rocketlauncher
Programmer
Good Afternoon All.
We need for an outside host to send data to an internal host thru TCP ports. I see the hitcnt for the defined ACL incrementing and the log shows "%FWSM-7-302014: Teardown TCP connection" on both firewalls when using traditional one-to-one static NAT. But for some reason the units are not able to connect.
I noticed that when the packet is received at the FW, the source IP is a public IP. So I'm suspecting asymmetrical routing is the issue, as FW2 uses another way out to reach the internet. So what I'm trying to do is force all traffic sourced from the public and destined to the internal host to be returned thru the same path it originated from. This is done by changing the source IP of the NATed public IP address to an internal source IP, that way FW2 can send the return traffic back the same path. I've read about policy NAT and it looks like this is the way to go, but I can't get it to work.
Hopefully the explanation made sense.
-----
<OutsideHost>--<RTR1>--<FW1>--MPLS--<RTR2>--<FW2>--<InternalHost>
a) Outside host sends data to: 99.99.99.99 (Public Source IP)
b) 99.99.99.99 NATed to 88.88.88.88 (Internal Source IP)
c) 88.88.88.88 sends data to 77.77.77.77 (Internal Host)
d) 77.77.77.77 sends data back to 88.88.88.88 and out thru 99.99.99.99
access-list OUTSIDE extended permit tcp any host 99.99.99.99 eq 9876
access-list ACL1 extended permit ip host 99.99.99.99 host 77.77.77.77
static (OUTSIDE,inside) 88.88.88.88 access-list ACL1
----
When I configure policy NAT the ACL hitcnt doesn't increment at all. So I'm sure I'm missing something.
Hopefully someone can assist.
Thanks in advance.
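To make the asymmetric-routing reasoning in the post concrete, here is an added Python model of the two-firewall path (not the original poster's config and not FWSM code). It assumes a constructed outside-host address (203.0.113.10) and a route table for FW2 in which only 88.88.88.88/32 points back over MPLS; it compares a plain 1:1 static NAT against the source-rewriting policy NAT the poster describes.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the post; the outside host's real address (203.0.113.10) is a
# constructed placeholder, as is the route table used for FW2 below.
OUTSIDE_HOST = "203.0.113.10"
PUBLIC_IP = "99.99.99.99"      # advertised on FW1's outside
INSIDE_SRC = "88.88.88.88"     # inside-side source the policy NAT presents
INTERNAL_HOST = "77.77.77.77"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flag: str  # "SYN" or "SYN-ACK"

def fw1_inbound(pkt, policy_nat, conns):
    """FW1 translates dst PUBLIC_IP -> INTERNAL_HOST; with policy NAT it also
    rewrites the source to INSIDE_SRC. The inside-side pair is recorded so the
    reply can be matched against the connection table (stateful inspection)."""
    new_src = INSIDE_SRC if policy_nat else pkt.src
    conns[(INTERNAL_HOST, new_src)] = pkt.src  # remember the real outside source
    return Pkt(new_src, INTERNAL_HOST, pkt.flag)

def fw2_route(pkt):
    """FW2's forwarding decision for the internal host's reply (assumed routes):
    88.88.88.88/32 is reachable over MPLS towards FW1; anything else, including
    public addresses, leaves through FW2's own internet uplink."""
    mpls_routes = [ipaddress.ip_network("88.88.88.88/32")]
    dst = ipaddress.ip_address(pkt.dst)
    return "mpls" if any(dst in net for net in mpls_routes) else "fw2-internet"

def fw1_return(pkt, conns):
    """FW1 forwards a reply only if it matches a tracked connection, untranslating
    it back to the outside host; otherwise it is dropped (no state for it)."""
    real_dst = conns.get((pkt.src, pkt.dst))
    return Pkt(PUBLIC_IP, real_dst, pkt.flag) if real_dst else None

def simulate(policy_nat):
    """Run one TCP SYN / SYN-ACK exchange and report where the reply went."""
    conns = {}
    inside_syn = fw1_inbound(Pkt(OUTSIDE_HOST, PUBLIC_IP, "SYN"), policy_nat, conns)
    synack = Pkt(inside_syn.dst, inside_syn.src, "SYN-ACK")  # internal host replies
    path = fw2_route(synack)
    if path != "mpls":                 # reply bypasses FW1: its half-open SYN state times out
        return {"return_path": path, "handshake": "fails"}
    back = fw1_return(synack, conns)
    done = back is not None and back.dst == OUTSIDE_HOST
    return {"return_path": path, "handshake": "completes" if done else "fails"}
```

With the public source left untouched the SYN-ACK leaves via FW2's own uplink and FW1 only ever sees one direction of the connection, which is consistent with the teardown messages in the post; with the source rewritten to 88.88.88.88 the reply is routed back over MPLS and matches FW1's state.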