Cisco
Sergey, 2015-10-27 10:24:38

Why doesn't static NAT work correctly on the Cisco 6500?

There is a Cisco 6500 with FWSM version 3.2(2).
VPN server clients go out through the yyy.yyy.yyy.yyy interface.
The xxx.xxx.xxx.xxx interface provides external access to the IP camera.

access-list INCOMING extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list INCOMING extended permit icmp any host xxx.xxx.xxx.xxx
access-list OUTCOMING extended permit ip host 192.168.32.20 any
access-list OUTCOMING extended permit ip host 192.168.111.66 any
static (inside,outside) yyy.yyy.yyy.yyy 192.168.111.66 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.32.20 netmask 255.255.255.255
access-group OUTCOMING in interface inside
access-group INCOMING in interface outside

There are no problems with the yyy.yyy.yyy.yyy (VPN) interface.
For some time after the config is loaded, NAT on the xxx.xxx.xxx.xxx interface also works fine:
sh xlate
Global yyy.yyy.yyy.yyy Local 192.168.111.66
Global xxx.xxx.xxx.xxx Local 192.168.32.20

After some time, access to the camera from outside disappears; I run:
sh xlate
Global yyy.yyy.yyy.yyy Local 192.168.111.66
Global xxx.xxx.xxx.xxx Local xxx.xxx.xxx.xxx

After deleting the wrong entry from the translation table, it works again for a while:
clear xlate global xxx.xxx.xxx.xxx
sh xlate
Global yyy.yyy.yyy.yyy Local 192.168.111.66
Global xxx.xxx.xxx.xxx Local 192.168.32.20

As I understand it, because there is constant traffic to the VPN server, its entry is never removed from the translation table. But access to the camera is only occasional (it is used for spot checks), so once the lifetime expires the camera's translation entry is removed from the table. But why does it then become invalid?

3 answer(s)
Oleg, 2015-11-03
@KimFirst

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Look at the timeouts after which NAT stops working.
By default (see the config) the lifetime of any translation is three hours. Next is the lifetime of a connection without data exchange: one hour, after which the Cisco tears the connection down and the entries for both legs of the connection are deleted.
If possible, try to get the camera to ping or poll something (dyndns, ntp, whatever),
or periodically "punch" it from the outside with packets.
You can of course increase the timeouts, but that is an extreme measure, better left as a last resort (connection tables are not infinitely elastic: the longer the timeout, the longer entries "hang" there. Eventually the supply of entries may run out, and the box will start dropping packets without explanation).
And one more thing...
I don't remember now, but does translation work in transparent firewall mode the same way as in the classic case? Again, I repeat that I can't guarantee the accuracy of that last point (I myself usually only filtered traffic in "transparent" mode and didn't play with NAT; there were other boxes for that).
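As an added example (not code from the original thread or from Cisco), the script below turns the two things discussed so far into a check: it parses the `static` and `timeout` lines of an FWSM context together with `show xlate` output in the format quoted in the question, reports any translation whose Local side no longer matches its static (the identity entry Global xxx Local xxx that breaks access to the camera), prints the `clear xlate global` command the asker used to recover, and derives a probe interval for Oleg's suggestion of keeping the camera's translation alive with traffic from outside. The sample config and xlate lines are constructed from this thread with the masked 194.xxx/194.yyy addresses replaced by RFC 5737 documentation addresses; the 0.5 fraction and the function names are the example's own choices, not anything from the FWSM documentation.

```python
"""Check FWSM 'show xlate' output against configured statics and derive a
keep-alive probe interval from the idle timeouts. Added example; all sample
data below is constructed from the outputs quoted in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the static and timeout lines from the posted context config,
# with the masked 194.xxx/194.yyy addresses replaced by RFC 5737 addresses.
FWSM_CONFIG = """\
static (inside,outside) 198.51.100.243 192.168.111.66 netmask 255.255.255.255
static (inside,outside) 198.51.100.244 192.168.32.20 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
"""

# Constructed 'show xlate' output in the healthy state ...
SHOW_XLATE_OK = """\
Global 198.51.100.243 Local 192.168.111.66
Global 198.51.100.244 Local 192.168.32.20
"""

# ... and in the broken state from the question: the camera's global address
# now translates to itself instead of to 192.168.32.20.
SHOW_XLATE_BROKEN = """\
Global 198.51.100.243 Local 192.168.111.66
Global 198.51.100.244 Local 198.51.100.244
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?P<mapped>[\d.]+) (?P<real>[\d.]+)")
XLATE_RE = re.compile(r"^Global (?P<global>[\d.]+) Local (?P<local>[\d.]+)")
TIMEOUT_RE = re.compile(r"^timeout (?P<kind>xlate|conn) (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)")


def parse_statics(config: str) -> dict[str, str]:
    """Map each configured global (mapped) address to its real inside address."""
    return {m["mapped"]: m["real"]
            for m in (STATIC_RE.match(l.strip()) for l in config.splitlines()) if m}


def parse_xlate(output: str) -> dict[str, str]:
    """Map Global -> Local for every translation line in 'show xlate' output."""
    return {m["global"]: m["local"]
            for m in (XLATE_RE.match(l.strip()) for l in output.splitlines()) if m}


def parse_timeouts(config: str) -> dict[str, int]:
    """Return the 'timeout xlate' and 'timeout conn' idle timeouts in seconds."""
    out: dict[str, int] = {}
    for line in config.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m:
            out[m["kind"]] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return out


@dataclass(frozen=True)
class XlateProblem:
    global_ip: str
    expected_local: str
    actual_local: str

    @property
    def is_identity(self) -> bool:
        """True for the 'Global X Local X' entry seen in the question."""
        return self.global_ip == self.actual_local


def check_xlates(config: str, xlate_output: str) -> list[XlateProblem]:
    """Report xlates whose Local side disagrees with the configured static.

    A static with no xlate at all is not reported: that is the normal state of
    an idle mapping after 'timeout xlate' expires, and the next matching packet
    rebuilds it. An xlate that exists but points elsewhere is what breaks access.
    """
    expected = parse_statics(config)
    actual = parse_xlate(xlate_output)
    return [XlateProblem(g, expected[g], actual[g])
            for g in expected if g in actual and actual[g] != expected[g]]


def remediation_commands(problems: list[XlateProblem]) -> list[str]:
    """'clear xlate global <ip>' is what the question used to recover; the next
    packet matching the static then re-creates the correct entry."""
    return [f"clear xlate global {p.global_ip}" for p in problems]


def keepalive_interval(config: str, fraction: float = 0.5) -> int:
    """Seconds between external probes so an idle static never reaches its
    timeout: a fraction (example's choice) of the shorter of 'timeout xlate'
    and 'timeout conn', following Oleg's advice to keep traffic flowing
    rather than raise the timeouts."""
    t = parse_timeouts(config)
    return int(min(t["xlate"], t["conn"]) * fraction)


if __name__ == "__main__":
    problems = check_xlates(FWSM_CONFIG, SHOW_XLATE_BROKEN)
    for p in problems:
        kind = "identity xlate" if p.is_identity else "wrong local"
        print(f"{p.global_ip}: {kind}, expected {p.expected_local}, got {p.actual_local}")
    for cmd in remediation_commands(problems):
        print(cmd)
    print(f"probe the camera from outside every {keepalive_interval(FWSM_CONFIG)} s")
```

Feeding it the live `show running-config` and `show xlate` output of the context instead of the constructed strings is enough to run it as a periodic monitor. It only makes the configured idle timeouts explicit and spots the bad entry; whether polling from outside actually prevents the identity xlate from appearing is not something this thread settles.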

Valentin, 2015-10-29
@vvpoloskin

I think the problem lies in these lines.

static (inside,outside) yyy.yyy.yyy.yyy 192.168.111.66 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.32.20 netmask 255.255.255.255

Post them in full, together with the first part.
Also clean up the ACLs from the start. Extended ACLs are better used on the interface, not in the NAT rules.

Sergey, 2015-10-30
@KimFirst

What's wrong with these lines? What should the first part be? I followed the Cisco manual (the FWSM Configuration section, static NAT), where the example gives the static command and sets the ACL.
Here is the complete configuration of this FWSM context:

FWSM Version 3.2(2) <context>
!
firewall transparent
hostname *****
domain-name net.***.***.ru
enable password ********* encrypted
names
!
interface Vlan2
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan5
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 192.168.3.218 255.255.255.252
!
passwd ********** encrypted
object-group network localnets
 network-object 10.0.0.0 255.255.255.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object host 93.187.152.62
object-group network denyserv
 network-object host 194.***.***.198
 network-object host 194.***.***.33
 network-object host 194.***.***.50
 network-object host 194.***.***.60
 network-object host 194.***.***.209
 network-object host 194.***.***.234
 network-object host 194.***.***.241
object-group network webservers
 network-object 194.***.***.32 255.255.255.240
 network-object 194.***.***.208 255.255.255.240
access-list INCOMING extended deny udp any any eq 1434 log errors
access-list INCOMING extended deny ip object-group localnets any log disable
access-list INCOMING extended deny ip any object-group localnets log disable
access-list INCOMING extended deny ip object-group denyserv any log errors
access-list INCOMING extended deny ip any object-group denyserv log errors
access-list INCOMING extended permit tcp any host 194.xxx.xxx.244 eq www
access-list INCOMING extended permit icmp any host 194.xxx.xxx.244
access-list INCOMING extended deny ip any any log errors
access-list OUTCOMING extended deny udp any any eq 1434 log errors
access-list OUTCOMING extended permit ip host 192.168.32.20 any
access-list OUTCOMING extended permit ip host 192.168.111.66 any
access-list OUTCOMING extended deny ip object-group localnets any log disable
access-list OUTCOMING extended deny ip any object-group localnets log disable
access-list OUTCOMING extended deny ip any any log errors
pager lines 24
logging enable
logging trap errors
logging asdm errors
logging facility 16
logging host inside 194.***.***.16
mtu inside 1500
mtu outside 1500
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
static (inside,outside) 194.yyy.yyy.243 192.168.111.66 netmask 255.255.255.255
static (inside,outside) 194.xxx.xxx.244 192.168.32.20 netmask 255.255.255.255
access-group OUTCOMING in interface inside
access-group INCOMING in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.3.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 194.***.***.240 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 194.***.***.0 255.255.255.192 inside
ssh 194.***.***.240 255.255.255.240 inside
ssh timeout 30
ssh version 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 768
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
