Cisco Support Community

New Member

Two firewalls static translation to one server return path issue

Perhaps someone could help me with a policy NAT issue.

Routing to the default gateway when the traffic came from a different firewall.

My configuration is

ISP1 ------> FW1 ------> RTR1 ------> L3 SWITCH <------> SERVER1
                                          |
                                          |
ISP2 ------> FW2 -------------------------+

IP Addresses ( examples )

ISP1 - 212.10.10.0/27

ISP2 - 208.10.10.0/27

FW1 out - 212.10.10.1/24

FW2 out - 208.10.10.10/24

FW1 in - 192.168.0.10/24

FW2 in - 192.168.1.10/24

RTR1 inside   - 192.168.1.11/24

RTR1 outside - 192.168.0.11/24

SERVER 192.168.1.220/24

SWITCH is a layer 3 switch with multiple VLANs and route-map policies to route between VLANs and choose the gateway based on VLAN.

The router has NAT enabled and a static translation mapping 192.168.0.220 to 192.168.1.220. With a machine in the 192.168.0.x network I can view a test web server on 192.168.1.220. Anything outside FW1 cannot get to the web server even with all the static and nat commands working.

Please could someone help me with this?

G

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Two firewalls static translation to one server return path issue

Hello,

Please try the following on the FW1 (PIX):

access-list pnat permit ip any host "server private ip"

access-list pnat permit ip any host "server public ip"

global (inside) 1 interface

nat (outside) 1 access-list pnat

If you are mapping the server port to the external IP of the PIX itself,

then,

access-list pnat permit tcp any host "server private ip" eq "port"

access-list pnat permit tcp any host "server public ip" eq "port"

global (inside) 1 interface

nat (outside) 1 access-list pnat

This should nat all incoming requests to the interface IP of the PIX.

Hope this helps.

Regards,

NT

9 REPLIES
New Member

Re: Two firewalls static translation to one server return path issue

Dear Glenn,

The first thing that creates a doubt in my mind is the gateway on the server, as RTR, FW2 and the server are all in the same subnet; the switch is basically transparent.

So it depends on what gateway is configured on the server.

Another thing: as per standards, servers are usually configured with 2 NICs so that one NIC can be configured as part of FW1 and the other as part of FW2, so NATting becomes easy and availability of the server from both ISP links is also easy to achieve.

Probably it's something to do with the server gateway.

HTH.....

Regards,

Mangesh.

New Member

Re: Two firewalls static translation to one server return path issue

Mangesh,


Thank you for your reply. The server's gateway is FW2, 192.168.1.10/24. To give you a bit more information: ISP2 and FW2 are part of the existing setup, and ISP1 is a link for a new provider that we plan to migrate to. Because there are so many servers, and numerous VHOST configurations on these servers, I cannot just do a cut-over migration from one ISP to the new ISP. There are around 200 DNS records that have to be moved over to the new range.

I have also tried using two NICs in the servers with no luck, so I am looking at other options.

So FW1 and RTR1 were put in to try and accomplish a gradual migration.

Thank you in advance
Glenn

Silver

Re: Two firewalls static translation to one server return path issue

Usually a fault-tolerant firewall pair is placed between the Internet router and the data center/campus L3 switch in order to avoid the problem you are describing. Firewalls use 'stateful inspection' to prevent unsolicited connections from the Internet. Two separate firewalls will not be aware of each other's state; therefore a return packet to a firewall that didn't originate the flow will fail.

In addition to placing the firewalls between the routers and the L3 switch, firewall 'transparent mode' is a good idea vs. routed mode.

Chris

New Member

Re: Two firewalls static translation to one server return path issue

Chris,

That is how our topology will look once we have been able to migrate over to our new IP range / ISP.

Cisco Employee

Re: Two firewalls static translation to one server return path issue

Hello,

What kind of firewall are we looking at? What will be your default gateway?

The best option for us would be to use destination NAT along with source NAT. NAT all traffic entering from the Internet through the second ISP to the inside interface IP of the second firewall. This way, the server thinks that the request is from the second firewall and will send the reply directly to the second firewall. The second firewall will then translate the IP back to the corresponding Internet IP.

Hope this helps.

Regards,

NT

New Member

Re: Two firewalls static translation to one server return path issue

Nagaraja,

FW2 is a Cisco ASA 5520 v7.0 and FW1 is a Cisco PIX v6.3.
All the servers' gateway is the layer 3 switch VLAN IP address, which has a route-map to direct 0.0.0.0/0 traffic to FW2.

What you suggested is what I am trying to achieve; please could you guide me on how to achieve this?


New Member

Re: Two firewalls static translation to one server return path issue

Nagaraja,

That did not work for me.

OK, my PIX looks like so:


access-list in_outbound permit ip 192.168.0.0 255.255.255.0 any
access-list in_outbound permit ip 192.168.1.0 255.255.255.0 any
access-list outside_in permit tcp any host 212.10.10.22 eq 3000
access-list pnat permit ip any host 192.168.1.28
access-list pnat permit ip any host 212.10.10.22

ip address outside 212.10.10.1 255.255.255.224
ip address inside 192.168.0.10 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list pnat 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 212.10.10.22 192.168.1.28 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group in_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 212.10.10.2 1
route inside 192.168.1.0 255.255.255.0 192.168.0.11 1

The router config just routes the 192.168.0.1 and 192.168.0.0 traffic between one another, so a basic config of

ip routing

eth0 - 192.168.0.11/24

eth1 - 192.168.1.11/24

ip route 0.0.0.0 0.0.0.0 192.168.0.10

New Member

Re: Two firewalls static translation to one server return path issue

Thank you all for your help.

Nagaraja, you guided me on the correct path, but I had to add an outside option to the nat command to make this work. I think this may be for PIX only:

nat (outside) 1 access-list pnat outside

All working now and thank you again
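Putting the thread together: Nagaraja's destination-plus-source NAT approach (translate the public address to the server, then rewrite the client's source to the firewall's inside address so the reply comes back the same way) and Glenn's final fix (the `outside` keyword on the PIX `nat` command). The fragment below is an added example assembled from the configuration Glenn posted, not the original poster's config or a Cisco reference configuration. The addresses, port 3000, the ACL names and the RTR1 next hop are those from Glenn's post; the tightening of the policy NAT ACL from `permit ip` to `permit tcp ... eq 3000` is an added hardening, not something the thread did, and the `:` comment lines are the comment form PIX writes in saved configs.

```cisco
: FW1 = PIX 6.3. Addresses, port 3000 and names as posted in the thread.
ip address outside 212.10.10.1 255.255.255.224
ip address inside 192.168.0.10 255.255.255.0

: Destination NAT: public 212.10.10.22 -> server 192.168.1.28 (behind RTR1).
static (inside,outside) 212.10.10.22 192.168.1.28 netmask 255.255.255.255 0 0

: Only the published service is admitted from the Internet.
access-list outside_in permit tcp any host 212.10.10.22 eq 3000
access-group outside_in in interface outside

: Source NAT for the return path. Clients arriving through ISP1 are rewritten
: to the PIX inside interface (192.168.0.10), so the server's reply is routed
: back via RTR1 to FW1 instead of following the server's default route to FW2,
: which holds no state for the flow and drops it.
: Added tightening (not from the thread): match only the published port. The
: original "permit ip any host" form would hide the real client address from
: the server's logs for every service, not just this one. Both the real and
: the mapped destination are listed, as in the working config from the thread;
: confirm with "show xlate" which entry is actually matched on your version.
access-list pnat permit tcp any host 192.168.1.28 eq 3000
access-list pnat permit tcp any host 212.10.10.22 eq 3000
global (inside) 1 interface
nat (outside) 1 access-list pnat outside

: Outbound PAT for the inside networks, as posted.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0 0 0

: Reach the server subnet via RTR1; everything else to ISP1.
route inside 192.168.1.0 255.255.255.0 192.168.0.11 1
route outside 0.0.0.0 0.0.0.0 212.10.10.2 1

: Verification after a test connection from the Internet:
:   show xlate   - expect one static entry for 212.10.10.22 and a dynamic
:                  PAT entry for the client behind 192.168.0.10
:   show conn    - the TCP connection should show as established, not SYN-only
```

Two checks worth making on the rest of the path. First, on the L3 switch the route-map that steers the server VLAN to FW2 must not also catch replies addressed to 192.168.0.10; if it uses `set ip next-hop` unconditionally rather than `set ip default next-hop` or an ACL that excludes 192.168.0.0/24, the reply is still policy-routed to FW2 and the translation on FW1 makes no difference. Second, because every client now appears to the server as 192.168.0.10, any logging, rate limiting or access control that keys on client IP has to move to FW1 (its connection logs and `outside_in` ACL) for traffic entering through ISP1; that is the trade-off of solving the asymmetric return path with source NAT rather than with the stateful pair Chris describes.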
