anchor
New Contributor III

NAT reflection?


Hello!

I'm not sure NAT reflection is the correct term... I'm trying to route traffic destined to the public IP (from the internal network) BACK into the internal network.  Port forwarding rules are working great from the outside already... When one goes to the public IP now, they are directed to the login screen for the 3448 GUI.  I'd like to apply my NAT rules to them as well.  Then our traveling workers (90% of us) can use the same public URL for accessing hosted services whether inside or outside the office.  Make any sense?

I tried to add a NAT rule above the standard ICS rule on the Private security zone:

nat source list web-acl-17 address 24.21.138.209 overload

ip access-list extended web-acl-17
  remark Local Public IP Router In
  permit ip 10.39.69.0 0.0.0.255 hostname <pub fqdn> log

Any advice?  Is it possible?


Accepted Solutions
Anonymous
Not applicable

Re: NAT reflection?


Thank you for asking this question in the support community.  There is a very similar post on this topic that has already been answered.  When you get a chance please review it and let me know if you have any additional questions on the topic.

I hope that makes sense, but please do not hesitate to ask any questions.  I will be happy to help in any way I can.

Levi

anchor
New Contributor III

Re: NAT reflection?


Thanks for the response Levi!

The DNS is just a pain due to the traveling workers... So there isn't a way to mimic this in IPTables?

iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE


I like your idea of giving it a separate address.  Can I just assign another static public IP to eth0/0 and have port forwarding from it to a separate subnet address assigned as an additional address on the host?  Then, since VLAN1 is on 1.1.1.1 and the 'extra' network is on VLAN3, its public being 1.1.1.2, will the routing work in between the two IPs on the same interface?


SO, VLAN1: 10.0.0.0/24 -> eth0/0 (ip 1.1.1.2) to eth0/0 (ip 1.1.1.1) -> 10.1.1.0/24 ? or would it need to be on a separate interface?

Anonymous
Not applicable

Re: NAT reflection?


dime:

There are several things you'll need to do if you give the server its own IP address and subnet.  It is very similar to example six in the Configuring the Firewall (IPv4) in AOS guide.   Here is a general example of the concept:

interface eth 0/1
  description INTERNET CONNECTION
  ip address 1.1.1.1 255.255.255.252
  ip address 1.1.1.2 255.255.255.255 secondary
  ip access-policy PUBLIC
  no shutdown
!
interface eth 0/2
  description SERVER CONNECTION
  ip address 10.1.1.1 255.255.255.0
  ip access-policy SERVER
  no shutdown
!
interface vlan 1
  description LAN CONNECTION
  ip address 192.168.1.1 255.255.255.0
  ip access-policy PRIVATE
  no shutdown
!
ip access-list extended SERVER
  permit ip any host 1.1.1.2
!
ip policy-class PRIVATE
  allow list ADMIN-ACCESS self
  nat destination list SERVER address 10.1.1.2
  nat source list MATCHALL interface eth 0/1 overload
!
ip policy-class PUBLIC
  allow list ADMIN-ACCESS self
  nat destination list SERVER address 10.1.1.2
!
ip policy-class SERVER
  nat source list MATCHALL interface eth 0/1 overload

I hope that makes sense, but let me know if you have questions.

Levi
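A small model of the hairpin path, added here as an illustration and not part of the thread or of the AOS configuration above. It uses the addresses from Levi's example (clients on 192.168.1.0/24, the VIP 1.1.1.2 as a secondary address on eth 0/1, the server on 10.1.1.0/24) plus a constructed same-VLAN server at 192.168.1.50, to show why the server needs its own subnet unless the source is also translated, which is what the iptables MASQUERADE rule earlier in the thread does.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology following Levi's example config.
PUBLIC_VIP = ipaddress.ip_address("1.1.1.2")
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in
                ("1.1.1.1", "1.1.1.2", "192.168.1.1", "10.1.1.1")}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def simulate(client_ip, server_cidr, snat_to=None):
    """Return True if a LAN client connecting to PUBLIC_VIP gets its reply
    back from PUBLIC_VIP, i.e. the hairpin works.

    server_cidr: the server's address with its subnet, e.g. "10.1.1.2/24".
    snat_to: if set, the router also rewrites the source (the iptables
             MASQUERADE idea) so the server answers the router, not the client.
    """
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_interface(server_cidr)
    original = Flow(client, PUBLIC_VIP)

    # Router ingress (PRIVATE policy-class): nat destination VIP -> server.
    translated = replace(original, dst=server.ip)
    if snat_to is not None:
        translated = replace(translated, src=ipaddress.ip_address(snat_to))
    # Router's session table, keyed on what the server will reply to.
    sessions = {(translated.dst, translated.src): original}

    # The server replies to whatever source it saw.
    reply = Flow(server.ip, translated.src)
    if reply.dst in ROUTER_ADDRS or reply.dst not in server.network:
        # Reply passes through the router, which reverses both translations.
        orig = sessions[(reply.src, reply.dst)]
        reply = Flow(orig.dst, orig.src)
    # else: same subnet, the server answers the client directly; the router
    # never sees the reply, so its source stays the server's real address.

    # The client only accepts a reply from the address it connected to.
    return reply.src == PUBLIC_VIP and reply.dst == client


if __name__ == "__main__":
    print("own subnet, DNAT only:", simulate("192.168.1.10", "10.1.1.2/24"))
    print("same VLAN, DNAT only:", simulate("192.168.1.10", "192.168.1.50/24"))
    print("same VLAN, DNAT + SNAT:",
          simulate("192.168.1.10", "192.168.1.50/24", snat_to="192.168.1.1"))
```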

anchor
New Contributor III

Re: NAT reflection?


Thanks Levi, yes that makes sense!