Re: OT: NAT Translation Problem

From: olumayokun fowowe <olumayokun_at_gmail.com>
Date: Wed, 24 Mar 2010 08:36:10 +0100

Thanks Segun. I appreciate.

On Tue, Mar 23, 2010 at 9:01 PM, Segun Daini <segundaini_at_yahoo.com> wrote:

> The result is normal.
>
> When you initiate an http request from 172.y.x.5, the port on 172.y.x.5 is
> random and not tcp/80, while the port on the destination is 80, and the
> xlate entry exists only for 172.y.x.5:80. Same applies to the rest.
>
>
> On the other way, when you initiate an http request to 192.168.5.126, it
> matches your xlate entry for 192.168.5.126:80.
>
> Regards.
>
> ------------------------------
> *From:* olumayokun fowowe <olumayokun_at_gmail.com>
> *To:* Cisco certification <ccielab_at_groupstudy.com>
> *Sent:* Tue, March 23, 2010 11:06:05 AM
> *Subject:* OT: NAT Translation Problem
>
> Hello All,
>
> I have the scenario below:
>
>
> ------inside(172.y.x.0/24)----------FW----------outside----------R1------------
>
> on the firewall, I have the following configuration:
>
> FW
> ====
> interface GigabitEthernet0/0
> nameif outside
> security-level 0
> ip address 192.168.10.2 255.255.255.0
>
> route outside 0.0.0.0 0.0.0.0 192.168.10.13 3
>
> static (inside,outside) tcp 192.168.5.126 https 172.y.x.5 https netmask 255.255.255.255
> static (inside,outside) tcp 192.168.5.126 www 172.y.x.5 www netmask 255.255.255.255
> static (inside,outside) tcp 192.168.5.126 smtp 172.y.x.5 smtp netmask 255.255.255.255
> static (inside,outside) tcp 192.168.5.126 pop3 172.y.x.5 pop3 netmask 255.255.255.255
>
> R1
> ===
>
> interface GigabitEthernet0/0
> ip address 192.168.10.13 255.255.255.0
> ip nat inside
> ip virtual-reassembly
>
> interface GigabitEthernet0/1
> ip address 192.168.5.122 255.255.255.248
> ip nat outside
> ip virtual-reassembly
>
> ip route 0.0.0.0 0.0.0.0 192.168.5.121
> ip route 192.168.5.126 255.255.255.255 192.168.10.2
>
> ip nat inside source list 100 interface GigabitEthernet0/1 overload
>
> access-list 100 permit ip 172.y.x.0 0.0.0.255 any
>
> My host device on 172.y.x.5 was translated for www, https and smtp traffic
> on the firewall, and there is a nat overload translation for the 172.y.x.0/24
> network on the router. For outbound traffic, I believe the host 172.y.x.5
> should have been translated to 192.168.5.126 for smtp, https and www traffic
> before it gets to the router, but that is not the case. On using an access-list
> to check the log on my router, it still has a source address of 172.y.x.5
> and is later translated to 192.168.5.122 to the outside. Moreover, I can telnet
> to my host device from the outside on ports 80, 443 and 25 using its global ip
> address. What could be the cause of this and how do I resolve this?
>
> Thank you.
>
> Mayor
>
> --
> Olumayokun Fowowe
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Olumayokun Fowowe
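The xlate behaviour Segun describes, as an added Python model that is not part of the thread or of any Cisco code: it keeps the thread's 172.y.x.5 placeholder, uses a constructed outside host 203.0.113.10, and assumes a port static matches only the exact local socket outbound and the exact global socket inbound, while R1's overload PAT matches any source in 172.y.x.0/24.

```python
# Constructed model of the thread's xlate behaviour (not the ASA's real code).
# Addresses keep the thread's placeholders; 203.0.113.10 is a made-up outside host.

FW_STATIC_PAT = [
    # (global_ip, global_port, local_ip, local_port) from
    # "static (inside,outside) tcp 192.168.5.126 <svc> 172.y.x.5 <svc>"
    ("192.168.5.126", 443, "172.y.x.5", 443),
    ("192.168.5.126", 80, "172.y.x.5", 80),
    ("192.168.5.126", 25, "172.y.x.5", 25),
    ("192.168.5.126", 110, "172.y.x.5", 110),
]

ROUTER_OUTSIDE_IP = "192.168.5.122"  # R1 Gi0/1, the 'overload' interface

def fw_outbound(src_ip, src_port, dst_ip, dst_port):
    """inside->outside on the FW: a port static only rewrites the source when
    src_ip:src_port is exactly the local socket of an entry. A client's
    ephemeral source port never matches, so the packet leaves untranslated."""
    for g_ip, g_port, l_ip, l_port in FW_STATIC_PAT:
        if (src_ip, src_port) == (l_ip, l_port):
            return (g_ip, g_port, dst_ip, dst_port)
    return (src_ip, src_port, dst_ip, dst_port)

def fw_inbound(src_ip, src_port, dst_ip, dst_port):
    """outside->inside on the FW: rewrites the destination when dst_ip:dst_port
    is exactly the global socket of an entry; None means no xlate exists, so
    the firewall has nothing to deliver the packet to."""
    for g_ip, g_port, l_ip, l_port in FW_STATIC_PAT:
        if (dst_ip, dst_port) == (g_ip, g_port):
            return (src_ip, src_port, l_ip, l_port)
    return None

def router_overload(src_ip, src_port, dst_ip, dst_port, pat_port=1024):
    """R1: 'ip nat inside source list 100 interface Gi0/1 overload' matches
    any source in 172.y.x.0/24 (access-list 100) and PATs it to Gi0/1's IP.
    pat_port is a constructed stand-in for the port the router would pick."""
    if src_ip.startswith("172.y.x."):
        return (ROUTER_OUTSIDE_IP, pat_port, dst_ip, dst_port)
    return (src_ip, src_port, dst_ip, dst_port)

def trace_client_request(dst_ip="203.0.113.10", src_port=51234):
    """Follow a browser request from 172.y.x.5 through FW then R1, returning
    the source socket R1 logs and the source socket seen on the outside."""
    after_fw = fw_outbound("172.y.x.5", src_port, dst_ip, 80)
    after_r1 = router_overload(*after_fw)
    return after_fw[:2], after_r1[:2]
```

Running trace_client_request() reproduces the log Mayor saw: R1 receives the packet from 172.y.x.5 and PATs it to 192.168.5.122, while fw_inbound to 192.168.5.126:80 and a server reply sourced from 172.y.x.5:80 both hit the static entry.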
Received on Wed Mar 24 2010 - 08:36:10 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART