.

New Member

Re: Static Nat

Hi,

Thank you very much. Kindly find the attached file. At my client's site I am taking care of only the PIX; the router parts are all taken care of by another vendor. Static NAT is at the router level. Let me know the router-level routes and verify the PIX config also. If I try to access from outside I am finding conn status (saAB).

TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB

TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB

TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB

I am finding the public IP (123.176.41.235) in the webserver log also. I think return traffic is not flowing.

New Member

Re: Static Nat

Hi,

Kindly ignore the previous post; the attachment is not there.

Thank you very much. Kindly find the attached file. At my client's site I am taking care of only the PIX; the router parts are all taken care of by another vendor. Static NAT is at the router level. Let me know the router-level routes and verify the PIX config also. If I try to access from outside I am finding conn status (saAB).

TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB

TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB

TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB

I am finding the public IP (123.176.41.235) in the webserver log also. I think return traffic is not flowing.

Cisco Employee

Re: Static Nat

Config looks good. Are we able to ping the webserver from the firewall?

Can you get me sh ip route from both R2 and R3?

New Member

Re: Static Nat

Hi,

Unable to ping the webserver from the firewall.

But I can ping R3 router from R1 and from R1 to R3.

Kindly find the attached file for R2 and R3. In R3 there are no static routes; as I said before, OSPF.

Cisco Employee

Re: Static Nat

From the webserver, can you ping R1?

Run debug icmp trace on the firewall while you initiate a ping from the webserver to R1 and 4.2.2.2 simultaneously.

New Member

Re: Static Nat

Hi,

Yes, I can. Are there any issues with the routes in routers R1 and R2?

Cisco Employee

Re: Static Nat

Hey Suresh, the connection detail TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB clearly indicates that there was no return SYN-ACK on the firewall back from the web server, so either the issue is on WEBSERVER or R2 or R2.

Now, from the webserver are you able to ping 4.2.2.2 through the firewall? Do you see these ICMP requests and replies in debug icmp trace?

I don't see a DG on R2. How would R2 know where to send the return packet?
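Added example (not part of the original thread and not Cisco code): a small Python parser for the `show conn` lines quoted above that decodes the TCP handshake flags and counts inbound connections for which the firewall has seen only the outside SYN, the SaAB state discussed in this reply. The flag meanings follow the `show conn` flag legend; the function names and the healthy sample entry are constructed for illustration.

```python
import re

# Handshake-related subset of the PIX/ASA "show conn" TCP flag legend.
FLAG_MEANING = {
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
}

CONN_RE = re.compile(
    r"TCP out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"idle (?P<idle>[\d:]+) Bytes (?P<bytes>\d+) flags (?P<flags>\w+)"
)

def parse_conn(line):
    """Parse one TCP line of 'show conn' output; return None if it does not match."""
    m = CONN_RE.search(line)
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    conn["decoded"] = [FLAG_MEANING.get(f, "other flag") for f in conn["flags"]]
    return conn

def stuck_inbound(lines):
    """Count, per inside ip:port, inbound connections still waiting for the
    inside host's SYN-ACK (flags B and S set, zero bytes passed)."""
    stuck = {}
    for line in lines:
        c = parse_conn(line)
        if c and "B" in c["flags"] and "S" in c["flags"] and c["bytes"] == 0:
            key = f'{c["in_ip"]}:{c["in_port"]}'
            stuck[key] = stuck.get(key, 0) + 1
    return stuck

SAMPLE = [  # three lines quoted in the thread, then one constructed healthy entry
    "TCP out 123.176.41.235:4579 in 172.24.248.178:443 idle 0:01:14 Bytes 0 flags SaAB",
    "TCP out 123.176.41.235:4580 in 172.24.248.178:443 idle 0:00:43 Bytes 0 flags SaAB",
    "TCP out 123.176.41.235:4581 in 172.24.248.178:443 idle 0:00:14 Bytes 0 flags SaAB",
    "TCP out 198.51.100.7:5000 in 192.0.2.10:443 idle 0:00:02 Bytes 4312 flags UIOB",
]

if __name__ == "__main__":
    for target, count in stuck_inbound(SAMPLE).items():
        print(f"{target}: {count} inbound connection(s) with no SYN-ACK seen from inside")
```

A repeated count against one inside address, while that server's own log shows the client IP, points at the return path (routing between the server and the firewall) rather than at the NAT or ACL.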

New Member

Re: Static Nat

Hi,

Once we added the route in R2, we got connectivity. Thanks for your support.
