Meraki

Community

1 to Many NAT to another network not working

Solved
Sidnei_Marques
Here to help
‎Mar 11 2021 12:01 PM
‎Mar 11 2021 12:01 PM

1 to Many NAT to another network not working

Hi guys, please anyone can help me on this ?

 

I Have a DVR in a remote network (via sdwan) i Can reach the DVR via my local network , but when try to access it from outside it's not working

 

Sidnei_Marques_0-1615492649482.png

 

the static route

 

Sidnei_Marques_1-1615492789515.png

 

the capture:

 

Sidnei_Marques_2-1615492906647.png

 

0 Kudos
1 Accepted Solution
In response to Sidnei_Marques
Bruce
Kind of a big deal
‎Mar 14 2021 7:09 PM
‎Mar 14 2021 7:09 PM

Okay, not being able to specify the source interface for the Ping from a MX is just to do with the firmware version. 

 

The summary of what you've proven so far is the following:

 

  1. There is a path from the MXs LAN interface (192.168.235.170) to and from the DVR since you are able to ping the DVR from your machine when on the same subnet.
  2. The MX is correctly performing the port map from the outside to the inside; you've shown traffic captures of traffic to x.126.204.197:8014 from the WAN, and captures to 192.168.3.14:8014 from the LAN interface.

In all cases of traffic coming from outside the WAN only SYN packets are ever seen, no return traffic is seen.

 

Between the MX and the DVR (if my understanding is correct) there is a Fortigate device providing SD-WAN services, and a ASA in front of the subnet that the DVR is on.

 

My gut feel at this point in time is that the reverse path for traffic from the DVR back to the MX is broken for public IP addresses (remember that the port map doesn't change the source IP address of the incoming packet, only the destination). This is going to be on either the Fortigate or the ASA. Although they correctly route traffic back to the 192.168.235.0/24 network, they're not routing public IP addresses back (e.g. 189.53.34.42).

 

It is entirely possible that there is a firewall/ACL blocking the traffic, but more likely I'd go with a routing issue.

 

You'll need to troubleshoot this from the other end, either the DVR, the ASA or the Fortigate (the closer to the DVR the better), to see if you can route traffic out to the internet via the MX.

View solution in original post

12 Replies 12
Bruce
Kind of a big deal
‎Mar 11 2021 12:39 PM
‎Mar 11 2021 12:39 PM

Looks like you’re doing a port forward from the WAN IP address of the MX to 192.168.14.3. Is there a route towards that network on the MX? The route you’ve posted is for 192.168.15.0/24, which doesn’t encompass the address in the port map.

0 Kudos
In response to Bruce
Sidnei_Marques
Here to help
‎Mar 11 2021 12:41 PM
‎Mar 11 2021 12:41 PM

Hi Bruce, Wrong printscreen, but there are a route to the 192.168.14.0/24 network...

0 Kudos
In response to Sidnei_Marques
Bruce
Kind of a big deal
‎Mar 11 2021 12:46 PM
‎Mar 11 2021 12:46 PM

Can you do a longer capture (maybe on the LAN interface of the MX?) to see what responses are coming back from the DVR, if any. That packet only appears to be the SYN of the TCP handshake, or is that all you are seeing?

 

Are there any ACLs or firewalls on the DVR itself to prevent access from public IP addresses (or unknown IP addresses)?

0 Kudos
In response to Bruce
Sidnei_Marques
Here to help
‎Mar 11 2021 1:16 PM
‎Mar 11 2021 1:16 PM

Here a capture of the LAN interface, the DVR LAN has an ASA, but it's not blocking incoming connections

 

Sidnei_Marques_0-1615497260079.png

 

capturing on WAN Interface gives me just the same thing

0 Kudos
In response to Sidnei_Marques
Bruce
Kind of a big deal
‎Mar 12 2021 12:56 AM
‎Mar 12 2021 12:56 AM

Have a look on the ASA and the DVR if you can as it looks like there is nothing at all coming back from the other end. It’s most likely either a routing issue from the MX - either to or from the DVR - so try pinging each device you expect in the path from the MX until you get a failure (starting with 172.20.20.1), or it’s a firewall/access-list.

