NetVanta 3120 R10.9.5.E, using the GUI.
Hello again experts - here's another brainteaser I need your help with. I have two 'private' security zones, and need to connect from one to the other using a public IP address. I'm trying to route traffic from the default private network, out to one of my public IP addresses, and back in to a second private network.
I have laptop users that connect from either the Private LAN #1 or from other locations. Their application program has one field for the address of the license server. The goal is to populate the application with the public IP address, and allow connections from both sides of the firewall.
*** From outside the building using the public IP address (this works great)
Laptop connects to public IP 188.8.131.52, port forwards to the license server in Private LAN #2 at 192.168.22.100
*** From the Private 1 LAN using the private IP address (this works great, but I have to change to the private IP address)
Laptop connects from Private LAN #1 to Private LAN #2 at 192.168.22.100.
*** Connect fails from the Private 1 LAN to the Private 2 LAN when using the public IP address
Laptop tries to connect to public IP 184.108.40.206 - fails.
ip policy-class Public (this is my Lan #1)
allow list web-acl-21 policy Public
ip policy-class Public
nat destination list web-acl-15 address 192.168.22.100
ip policy-class "Private outside DOM" (this is my LAN #2)
nat source list web-acl-17 address 220.127.116.11 overload
Thanks for your help,
Thanks for posting your question on the forum!
I think I see what may be the issue with LAN#2 reaching the server on LAN#1. The nat rule should be a destination NAT and not a source NAT since we need to send the traffic to the server on your Private LAN. However, we need to match traffic destined for the public IP that is used for the license server. Since I don't know what "web-acl-17" looks like, I'll go ahead and post what the syntax should look like for it as well.
ip access-list extended web-acl-17
permit ip any host 18.104.22.168
ip policy-class "Private outside DOM"
nat destination list web-acl-17 address 22.214.171.124
I would also note that web-acl-17 will NAT all traffic destined for 126.96.36.199. You can modify this ACL so that it only NATs certain ports as opposed to all IP traffic.
Workarounds for hairpin applications can also be found here: Re: Hairpin Prevention
Please do not hesitate to let us know if you have any questions or issues.
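To make the difference between the two NAT entries concrete, here is a small added model (not ADTRAN code, and not from this thread) of how a policy-class decides whether a hairpin connection from Private LAN #1 ends up at the license server. It assumes entries are evaluated in order with first match winning, that "nat destination" rewrites the destination before routing while "nat source" only rewrites the source, and it uses a constructed LAN #1 host address and license port.

```python
# Simplified model of AOS-style policy-class NAT entries (our assumption,
# not ADTRAN documentation): first matching entry wins.
from dataclasses import dataclass

PUBLIC_IP = "18.104.22.168"        # public address from the posted ACL
LICENSE_SERVER = "192.168.22.100"  # license server on Private LAN #2
LICENSE_PORT = 27000               # constructed port number for the example

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def acl_match(entry, pkt):
    """entry = (proto, dst_host, dport or None), like 'permit ip any host X'."""
    proto, host, port = entry
    return (pkt.dst == host
            and (proto == "ip" or proto == pkt.proto)
            and (port is None or port == pkt.dport))

def apply_policy(policy, pkt):
    """Return the packet as rewritten by the first matching policy entry."""
    for action, acl, addr in policy:
        if any(acl_match(e, pkt) for e in acl):
            if action == "nat destination":
                return Packet(pkt.src, addr, pkt.dport, pkt.proto)
            if action == "nat source":
                return Packet(addr, pkt.dst, pkt.dport, pkt.proto)
    return pkt

def reaches_server(policy, pkt):
    """The hairpin works only if the destination becomes the private server."""
    return apply_policy(policy, pkt).dst == LICENSE_SERVER

# Source NAT only: the destination stays the public IP, so the connection fails.
web_acl_17 = [("ip", PUBLIC_IP, None)]
original = [("nat source", web_acl_17, PUBLIC_IP)]
# Destination NAT on the same ACL, as suggested in the answer above.
fixed = [("nat destination", web_acl_17, LICENSE_SERVER)]
# Narrower ACL: only the license port is redirected, other traffic is untouched.
scoped_acl = [("tcp", PUBLIC_IP, LICENSE_PORT)]
scoped = [("nat destination", scoped_acl, LICENSE_SERVER)]

hairpin = Packet("192.168.1.50", PUBLIC_IP, LICENSE_PORT)  # constructed LAN #1 host
```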
Thanks Noor! I had to abandon this configuration project in February. My solution was to move the license server PC to another location. Now everybody accesses it from the public internet zone. I'll save 'hairpin' configurations for another day.