4 Replies Latest reply on Feb 18, 2013 1:46 PM by dime

    NAT reflection?

    dime New Member

      Hello!

      I'm not sure NAT reflection is the correct term... I'm trying to route traffic destined to the public IP (from the internal network) BACK into the internal network.  Port forwarding rules are working great from the outside already... When one goes to the public IP now, they are directed to the login screen for the 3448 GUI.  I'd like to apply my NAT rules to them as well.  Then our traveling workers (90% of us) can use the same public URL for accessing hosted services whether inside or outside the office.  Make any sense?

      I tried to add a NAT rule above the standard ICS rule on the Private security zone:

      nat source list web-acl-17 address 24.21.138.209 overload

      ip access-list extended web-acl-17
        remark Local Public IP Router In
        permit ip 10.39.69.0 0.0.0.255 hostname <pub fqdn> log

      Any advice?  Is it possible?

        • Re: NAT reflection?
          levi Employee

          dime:

          Thank you for asking this question in the support community.  There is a very similar post on this topic that has already been answered.  When you get a chance please review it and let me know if you have any additional questions on the topic.

          Re: Hairpin Prevention

          I hope that makes sense, but please do not hesitate to ask any questions.  I will be happy to help in any way I can.

          Levi

            • Re: NAT reflection?
              dime New Member

              Thanks for the response Levi!

              The DNS is just a pain due to the traveling workers... So there isn't a way to mimic this in IPTables?

              iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
              iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE

              I like your idea of giving it a separate address.  Can I just assign another static public IP to eth0/0 and have port forwarding from it to a separate subnet address assigned as an additional address on the host?  Then, since VLAN1 is on 1.1.1.1 and the 'extra' network is on VLAN3, its public being 1.1.1.2, will the routing work in between the two IPs on the same interface?

              SO, VLAN1: 10.0.0.0/24 -> eth0/0 (ip 1.1.1.2) to eth0/0 (ip 1.1.1.1) -> 10.1.1.0/24 ? or would it need to be on a separate interface?

                • Re: NAT reflection?
                  levi Employee

                  dime:

                  There are several things you'll need to do if you give the server its own IP address and subnet.  It is very similar to example six in the Configuring the Firewall (IPv4) in AOS guide.  Here is a general example of the concept:

                  interface eth 0/1
                    description INTERNET CONNECTION
                    ip address 1.1.1.1 255.255.255.252
                    ip address 1.1.1.2 255.255.255.255 secondary
                    ip access-policy PUBLIC
                    no shutdown
                  !
                  interface eth 0/2
                    description SERVER CONNECTION
                    ip address 10.1.1.1 255.255.255.0
                    ip access-policy SERVER
                    no shutdown
                  !
                  interface vlan 1
                    description LAN CONNECTION
                    ip address 192.168.1.1 255.255.255.0
                    ip access-policy PRIVATE
                    no shutdown
                  !
                  ip access-list extended SERVER
                    permit ip any host 1.1.1.2
                  !
                  ip policy-class PRIVATE
                    allow list ADMIN-ACCESS self
                    nat destination list SERVER address 10.1.1.2
                    nat source list MATCHALL interface eth 0/1 overload
                  !
                  ip policy-class PUBLIC
                    allow list ADMIN-ACCESS self
                    nat destination list SERVER address 10.1.1.2
                  !
                  ip policy-class SERVER
                    nat source list MATCHALL interface eth 0/1 overload

                  I hope that makes sense, but let me know if you have questions.

                  Levi
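The two-step translation behind dime's iptables rules (PREROUTING DNAT plus POSTROUTING MASQUERADE) and Levi's policy-class example (`nat destination` plus `nat source ... overload`), as an added walk-through that is not code from the thread, from ADTRAN or from AOS. It simulates the packet path with constructed addresses and shows why the port-forward alone works for outside clients but fails for a client on the same LAN as the server, and why the extra source NAT fixes it. The `NatRouter` and `simulate` names are this example's own.

```python
"""Hairpin (NAT reflection) walk-through.

Added example; not code from the thread, from ADTRAN or from AOS.
It models the two translations discussed above: the DNAT port-forward
(iptables PREROUTING / AOS 'nat destination') and the extra source NAT
(iptables MASQUERADE / AOS 'nat source ... overload') that is only needed
when client and server sit on the same LAN. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed sample addressing (not from the thread).
PUBLIC_IP = "203.0.113.10"       # router's public (WAN) address
LAN = ip_network("10.0.0.0/24")  # internal LAN
ROUTER_LAN_IP = "10.0.0.1"       # router's LAN-side address
SERVER_IP = "10.0.0.50"          # port-forwarded web server
FORWARDED_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply_tuple(self) -> Tuple[str, int, str, int]:
        """4-tuple a reply to this packet will carry (src and dst swapped)."""
        return (self.dst, self.dport, self.src, self.sport)


class NatRouter:
    """Minimal model of a DNAT port-forward with optional hairpin source NAT.

    Source ports are left unchanged for clarity; a real MASQUERADE/'overload'
    translation may rewrite them too.
    """

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # reply 4-tuple as the server will send it -> untranslated request
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward_request(self, pkt: Packet) -> Packet:
        """Request arriving for the public IP; returns what the server receives."""
        original = pkt
        # Step 1 (PREROUTING DNAT / 'nat destination'): public_ip:80 -> server:80.
        if pkt.dst == PUBLIC_IP and pkt.dport == FORWARDED_PORT:
            pkt = Packet(pkt.src, pkt.sport, SERVER_IP, pkt.dport)
        # Step 2 (POSTROUTING MASQUERADE / 'nat source'): only for LAN-to-LAN
        # (hairpin) flows, rewrite the source so the server answers via the router.
        if (self.hairpin_snat
                and ip_address(pkt.src) in LAN
                and ip_address(pkt.dst) in LAN):
            pkt = Packet(ROUTER_LAN_IP, pkt.sport, pkt.dst, pkt.dport)
        self.conntrack[pkt.reply_tuple()] = original
        return pkt

    def forward_reply(self, reply: Packet) -> Optional[Packet]:
        """Server reply seen by the router: undo both translations."""
        key = (reply.src, reply.sport, reply.dst, reply.dport)
        original = self.conntrack.get(key)
        if original is None:
            return None  # no state for this flow: the router would drop it
        return Packet(original.dst, original.dport, original.src, original.sport)


def simulate(client_ip: str, hairpin_snat: bool) -> dict:
    """Run one request/reply exchange and report whether the client accepts it."""
    router = NatRouter(hairpin_snat)
    request = Packet(client_ip, 40000, PUBLIC_IP, FORWARDED_PORT)
    at_server = router.forward_request(request)

    # The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)

    # Server-side routing: a LAN destination is reached directly at layer 2, so
    # the router only sees the reply if it is addressed to the router itself
    # or to something outside the LAN (default route).
    if reply.dst == ROUTER_LAN_IP or ip_address(reply.dst) not in LAN:
        delivered = router.forward_reply(reply)
    else:
        delivered = reply

    # A client socket only accepts a reply matching the 4-tuple it sent to.
    got = ((delivered.src, delivered.sport, delivered.dst, delivered.dport)
           if delivered else None)
    return {
        "server_saw_src": at_server.src,
        "reply_src": delivered.src if delivered else None,
        "client_accepts": got == request.reply_tuple(),
    }


if __name__ == "__main__":
    for who, ip in (("external client", "198.51.100.7"), ("LAN client", "10.0.0.20")):
        for snat in (False, True):
            r = simulate(ip, snat)
            print(f"{who:15s} hairpin_snat={snat!s:5s} server saw {r['server_saw_src']:13s} "
                  f"reply from {str(r['reply_src']):13s} accepted={r['client_accepts']}")
```

Without the source NAT the LAN client's request is delivered to the server with the client's own address, so the server replies straight back on the LAN with its internal address as source; the client's socket expected an answer from the public IP and discards it. With the source NAT the server sees the router's LAN address, its reply is forced back through the router, and both translations are undone. The cost of that fix is visible in the output too: every internal client now appears in the server's logs as the router's LAN address, so client attribution on the server is lost for hairpinned connections.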