topic Natting IP address for not DC network in General Topics

Natting IP address for not DC network

dkurochkin — Wed, 03 Mar 2021 21:09:53 GMT

hello

Need natting at fw-1 some hosts which is in aubnet connected to fw-2

we have ClusterXL 5800 gw and some direct connection networks for him and NAT realized here

so
we have ClusterXL 5600 gw and want to realized NAT here for all networks behind clusterXL 5800 (do it for more secure ;0)

cXL 5800 conected with cXL 5600 by 172.19.19.0/29 network

and cXL 5600 have route to networks behind clusterXL 5800

when, for example, at 5600 ping 10.150.50.10 - success, when ping hpe.com - success
thus 5600 have conncect for internal and external networks

# 10.150.50.10 -> 193.100.200.74 (web server)

so
do auto NAT 10.150.50.10 -> 193.100.200.74 for cXL 5800 (only) - and check it

All ok, its works

so
do auto NAT 10.150.50.10 -> 193.100.200.74 for cXL 5600 (only) - and check it

when I try to connect 193.100.200.74 (web server) at external - not worked, not connect. I saw by logs,(by SMS) how NAT rule worked at cXL 5600, but to ended destination didnt get it

how to do it ?
how to get autoNat for 5600 and get answer for 193.100.200.74 (web server) ?

thx

Re: Natting IP address for not DC network

PhoneBoy — Sat, 06 Mar 2021 01:22:02 GMT

The only thing that's clear is that you have a subnet (10.150.50.0/24) behind a 5800.
From your 5800, there is a line that forks in two directions:

A line that goes to the 5600 (presumably the 172.19.19/0 subnet)
A line that goes straight to the "noname border gateway."

What is the precise connectivity here?
Is this a single interface with two IPs (only way this can logically work)?
Is this two different interfaces?
Are the 5600, 5800, and the noname border gateway actually connected to the same physical switch and on the same logical network?
Please clarify this situation.

If only your 5600 is on the same subnet as the noname border gateway then it must ultimately do the NAT between private and public address space.
The 5800 cannot do that in this case.

Re: Natting IP address for not DC network

dkurochkin — Mon, 08 Mar 2021 17:45:25 GMT

I'm so sorry gor my bad draw

of course 5800 have more than 1 interface

for example, bond1.3070 - for 5600, and bond1.3089 for noname router

how it work now:
internal network by 5800, natting by 5800 and go to internet by 5800 trough noname border router

what i want:
internal network by 5800, natting by 5600 and go to internet by 5600 trough noname border router, at 5800 remove interface bond1.3089 for noname router

Re: Natting IP address for not DC network

PhoneBoy — Mon, 08 Mar 2021 19:16:45 GMT

I don’t see why that wouldn’t work provided you:

Change the default route on the 5800 to point to the 5600.
Actually remove the VLAN (not just disable it) for the no name router from the 5800.
Configure NAT only on the 5600, not the 5800.

If it’s not working, I’d run tcpdump on the 5800 and 5600 to see that the traffic is being routed out the correct interface and the NAT is happening at the right place.