Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 1433 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT/SNAT configuration problem

dedi_e
Hello,
I'm trying to configure DNAT but, it doesn't really work.
I have two networks:
eth1/external: 199.203.250.107
eth0/internal: 192.168.2.1

I have an FTP server on 192.168.2.101 which I want to access from the outside world.

Currently the packet filtering rule says:
any any any allow

So the packet filtering allows any traffic.

I have a masquerade NAT to allow all 192.168.2.X network to access the outside world.

I configured the DNAT as follows:

sourec: All Destenation: 199.203.250.222 (the orig dest)

new source: not altered 
new destenation: 192.168.2.101

The default GW is configured correctly because I can view web pages from 192.168.2.101.

The Problem is that no traffic from the outside can access the FTP server.


This thread was automatically locked due to age.
Parents
  • 0
    You should be using the IP address of your External Interface, unless you have configured ASL with an alias, and the IP address happens to be 199.203.250.222.  If not, then you will have to use the 199.203.250.107 address.
  • 0 in reply to Chris Lynch
    1. apply DNAT rule

    FROM    TO            SRC-trans     DEST-trans
    ANY --> EXTERN /FTP   NONE          INTERN/FTP

    2. simple SNAT Rule
    INTERN--> ANY/ ANY    EXTERN         NONE

    3. Packet filter rule
    From    Service  To      Action
    ANY     FTP     INTERN   ALLOW

    That should do it
    Remember DNAT happens before packetfiltering and SNAT after.
Reply
  • 0 in reply to Chris Lynch
    1. apply DNAT rule

    FROM    TO            SRC-trans     DEST-trans
    ANY --> EXTERN /FTP   NONE          INTERN/FTP

    2. simple SNAT Rule
    INTERN--> ANY/ ANY    EXTERN         NONE

    3. Packet filter rule
    From    Service  To      Action
    ANY     FTP     INTERN   ALLOW

    That should do it
    Remember DNAT happens before packetfiltering and SNAT after.
Children
No Data