 

Does the ASA have a default route for unknown IP addresses?

0 Kudos
In response to Bruce
Sidnei_Marques
Here to help
‎Mar 12 2021 1:25 PM
‎Mar 12 2021 1:25 PM

Bruce, I Can ping 172.20.20.1 (SDWAN GW), but I can't ping the remote DVR 192.168.14.3

Sidnei_Marques_0-1615584088987.png

 

ASA route is set to Any inbound....

 

But I can ping the DVR from my local network (same of MX)

 

Sidnei_Marques_1-1615584274913.png

 

Sidnei_Marques_2-1615584325694.png

 

Thank 4 you support pal

0 Kudos
In response to Sidnei_Marques
Bruce
Kind of a big deal
‎Mar 12 2021 2:35 PM
‎Mar 12 2021 2:35 PM

Is 172.20.20.1 the ASA, or is the ASA after that gateway?

Which Source IP did you use when you did the ping from the MX?

 

 

0 Kudos
In response to Bruce
Sidnei_Marques
Here to help
‎Mar 14 2021 5:43 AM
‎Mar 14 2021 5:43 AM

172.20.20.1 is the SDWAN GW (fortigate) it just passes the packets to the remote host/DVR (192.168.14.3)

 

in the MX68 I can't set the 'source' IP, I just put the IP address here

Sidnei_Marques_0-1615725791078.png

 

the MX IP is 192.168.235.170

0 Kudos
In response to Sidnei_Marques
Bruce
Kind of a big deal
‎Mar 14 2021 7:09 PM
‎Mar 14 2021 7:09 PM

Okay, not being able to specify the source interface for the Ping from a MX is just to do with the firmware version. 

 

The summary of what you've proven so far is the following:

 

  1. There is a path from the MXs LAN interface (192.168.235.170) to and from the DVR since you are able to ping the DVR from your machine when on the same subnet.
  2. The MX is correctly performing the port map from the outside to the inside; you've shown traffic captures of traffic to x.126.204.197:8014 from the WAN, and captures to 192.168.3.14:8014 from the LAN interface.

In all cases of traffic coming from outside the WAN only SYN packets are ever seen, no return traffic is seen.

 

Between the MX and the DVR (if my understanding is correct) there is a Fortigate device providing SD-WAN services, and a ASA in front of the subnet that the DVR is on.

 

My gut feel at this point in time is that the reverse path for traffic from the DVR back to the MX is broken for public IP addresses (remember that the port map doesn't change the source IP address of the incoming packet, only the destination). This is going to be on either the Fortigate or the ASA. Although they correctly route traffic back to the 192.168.235.0/24 network, they're not routing public IP addresses back (e.g. 189.53.34.42).

 

It is entirely possible that there is a firewall/ACL blocking the traffic, but more likely I'd go with a routing issue.

 

You'll need to troubleshoot this from the other end, either the DVR, the ASA or the Fortigate (the closer to the DVR the better), to see if you can route traffic out to the internet via the MX.

In response to Bruce
Sidnei_Marques
Here to help
‎Mar 17 2021 10:06 AM
‎Mar 17 2021 10:06 AM

Hey Bruce, It was an ACL on the FortiGate appliance (in charge of our partner).

 

Now it's working fine.

 

Many thanks for your support !!!

0 Kudos
In response to Sidnei_Marques
Bruce
Kind of a big deal
‎Mar 17 2021 12:48 PM
‎Mar 17 2021 12:48 PM

Great to hear, glad you got it working.

0 Kudos
In response to Bruce
Sidnei_Marques
Here to help
‎Mar 11 2021 12:42 PM
‎Mar 11 2021 12:42 PM

Sidnei_Marques_0-1615495358946.png

This is a Static route

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.