Hello!
I'm not sure NAT reflection is the correct term... I'm trying to route traffic destined to the public IP (from the internal network) BACK into the internal network. Port forwarding rules are working great from the outside already... When one goes to the public IP now, they are directed to the login screen for the 3448 GUI. I'd like to apply my NAT rules to them as well. Then our traveling workers (90% of us) can use the same public URL for accessing hosted services whether inside or outside the office. Make any sense?
I tried to add a NAT rule above the standard ICS rule on the Private security zone:
nat source list web-acl-17 address 24.21.138.209 overload
ip access-list extended web-acl-17
remark Local Public IP Router In
permit ip 10.39.69.0 0.0.0.255 hostname <pub fqdn> log
Any advice? Is it possible?
Thank you for asking this question in the support community. There is a very similar post on this topic that has already been answered. When you get a chance please review it and let me know if you have any additional questions on the topic.
I hope that makes sense, but please do not hesitate to ask any questions. I will be happy to help in any way I can.
Levi
Thanks for the response Levi!
The DNS is just a pain due to the traveling workers... So there isn't a way to mimic this in IPTables?
iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE
I like your idea of giving it a separate address. Can I just assign another static public IP to eth0/0 and have port forwarding from it to a separate subnet address assigned as an additional address on the host? Then, since VLAN1 is on 1.1.1.1 and the 'extra' network is on VLAN3 with its public IP being 1.1.1.2, will the routing work in between the two IPs on the same interface?
So, VLAN1: 10.0.0.0/24 -> eth0/0 (ip 1.1.1.2) to eth0/0 (ip 1.1.1.1) -> 10.1.1.0/24? Or would it need to be on a separate interface?
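The two iptables rules above, worked through as an added simulation that is not code from this thread or from AOS: it models the PREROUTING DNAT and the POSTROUTING MASQUERADE on a LAN client's connection to the public address, and shows why the second rule is needed when the server sits on the same LAN as the client (without it the server answers the client directly, so the SYN-ACK arrives from the server's private address instead of the public one the client connected to). All addresses are constructed examples.

```python
import ipaddress

# Constructed addresses (not from the post): public IP, web server, router LAN side.
PUBLIC_IP = "203.0.113.10"
SERVER_IP = "192.168.1.20"
ROUTER_LAN_IP = "192.168.1.1"
LAN = ipaddress.ip_network("192.168.1.0/24")
PORT = 80


def dnat(pkt):
    """PREROUTING: -d PUBLIC_IP -p tcp --dport 80 -j DNAT --to SERVER_IP"""
    if pkt["dst"] == PUBLIC_IP and pkt["dport"] == PORT:
        return {**pkt, "dst": SERVER_IP}
    return pkt


def masquerade(pkt, enabled):
    """POSTROUTING: -s LAN -d SERVER_IP -p tcp --dport 80 -j MASQUERADE
    Rewrites the source to the router's address on the egress (LAN) interface."""
    in_lan = ipaddress.ip_address(pkt["src"]) in LAN
    if enabled and in_lan and pkt["dst"] == SERVER_IP and pkt["dport"] == PORT:
        return {**pkt, "src": ROUTER_LAN_IP}
    return pkt


def hairpin(client_ip, with_masquerade):
    """Simulate a LAN client connecting to the public IP and report where the
    server's reply goes and which source address the client sees on it."""
    orig = {"src": client_ip, "sport": 40000, "dst": PUBLIC_IP, "dport": PORT}
    # Router forward path: PREROUTING DNAT, then POSTROUTING SNAT on the way out.
    to_server = masquerade(dnat(orig), with_masquerade)
    # conntrack remembers the translation so a reply through the router can be undone.
    conntrack = {(to_server["dst"], to_server["src"], to_server["sport"]): orig}
    # The server replies to whatever source address it saw on the SYN.
    reply = {"src": to_server["dst"], "dst": to_server["src"], "dport": to_server["sport"]}
    if reply["dst"] == ROUTER_LAN_IP:
        # Reply comes back to the router: reverse both translations.
        o = conntrack[(reply["src"], reply["dst"], reply["dport"])]
        return {"reply_src": o["dst"], "reply_dst": o["src"], "via_router": True}
    # Server and client share the LAN: the reply bypasses the router untranslated.
    return {"reply_src": reply["src"], "reply_dst": reply["dst"], "via_router": False}


def connection_succeeds(client_ip, with_masquerade):
    """The client only accepts a SYN-ACK from the address it connected to."""
    return hairpin(client_ip, with_masquerade)["reply_src"] == PUBLIC_IP
```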
dime:
There are several things you'll need to do if you give the server its own IP address and subnet. It is very similar to example six in the Configuring the Firewall (IPv4) in AOS guide. Here is a general example of the concept:
interface eth 0/1
description INTERNET CONNECTION
ip address 1.1.1.1 255.255.255.252
ip address 1.1.1.2 255.255.255.255 secondary
ip access-policy PUBLIC
no shutdown
!
interface eth 0/2
description SERVER CONNECTION
ip address 10.1.1.1 255.255.255.0
ip access-policy SERVER
no shutdown
!
interface vlan 1
description LAN CONNECTION
ip address 192.168.1.1 255.255.255.0
ip access-policy PRIVATE
no shutdown
!
ip access-list extended SERVER
permit ip any host 1.1.1.2
!
ip policy-class PRIVATE
allow list ADMIN-ACCESS self
nat destination list SERVER address 10.1.1.2
nat source list MATCHALL interface eth 0/1 overload
!
ip policy-class PUBLIC
allow list ADMIN-ACCESS self
nat destination list SERVER address 10.1.1.2
!
ip policy-class SERVER
nat source list MATCHALL interface eth 0/1 overload
I hope that makes sense, but let me know if you have questions.
Levi
Thanks Levi, yes that makes sense!