1 to Many NAT to another network not working

SOLVED
Sidnei_Marques
Here to help

1 to Many NAT to another network not working

Hi guys, please anyone can help me on this ?

 

I Have a DVR in a remote network (via sdwan) i Can reach the DVR via my local network , but when try to access it from outside it's not working

 

Sidnei_Marques_0-1615492649482.png

 

the static route

 

Sidnei_Marques_1-1615492789515.png

 

the capture:

 

Sidnei_Marques_2-1615492906647.png

 

1 ACCEPTED SOLUTION

Accepted Solutions
Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Okay, not being able to specify the source interface for the Ping from a MX is just to do with the firmware version. 

 

The summary of what you've proven so far is the following:

 

  1. There is a path from the MXs LAN interface (192.168.235.170) to and from the DVR since you are able to ping the DVR from your machine when on the same subnet.
  2. The MX is correctly performing the port map from the outside to the inside; you've shown traffic captures of traffic to x.126.204.197:8014 from the WAN, and captures to 192.168.3.14:8014 from the LAN interface.

In all cases of traffic coming from outside the WAN only SYN packets are ever seen, no return traffic is seen.

 

Between the MX and the DVR (if my understanding is correct) there is a Fortigate device providing SD-WAN services, and a ASA in front of the subnet that the DVR is on.

 

My gut feel at this point in time is that the reverse path for traffic from the DVR back to the MX is broken for public IP addresses (remember that the port map doesn't change the source IP address of the incoming packet, only the destination). This is going to be on either the Fortigate or the ASA. Although they correctly route traffic back to the 192.168.235.0/24 network, they're not routing public IP addresses back (e.g. 189.53.34.42).

 

It is entirely possible that there is a firewall/ACL blocking the traffic, but more likely I'd go with a routing issue.

 

You'll need to troubleshoot this from the other end, either the DVR, the ASA or the Fortigate (the closer to the DVR the better), to see if you can route traffic out to the internet via the MX.

View solution in original post

12 REPLIES 12
Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Looks like you’re doing a port forward from the WAN IP address of the MX to 192.168.14.3. Is there a route towards that network on the MX? The route you’ve posted is for 192.168.15.0/24, which doesn’t encompass the address in the port map.

Sidnei_Marques
Here to help

Re: 1 to Many NAT to another network not working

Hi Bruce, Wrong printscreen, but there are a route to the 192.168.14.0/24 network...

Sidnei_Marques
Here to help

Re: 1 to Many NAT to another network not working

Sidnei_Marques_0-1615495358946.png

This is a Static route

 

Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Can you do a longer capture (maybe on the LAN interface of the MX?) to see what responses are coming back from the DVR, if any. That packet only appears to be the SYN of the TCP handshake, or is that all you are seeing?

 

Are there any ACLs or firewalls on the DVR itself to prevent access from public IP addresses (or unknown IP addresses)?

Sidnei_Marques
Here to help

Re: 1 to Many NAT to another network not working

Here a capture of the LAN interface, the DVR LAN has an ASA, but it's not blocking incoming connections

 

Sidnei_Marques_0-1615497260079.png

 

capturing on WAN Interface gives me just the same thing

Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Have a look on the ASA and the DVR if you can as it looks like there is nothing at all coming back from the other end. It’s most likely either a routing issue from the MX - either to or from the DVR - so try pinging each device you expect in the path from the MX until you get a failure (starting with 172.20.20.1), or it’s a firewall/access-list.

 

Does the ASA have a default route for unknown IP addresses?

Sidnei_Marques
Here to help

Re: 1 to Many NAT to another network not working

Bruce, I Can ping 172.20.20.1 (SDWAN GW), but I can't ping the remote DVR 192.168.14.3

Sidnei_Marques_0-1615584088987.png

 

ASA route is set to Any inbound....

 

But I can ping the DVR from my local network (same of MX)

 

Sidnei_Marques_1-1615584274913.png

 

Sidnei_Marques_2-1615584325694.png

 

Thank 4 you support pal

Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Is 172.20.20.1 the ASA, or is the ASA after that gateway?

Which Source IP did you use when you did the ping from the MX?

 

 

Sidnei_Marques
Here to help

Re: 1 to Many NAT to another network not working

172.20.20.1 is the SDWAN GW (fortigate) it just passes the packets to the remote host/DVR (192.168.14.3)

 

in the MX68 I can't set the 'source' IP, I just put the IP address here

Sidnei_Marques_0-1615725791078.png

 

the MX IP is 192.168.235.170

Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Okay, not being able to specify the source interface for the Ping from a MX is just to do with the firmware version. 

 

The summary of what you've proven so far is the following:

 

  1. There is a path from the MXs LAN interface (192.168.235.170) to and from the DVR since you are able to ping the DVR from your machine when on the same subnet.
  2. The MX is correctly performing the port map from the outside to the inside; you've shown traffic captures of traffic to x.126.204.197:8014 from the WAN, and captures to 192.168.3.14:8014 from the LAN interface.

In all cases of traffic coming from outside the WAN only SYN packets are ever seen, no return traffic is seen.

 

Between the MX and the DVR (if my understanding is correct) there is a Fortigate device providing SD-WAN services, and a ASA in front of the subnet that the DVR is on.

 

My gut feel at this point in time is that the reverse path for traffic from the DVR back to the MX is broken for public IP addresses (remember that the port map doesn't change the source IP address of the incoming packet, only the destination). This is going to be on either the Fortigate or the ASA. Although they correctly route traffic back to the 192.168.235.0/24 network, they're not routing public IP addresses back (e.g. 189.53.34.42).

 

It is entirely possible that there is a firewall/ACL blocking the traffic, but more likely I'd go with a routing issue.

 

You'll need to troubleshoot this from the other end, either the DVR, the ASA or the Fortigate (the closer to the DVR the better), to see if you can route traffic out to the internet via the MX.

View solution in original post

Sidnei_Marques
Here to help

Re: 1 to Many NAT to another network not working

Hey Bruce, It was an ACL on the FortiGate appliance (in charge of our partner).

 

Now it's working fine.

 

Many thanks for your support !!!

Bruce
Kind of a big deal

Re: 1 to Many NAT to another network not working

Great to hear, glad you got it working.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.