NATing to an IP address which is not bound to any interface

L1 Bithead

Hello Everyone,

I want to NAT traffic going from the DMZ zone to the WAN zone. I want the source IPs 172.16.16.16 and 172.16.17.17 (DMZ zone) to be translated to the NAT IP 200.0.0.1, which is not configured on any interface. I am unable to get this to work. Please find the snaps below.

1) Interface IP addresses (screenshot)

2) NAT rule (screenshot)

3) Security policy (screenshot)

4) Topology (screenshot)

 

On R2, when I debug IP, I can see 200.0.0.1, but from R3 I cannot telnet.

Please let me know what I am missing.

L6 Presenter

@nitesharbale What are you seeing under the traffic logs? Is it matching the security policy and NAT rule, and is the traffic going out the correct WAN interface?

Where do both these subnets reside? The DMZ subnet configured on the firewall is 172.16.1.0/24, and the server IPs below belong to different subnets.

Do you have reverse routes on the firewall for the IPs 172.16.16.16 and 172.16.17.17?

 

Mayur
L1 Bithead

Hi Mayur,

Please find the answers below. Let me know if anything else is required.

Q1) What are you seeing under the traffic logs? Is it matching the security policy and NAT rule, and is the traffic going out the correct WAN interface?

Ans: I cannot see traffic logs; I think it requires a license. There is a single WAN interface, which is connected to R2. The security policy and NAT rule are in the snap posted earlier.

Q2) Where do both these subnets reside? The DMZ subnet configured on the firewall is 172.16.1.0/24, and the server IPs below belong to different subnets.

Ans: 172.16.1.2/24 is the R3 interface IP connected to the PA; 172.16.16.16/32 and 172.16.17.17/32 are R3 loopbacks. All are in the same zone, i.e. DMZ.

Q3) Do you have reverse routes on the firewall for the IPs 172.16.16.16 and 172.16.17.17?

Ans: (screenshot of the firewall routing table)

L6 Presenter

@nitesharbale Please verify the traffic using the test commands and see whether it matches the correct security policy, NAT rule and route.

Mayur
Cyber Elite

Hello,

This is possible as long as the PAN knows where to route the traffic. I didn't review the config, but as stated, check the logs and see where/if the policies are getting applied and/or the traffic is getting blocked.

Regards,

L4 Transporter

If you are doing a source NAT with an address of 200.0.0.1, but this address is not in the subnet between your firewall and the WAN router (R2), how are you going to get a reply back from R2?

L4 Transporter

Do you have a route on R2 pointing back to the PAN for this address? Also, since the IP has no interface associated with it, you may have to put in what I call a "ghost route" to make sure your zones align properly. Add a route for the address with an interface value and a next-hop value of "none" to assign the proper zone.
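The two checks raised in the replies above, as an added example that is not code from the original thread or from Palo Alto Networks: whether the firewall has reverse routes to the R3 loopbacks behind 172.16.1.2, and how R2 would forward a reply addressed to the source-NAT IP 200.0.0.1, which lies in no interface subnet. A firewall only proxy-ARPs for a NAT address inside its egress interface's own subnet; any other NAT address has to be routed back to the firewall's WAN IP by the upstream router, otherwise R2 sends the reply down its default route. The transit subnet 198.51.100.0/29, R2's upstream 203.0.113.1, the firewall's DMZ address 172.16.1.1 and the interface names are assumptions; the thread only gives 200.0.0.1, 172.16.1.0/24, 172.16.1.2 and the two loopbacks.

```python
"""Routing model for source NAT to an address not bound to any interface.
Added example; the topology below is constructed and the transit/upstream
addresses are assumptions, not values from the original thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address, ip_interface, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    next_hop: Optional[IPv4Address]   # None means directly connected
    interface: str


@dataclass
class Router:
    name: str
    interfaces: dict                  # interface name -> IPv4Interface (address/prefix)
    static_routes: list = field(default_factory=list)

    def routing_table(self) -> list:
        connected = [Route(i.network, None, n) for n, i in self.interfaces.items()]
        return connected + self.static_routes

    def lookup(self, dst) -> Optional[Route]:
        """Longest-prefix match over connected and static routes; None if nothing covers dst."""
        dst = ip_address(dst)
        best = None
        for r in self.routing_table():
            if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
                best = r
        return best


def reply_path(r2: Router, fw_wan: IPv4Interface, nat_ip) -> str:
    """How R2 forwards a packet whose destination is the firewall's source-NAT address.

    "on-link": the NAT IP is inside the firewall's WAN subnet, so the firewall can
    proxy-ARP for it and R2 needs no route.  Anything else needs an explicit route on
    R2 whose next hop is the firewall's WAN IP, or the reply never comes back."""
    nat_ip = ip_address(nat_ip)
    if nat_ip in fw_wan.network:
        return "on-link"
    route = r2.lookup(nat_ip)
    if route is None:
        return "no-route"
    if route.next_hop == fw_wan.ip:
        return "via-firewall"
    return f"misrouted:{route.dest}->{route.next_hop}"


def reverse_route_ok(fw: Router, dmz_host, dmz_iface: str) -> bool:
    """The firewall must route the pre-NAT source (an R3 loopback) out of the DMZ
    interface, otherwise the return half of the session cannot be delivered."""
    route = fw.lookup(dmz_host)
    return route is not None and route.interface == dmz_iface


def with_return_route(r2: Router, fw_wan: IPv4Interface, nat_ip) -> Router:
    """R2 as it should be configured: a host route for the NAT IP via the firewall's WAN IP,
    placed on whichever R2 interface shares a subnet with that WAN IP."""
    iface = next(n for n, i in r2.interfaces.items() if fw_wan.ip in i.network)
    fixed = Route(ip_network(f"{ip_address(nat_ip)}/32"), fw_wan.ip, iface)
    return Router(r2.name, r2.interfaces, r2.static_routes + [fixed])


# Constructed topology (addresses other than 200.0.0.1 and the DMZ side are assumed).
FW_WAN = ip_interface("198.51.100.2/29")
FW = Router("PA", {"ethernet1/1": FW_WAN, "ethernet1/2": ip_interface("172.16.1.1/24")},
            [Route(ip_network("172.16.16.16/32"), ip_address("172.16.1.2"), "ethernet1/2"),
             Route(ip_network("172.16.17.17/32"), ip_address("172.16.1.2"), "ethernet1/2"),
             Route(ip_network("0.0.0.0/0"), ip_address("198.51.100.1"), "ethernet1/1")])
R2 = Router("R2", {"Gi0/0": ip_interface("198.51.100.1/29"), "Gi0/1": ip_interface("203.0.113.2/30")},
            [Route(ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "Gi0/1")])
NAT_IP = "200.0.0.1"

if __name__ == "__main__":
    print(reverse_route_ok(FW, "172.16.16.16", "ethernet1/2"))          # True
    print(reply_path(R2, FW_WAN, NAT_IP))                                # misrouted:0.0.0.0/0->203.0.113.1
    print(reply_path(with_return_route(R2, FW_WAN, NAT_IP), FW_WAN, NAT_IP))  # via-firewall
```

Without the host route, R2 matches 200.0.0.1 against its default route and sends the reply toward its upstream, which is consistent with seeing 200.0.0.1 in a debug on R2 while the telnet from R3 never completes; the model is agnostic about what the firewall itself does with the NAT address, so the "ghost route" question is left to the replies above.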
