01-12-2009 12:08 PM - edited 03-04-2019 03:26 AM
I have two offices in different cities. I'm trying to use an external IP address from an Internet circuit in city A to connect to a website hosted on a server in city B. City A and city B are connected through a P2P T1 WAN line and they are on different subnets.
I have set up the static NAT translation on the firewall in city A to point to the correct IP of the website in city B, and added the IP to my access-list for port 80 access.
When I try to access the site by external IP it times out but I see the access-list statement increment so I know it's being activated. I can open the website internally from either city. I can also ping from the firewall in city A to the website in city B successfully. Is there any way for me to get this to work?
01-12-2009 03:46 PM
I understand that this may sound trivial, but have you tried to add the reverse in the ACL for traffic back from city B?
For instance:
permit tcp 10.10.10.0 0.0.0.255 host 63.10.10.10 eq 80
permit tcp host 63.10.10.10 10.10.10.0 0.0.0.255 eq 80
I am not saying this will work but I have had to do this in the past.
01-13-2009 08:47 AM
Thanks for the reply but it didn't help.
01-13-2009 09:01 AM
Have you done any debugs to see what is being sent and coming back?
01-13-2009 09:03 AM
I'm a bit embarrassed to say I'm not sure how to do that. I tried viewing the real time log in the ASDM but it didn't give me any useful information.
01-13-2009 09:11 AM
No need to be embarrassed; this is the point of the forums, to help each other along. There are a lot of smart people on here willing to assist.
I am one of the new guys still learning.
Try this:
ping (remote ip)
then
debug ip packet detail
This will give you a lot of info, so you will need to look through the logs. You are looking to see if the ICMP made it out and what is responding back, if anything. This will help narrow down which side, or what part of the ACL, is having the issue.
******DON'T FORGET to do undebug all before you check your logs!!!!!
01-13-2009 10:13 AM
That command doesn't seem to work on the firewall; I think it is just a router command.
01-13-2009 10:19 AM
You are correct. I am sorry I missed that part. Let me get on my firewall and get you the command.
01-13-2009 10:21 AM
Here is a link to check out in the meantime:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/df.html#wp1059143
01-13-2009 10:22 AM
Try debug icmp trace
then make sure to undebug all
01-13-2009 12:10 PM
If it is no trouble, could you provide the following:
1) The two devices A and B (routers, PIX, ASA appliances, etc.)
2) The ACL you created and the actual NAT translation. Thanks.
So you are essentially using static NAT to xlate the redirected outside IP address sourced from Site to the outside interface of the PIX, then redirecting that to an inside address on Site B, correct?
Also remember the order of operation with NAT and PAT.
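As an added example (not posted by anyone in this thread), here is what the pieces the last reply asks for look like together on a pre-8.3 PIX/ASA at Site A, using constructed addresses: 63.10.10.10 as the spare outside IP at Site A, 10.10.10.5 as the web server at Site B, and 192.168.1.2 as the next hop toward the T1. On this code train the inbound ACL on the outside interface must match the translated (global) address, not the real Site B address, which is one of the NAT order-of-operation details the reply alludes to.

```cisco
! Site A firewall, PIX 6.3 / ASA pre-8.3 NAT syntax (constructed example config).
! One-to-one static translation: outside 63.10.10.10 <-> Site B server 10.10.10.5
static (inside,outside) 63.10.10.10 10.10.10.5 netmask 255.255.255.255

! Inbound ACL applied to the outside interface. Pre-8.3 code evaluates this ACL
! against the GLOBAL (translated) address, so the entry must name 63.10.10.10,
! not 10.10.10.5. Reply traffic is matched by the stateful connection table, so no
! reverse entry is needed for an established TCP session.
access-list outside_in permit tcp any host 63.10.10.10 eq www
access-group outside_in in interface outside

! The Site B subnet must be reachable via the inside interface (over the T1); the
! 192.168.1.2 next hop is an assumed value for the router at Site A.
route inside 10.10.10.0 255.255.255.0 192.168.1.2 1

! Checks to run while a browser on the Internet tries http://63.10.10.10/:
! 1) the translation exists (expect a line with Global 63.10.10.10 Local 10.10.10.5)
show xlate
! 2) the permit line's hit count goes up, as the original poster observed
show access-list outside_in
! 3) a connection entry for 10.10.10.5 port 80 appears; if it never leaves the
!    initial SYN state, the server's reply is not coming back through this firewall
show conn
! 4) the ICMP-level path test suggested earlier in the thread
debug icmp trace
undebug all
```

If `show conn` shows the connection stuck after the SYN, confirm that the server at Site B routes its replies to Internet addresses back over the T1 to this firewall rather than out a local Internet gateway, since the static xlate only works when both directions pass through the same PIX.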