Re: OT: NAT Translation Problem

From: 'Segun Daini <segundaini_at_yahoo.com>
Date: Tue, 23 Mar 2010 13:01:05 -0700 (PDT)

The result is normal.

When you initiate an http request from 172.y.x.5, the port on 172.y.x.5 is random and not tcp/80, while the port on the destination is 80, and the xlate entry exists only for 172.y.x.5:80. Same applies to the rest.

On the other hand, when you initiate an http request to 192.168.5.126, it matches your xlate entry for 192.168.5.126:80.

Regards.
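As an added illustration of the match rule described above (not code from either mail), here is a small Python model of the firewall's four static port entries and R1's overload NAT, using the addresses from the thread; it keeps the obscured inside prefix 172.y.x. literally and does not model the router's own source-port rewriting.

```python
# Added example: a minimal model of static port-level NAT matching.
# The inside host is kept as the literal "172.y.x.5" from the original post.
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticPat:
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


# The four "static (inside,outside) tcp ..." lines from the firewall config.
FW_XLATES = [
    StaticPat("192.168.5.126", 443, "172.y.x.5", 443),  # https
    StaticPat("192.168.5.126", 80, "172.y.x.5", 80),    # www
    StaticPat("192.168.5.126", 25, "172.y.x.5", 25),    # smtp
    StaticPat("192.168.5.126", 110, "172.y.x.5", 110),  # pop3
]


def translate_outbound(src_ip, src_port, xlates=FW_XLATES):
    """Inside->outside: a static port entry matches only when the inside
    host's *source* ip:port equals the mapped local ip:port. A client
    connecting out from an ephemeral port never matches."""
    for x in xlates:
        if (x.local_ip, x.local_port) == (src_ip, src_port):
            return (x.global_ip, x.global_port)
    return (src_ip, src_port)  # no matching xlate: source left as-is


def translate_inbound(dst_ip, dst_port, xlates=FW_XLATES):
    """Outside->inside: match on the destination global ip:port."""
    for x in xlates:
        if (x.global_ip, x.global_port) == (dst_ip, dst_port):
            return (x.local_ip, x.local_port)
    return None  # no static entry for this port: nothing to translate to


def router_overload(src_ip, outside_ip="192.168.5.122"):
    """R1's 'ip nat inside source list 100 interface Gi0/1 overload':
    access-list 100 only permits 172.y.x.0/24 (source port rewrite not modelled)."""
    return outside_ip if src_ip.startswith("172.y.x.") else src_ip


def outbound_path(src_ip, src_port):
    """Source as seen past R1 after firewall static NAT, then router overload."""
    fw_ip, fw_port = translate_outbound(src_ip, src_port)
    return (router_overload(fw_ip), fw_port)
```

`outbound_path("172.y.x.5", 51234)` reproduces what the poster saw in the router log: the firewall leaves the ephemeral-port flow untouched and R1 overloads it to 192.168.5.122.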

________________________________
From: olumayokun fowowe <olumayokun_at_gmail.com>
To: Cisco certification <ccielab_at_groupstudy.com>
Sent: Tue, March 23, 2010 11:06:05 AM
Subject: OT: NAT Translation Problem

Hello All,

I have the scenario below:

------inside(172.y.x.0/24)----------FW----------outside----------R1------------

on the firewall, I have the following configuration:

FW
====
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.10.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.10.13 3

static (inside,outside) tcp 192.168.5.126 https 172.y.x.5 https netmask 255.255.255.255
static (inside,outside) tcp 192.168.5.126 www 172.y.x.5 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.5.126 smtp 172.y.x.5 smtp netmask 255.255.255.255
static (inside,outside) tcp 192.168.5.126 pop3 172.y.x.5 pop3 netmask 255.255.255.255

R1
===

interface GigabitEthernet0/0
ip address 192.168.10.13 255.255.255.0
ip nat inside
ip virtual-reassembly

interface GigabitEthernet0/1
ip address 192.168.5.122 255.255.255.248
ip nat outside
ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 192.168.5.121
ip route 192.168.5.126 255.255.255.255 192.168.10.2

ip nat inside source list 100 interface GigabitEthernet0/1 overload

access-list 100 permit ip 172.y.x.0 0.0.0.255 any

My host device on 172.y.x.5 was translated for www, https and smtp traffic
on the firewall, and there is a nat overload translation for 172.y.x.0/24
network on the router. For outbound traffic, I believe the host 172.y.x.5
should have been translated to 192.168.5.126 for smtp, https and www traffic
before it gets to the router, but that is not the case. On using an access-list
to check the log on my router, it still has a source address of 172.y.x.5
and is later translated to 192.168.5.122 to the outside. Moreover, I can telnet
to my host device from the outside on ports 80, 443 and 25 using its global ip
address. What could be the cause of this and how do I resolve this?

Thank you.

Mayor

-- 
Olumayokun Fowowe
Received on Tue Mar 23 2010 - 13:01:05 ART