1:1 NAT not working

podilarius

You are contradicting your self perhaps. Your wan cannot be /30 and your public a /29. Unlesss you are routing to one in the /30 in which case you have a routed setup and 1:1 nat is useless.

patelbhavin8008

Hi,

thanks for reply…

my ISP has provided me the IP address in this fashion.. our WAN IP is in /30 subnet that is 255.255.255.252 and 8 public ips are in /29 that is 255.255.255.248 subnet.

patelbhavin8008

WAN IP is as below

IP (for our end device) : XXX.XXX.XXX.34
Subnet                      : 255.255.255.252
Gateway (for wan ip)  : XXX.XXX.XXX.33

8 Public IPs
XXX.XXX.XXX.248
XXX.XXX.XXX.249
.
.
.
.
XXX.XXX.XXX.255

Subnet: 255.255.255.248

XXX.XXX.XXX series in all above ips are same, just difference is subnet

Please let me know how can i configure 1:1 NAT. I also had word with ISP he update that it will work with out any problem.

podilarius

If they are not routed, then you will need to proxyarp, as in a virtual ip, them prior to 1:1 NAT.

patelbhavin8008

Thanks for you support..

After your support and support from chat with forum i was able to configure the NAT and ICMP ping was succefully.

But just one difficulty i m facing here is 1:1 NAT between WAN and LAN is working fine. But 1:1 NAT between WAN and OPT1 is not successfully.

I have checked the firewall rules. below are the firewall rule applied for 1:1 NAT for configuration give with

WAN IP : xxx.xxx.xxx.252 (also virtual Ip created as type "Other" for this ip)
LAN IP : 10.10.20.60
OPT1 (DMZ) IP : 10.10.10.59

Firewall Rule for WAN
Proto     Source Port Destination           Port Gateway Queue
ICMP       * * 115.112.149.252       *     *         none
ICMP       * * 10.10.10.59               *     *          none
ICMP       * * 10.10.20.60          *     *         none

Firewall Rule for LAN
Proto     Source Port Destination           Port Gateway Queue
ICMP       * *       *                     *           *         none

Firewall Rule for OPT1(DMZ)
Proto     Source Port Destination           Port Gateway Queue
ICMP       * *       *                     *           *         none

Now if i configure 1:1 NAT for WAN and LAN i get ping succesful. But if i change IP 10.10.20.60 (LAN) to 10.10.10.59 (OPT1 - DMZ) then i do not get ping. Again if i change ip to LAN ping is successful.

can you please guide me where i m wrong.

podilarius

Let me preface this with, ping is not a good way to tell if things are working properly. I would test with http, ssh, or just about any tcp protocol services (aside from ftp). It would also be nice to know where you are pinging from.

patelbhavin8008

not only NAT but i also found now that even i am not able to access internet from OPT1 (DMZ) network. I can able to access internet from LAN but not from OPT1…

I tried one PC with LAN network subnet with gateway as LAN interface IP and my internet working fine.. but when i shift the same system in OPT1 network subnet and provides gateway as OPT1 interface ip then i my internet is not working.

podilarius

well according to the rules you posted, only ping is allowed out. you need to add a rule for outbound traffic from OPT1. There is not one by default, only on LAN is one created by default. The global rule is to block.

patelbhavin8008

Hi,

I checked firewall rules i have dont find any such rule for LAN even.. can you just guide me where i should put this outbound rule..

podilarius

The rule should be in LAN and OPT1 that basically says that from LAN/OPT1 Net to any is allowed.