Good Morning,
I've spent a horrendous amount of time on this, and would love some assistance.
I found several discussions on this topic, but no one actually seemed to post an answer.
All help appreciated.
I have a public set of IPs.
I want one IP to be used for One to Many NAT
And then I have several machines on the inside, that I want addressable via One to One NAT.
I can't seem to get this to work.
No matter what I do, the many-to-one seems to work on all of the machines, including the ones I want to use one-to-one.
help!
@jkerr - Thanks for posting your question on the forum. After taking a look at your configuration, I think I see the issue you are running into and would like to make a couple of suggestions.
The 'Public' policy-class is configured correctly. However, the 'Private' policy-class needs a couple of modifications.
- First, the rule "allow list 172.outbound stateless" is currently placed above your NAT statements. This is problematic as this rule is matching all traffic sourced from your LAN (172.16.3.x) and allowing it through. The AOS firewall matches traffic in a top-down fashion so once a packet matches a rule, it will not check any rules further below it. This rule needs to be below your NAT statements.
- The ACLs LAN14, LAN11, LAN12, and LAN31 need the same modifications made. The ACLs reference destination traffic instead of source traffic. For example, the ACL LAN14 is currently configured as such:
ip access-list extended LAN14
permit ip any host 172.16.3.14
This matches traffic destined for 172.16.3.14. This rule actually needs to match traffic sourced from 172.16.3.14. So the ACL should look like this:
ip access-list extended LAN14
permit ip host 172.16.3.14 any
Once these changes have been made, your 1:1 NAT as well as your Many:1 NAT should all work. Let us know if you have any further questions or issues regarding this.
Thanks,
Noor
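To see why both the rule order and the ACL direction matter, here is an added example in Python (not part of the thread and not AOS code): it models a policy-class as a top-down list and evaluates an outbound packet from 172.16.3.14 against the misordered, the wrong-ACL and the corrected versions. ACL and policy names follow the configuration posted in the thread (LAN014, NATALL, LAN172.outbound); the destination 198.51.100.10 is a constructed test address.

```python
# Added example (not from the thread or ADTRAN): a toy model of how a
# policy-class is walked top-down, first match wins. It reproduces both
# problems Noor describes: an 'allow' above the NAT rules shadows them, and
# a per-host ACL written on destination never matches that host's outbound
# traffic, so it falls through to NATALL (the many-to-one rule).
import ipaddress

def _net(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1])), i + 2  # hostmask ok

def parse_ace(line):
    """'permit <proto> <src> <dst> ...' -> (proto, src_net, dst_net)."""
    t = line.split()
    assert t[0] == "permit", "only permit entries are modelled"
    src, i = _net(t, 2)
    dst, _ = _net(t, i)
    return t[1], src, dst

def acl_matches(acl, proto, src, dst):
    return any(p in ("ip", proto) and src in s and dst in d for p, s, d in acl)

def first_match(policy, acls, proto, src, dst):
    """Top-down walk: return the first entry whose ACL matches, else deny."""
    for entry in policy:
        if acl_matches(acls[entry[1]], proto, src, dst):
            return entry
    return ("deny", "implicit", None)

ACLS = {
    "LAN014": [parse_ace("permit ip host 172.16.3.14 any")],      # corrected
    "LAN014_dst": [parse_ace("permit ip any host 172.16.3.14")],  # as quoted
    "NATALL": [parse_ace("permit ip 172.16.3.0 0.0.0.255 any")],
    "LAN172.outbound": [parse_ace("permit ip 172.16.3.0 0.0.0.255 any")],
}
# Entries are (action, acl_name, nat_target); xx.yy.186.3 is the thread's
# masked public address, kept here only as a label.
ALLOW_FIRST = [("allow", "LAN172.outbound", None),
               ("nat source", "LAN014_dst", "xx.yy.186.3"),
               ("nat source", "NATALL", "eth 0/2")]
WRONG_ACL = ALLOW_FIRST[1:] + ALLOW_FIRST[:1]          # order fixed, ACL not
FIXED = [("nat source", "LAN014", "xx.yy.186.3"),
         ("nat source", "NATALL", "eth 0/2"),
         ("allow", "LAN172.outbound", None)]

def outbound(policy, src_ip, dst_ip="198.51.100.10"):
    """Which Private policy-class entry handles a TCP packet from src_ip?"""
    return first_match(policy, ACLS, "tcp", ipaddress.ip_address(src_ip),
                       ipaddress.ip_address(dst_ip))
```

Calling outbound() with each of the three policies shows the packet from 172.16.3.14 landing on the plain allow, then on NATALL, and only with the corrected list on its own 1:1 entry.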
Thank you Noor,
I will give these a shot tonight!
I did wonder as well about the order of things.
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks,
Noor
Good Morning.
It took a wee bit more tweaking, but yes, your answer definitely led to success!
Below are the relevant portions that I used. Hoping it saves someone some time in the future.
!
ip subnet-zero
ip classless
ip routing
!
!
no auto-config
!
!
interface eth 0/1
description Internal Connection
ip address 172.16.3.5 255.255.255.0
ip access-policy Private
no shutdown
!
!
interface eth 0/2
description External Connection
ip address xx.yy.186.2 255.255.255.192
ip address range xx.yy.186.3 xx.yy.186.5 255.255.255.192 secondary
ip access-policy Public
no rtp quality-monitoring
no shutdown
!
!
!
!
interface t1 1/1
description Not used
shutdown
!
interface ppp 1
shutdown
!
!
!
router rip
passive-interface eth 0/1
passive-interface eth 0/2
!
!
ip access-list extended ALL
! Implicit permit (only for empty ACLs)
!
ip access-list extended AdminAccess
remark AdminAccess Access List
permit ip host aa.bb.198.84 any log
permit tcp host aa.bb.198.84 any eq telnet log
permit tcp host aa.bb.198.84 any eq https log
permit tcp host aa.bb.198.84 any eq ssh log
permit ip cc.dd.7.0 0.0.0.255 any log
!
ip access-list extended LAN011
permit ip host 172.16.3.11 any
!
ip access-list extended LAN012
permit ip host 172.16.3.12 any
!
ip access-list extended LAN014
permit ip host 172.16.3.14 any
!
ip access-list extended LAN172.outbound
remark 172.outbound Net Allow Outbound
permit ip 172.16.3.0 0.0.0.255 any
!
ip access-list extended linuxip-acl
! Implicit permit (only for empty ACLs)
!
ip access-list extended NATALL
permit ip 172.16.3.0 0.0.0.255 any
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended WAN003
permit tcp any host xx.yy.186.3 eq domain log
permit udp any host xx.yy.186.3 eq domain log
permit tcp any host xx.yy.186.3 eq www log
permit tcp any host xx.yy.186.3 eq https log
permit tcp any host xx.yy.186.3 eq 220 log
permit tcp any host xx.yy.186.3 eq 143 log
permit tcp any host xx.yy.186.3 eq pop3 log
permit tcp any host xx.yy.186.3 eq smtp log
permit tcp any host xx.yy.186.3 eq ftp-data log
permit tcp any host xx.yy.186.3 eq ftp log
permit tcp host aa.bb.198.84 host xx.yy.186.3 eq 3389 log
permit tcp cc.dd.7.0 0.0.0.255 host xx.yy.186.3 eq 3389 log
!
ip access-list extended WAN004
permit tcp any host xx.yy.186.4 eq domain log
permit udp any host xx.yy.186.4 eq domain log
permit tcp any host xx.yy.186.4 eq ssh log
permit udp any host xx.yy.186.4 eq tftp log
permit tcp any host xx.yy.186.4 eq 989 log
permit tcp any host xx.yy.186.4 eq 990 log
permit tcp any host xx.yy.186.4 eq www log
permit tcp any host xx.yy.186.4 eq https log
permit tcp host aa.bb.198.84 host xx.yy.186.4 eq 3389 log
permit tcp cc.dd.7.0 0.0.0.255 host xx.yy.186.4 eq 3389 log
!
ip access-list extended WAN005
permit tcp any host xx.yy.186.5 eq domain log
permit udp any host xx.yy.186.5 eq domain log
permit tcp any host xx.yy.186.5 eq ssh log
permit udp any host xx.yy.186.5 eq tftp log
permit tcp any host xx.yy.186.5 eq 989 log
permit tcp any host xx.yy.186.5 eq 990 log
permit tcp any host xx.yy.186.5 eq www log
permit tcp any host xx.yy.186.5 eq https log
permit tcp host aa.bb.198.84 host xx.yy.186.5 eq 3389 log
permit tcp cc.dd.7.0 0.0.0.255 host xx.yy.186.5 eq 3389 log
!
!
!
ip policy-class Private
nat source list LAN011 address xx.yy.186.4 overload
nat source list LAN012 address xx.yy.186.5 overload
nat source list LAN014 address xx.yy.186.3 overload
nat source list NATALL interface eth 0/2 overload
allow list LAN172.outbound stateless
allow list ALL self
!
ip policy-class Public
nat destination list WAN003 address 172.16.3.14
nat destination list WAN004 address 172.16.3.11
nat destination list WAN005 address 172.16.3.12
allow list AdminAccess
!
!
!
ip route 0.0.0.0 0.0.0.0 xx.yy.186.1
!
!