One-to-One NAT - DMZ to inside - how do I make it work?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

One-to-One NAT - DMZ to inside - how do I make it work?

L4 Transporter

Folks.

I'm apparently having a particularly stupid day, because I can;t make something as simple as one-to-one NAT work.

Scenario is this.

I have an IP in my DMZ. I have assigned this IP to a particular server which is hosted on my INSIDE (secure) network.

All I want to do is take this IP address and NAT it to the inside address. Something like this

IP addresses have been changed to protect the stupid (me!).

So - request comes in from the web to 1.2.3.91, and I want to redirect it to 10.100.1.120 - only needs web browsing and PING.

but I can not, for the life of me, get it right.

I've got the following NAT rule

Original packet

Source Zone - Outside

Destination Zone - DMZ

Source Address - Any

Destination Address - 1.2.3.91

Translated Packet

Source Translation : None

Destination translation : 10.100.1.120

The security policy is as follows

Source : Outside

Source Address : Any

Destination : Inside

Destination Address : 10.100.1.120

I'm happy for anyone to point out where I'm being stupid and laugh at me - I know it's something obvious, but I'm banging my head trying to sort out what.

thanks

18 REPLIES 18

Hello Darren,

Please try below mentioned CLI command and share the O/P.

admin@62-PA> test security-policy-match from <source zone>  source <IP address> destination <IP/MASK> protocol YY destination-port XX

admin@62-PA> test nat-policy-match source <IP public address> destination <IP address> protocol YY destination-port XX

Thanks

HULK wrote:

Hello Darren,

Please try below mentioned CLI command and share the O/P.

admin@62-PA> test security-policy-match from <source zone>  source <IP address> destination <IP/MASK> protocol YY destination-port XX

admin@62-PA> test nat-policy-match source <IP public address> destination <IP address> protocol YY destination-port XX

Thanks

first one (I've replaced the actual outside address)

darren@Ai-Gate(active)> test security-policy-match from outside source 110.142.210.164 destination 1.2.3.91/32 protocol 1

Confluence-Outside-in {

        from outside;

        source any;

        source-region none;

        to inside;

        destination 1.2.3.91;

        destination-region none;

        user any;

        category any;

        application/service [ icmp/icmp/any/any web-browsing/tcp/any/80 ping/icmp/any/any ];

        action allow;

        terminal yes;

}

Second one

darren@Ai-Gate(active)> test nat-policy-match source 110.142.210.164 destination 1.2.3.91 protocol 1

Destination-NAT: Rule matched: Inbound NAT Confluence

1.2.3.91:0 => 10.100.1.120:0

darren@Ai-Gate(active)>

I can't see a problem with either one, yet I can't PING the damn thing from the outside! I've definitively confirmed the host is online, has no local firewall running, and has a route to the internet. The NAT rule for this incoming is placed "above" my general-purpose NAT rules, so it should be processed first.

I am now officially scratching my head.

Can you add the o/p for following commands to this discussion

>show running nat-policy


>show routing route


Also start a continuous ping to the DMZ public IP and monitor the session table:


>show session all filter source <ip>


if you see any PING  sessions displayed add the following o/p with this discussion


>show session <id>

akawimandan wrote:

Can you add the o/p for following commands to this discussion

>show running nat-policy


>show routing route


Also start a continuous ping to the DMZ public IP and monitor the session table:


>show session all filter source <ip>


if you see any PING  sessions displayed add the following o/p with this discussion

>show session <id>

Running nat policy (somewhat obfuscated) - there are other components, but they refer to interfaces which aren't part of this problem.

"Inbound NAT Confluence" {

        from outside;

        source any;

        to outside;

        to-interface  ;

        destination 1.2.3.91;

        service  any/any/any;

        translate-to "dst: 10.100.1.120";

        terminal no;

}

No-NAT-DMZ {

        from inside;

        source any;

        to DMZ;

        to-interface ethernet1/3 ;

        destination any;

        service  any/any/any;

        terminal no;

}

"No-NAT Internet Router" {

        from inside;

        source any;

        to outside;

        to-interface ethernet1/2 ;

        destination 1.2.3.2;

        service  any/any/any;

        terminal no;

}

No-NAT-inbound-DMZ {

        from outside;

        source any;

        to DMZ;

        to-interface ethernet1/3 ;

        destination any;

        service  any/any/any;

        terminal no;

}

"Outbound Nat" {

        from inside;

        source any;

        to outside;

        to-interface  ;

        destination any;

        service  any/any/any;

        translate-to "src: ethernet1/2 1.2.3.1 (dynamic-ip-and-port) (pool idx: 1)";

        terminal no;

}

Some explanation - I have a /24 available on my router/firewall. 1.2.3.0/30 is used as a point-to-point link between my edge router running BGP and my firewall (1.2.3.1/30 is the firewall's "outside" interface)

My DMZ is 1.2.3.64/26, with 1.2.3.91 being one IP inside that range - the firewaall has 1.2.3.126 on the layer 3 interface for the DMZ.

Routing table (again, somewhat obfuscated)

VIRTUAL ROUTER: default (id 1)

  ==========

destination                                 nexthop                                 metric flags      age   interface          next-AS

0.0.0.0/0                                   1.2.3.2                            10     A S              ethernet1/2

10.0.243.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.0.244.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.0.250.8/29                               0.0.0.0                                 10     A S              tunnel.5

10.0.250.16/29                              0.0.0.0                                 10     A S              tunnel.4

10.0.250.24/29                              0.0.0.0                                 10     A S              tunnel.6

10.0.252.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.0.253.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.0.254.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.10.0.0/24                                10.10.0.0                               10     A S              tunnel

10.10.1.0/24                                0.0.0.0                                 10     A S              tunnel.3

10.50.0.0/24                                10.100.100.250                          10     A S              ethernet1/1

10.50.1.0/24                                10.100.100.250                          10     A S              ethernet1/1

10.50.10.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.50.12.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.50.13.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.50.14.0/23                               10.100.100.250                          10     A S              ethernet1/1

10.50.16.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.50.17.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.50.50.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.100.1.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.100.2.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.100.3.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.100.4.0/24                               10.100.100.250                          10     A S              ethernet1/1

10.100.5.0/24                               10.100.5.254                            0      A C              ethernet1/4

10.100.5.254/32                             0.0.0.0                                 0      A H

10.100.100.248/30                           10.100.100.249                          0      A C              ethernet1/1

10.100.100.249/32                           0.0.0.0                                 0      A H

172.20.12.0/24                              10.100.100.250                          10     A S              ethernet1/1

192.9.200.0/24                              0.0.0.0                                 10     A S              tunnel.3

1.2.3.0/30                             1.2.3.1                            0      A C              ethernet1/2

1.2.3.1/32                             0.0.0.0                                 0      A H

1,2,3.64/26                            1.2.3.126                          0      A C              ethernet1/3

1.2.3.126/32                           0.0.0.0                                 0      A H

total routes shown: 34

I'm not seeing any sessions in the session table at all with a continuous PING running from an outside address to the host in question, but I *do* see sessions if I run one to another host in the DMZ, so I'm pretty sure the routing is right.

  • 5100 Views
  • 18 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!