I have an interesting issue with NAT translations (from my Cisco router) to some local zones on my Solaris box (running S10, patched relatively current). The global zone is on 172.20.1.32/27, as are a few of the non-global zones on this host. Other non-global zones are on 172.20.1.64/27, which in my design is the "outside" subnet -- a subnet specifically set up for hosts which I would like to make accessible from the outside world. My issue is with NAT translations to machines on that subnet (for ease, we'll call that subnet B and the subnet with the global zone subnet A).

If I create a NAT rule to pass, say, port 22 on a non-global zone on subnet A through to the outside world (thus making one zone accessible via ssh), the connection works fine. However, if I modify the same rule to make the inside source host on subnet B (where the global zone does not live), the connection does not get forwarded through the firewall to the inside; I get "Connection Refused" messages. My first thought was that I had erred somehow in the configuration of the router. If I bring up another stand-alone machine on subnet B, and put an ip nat inside source rule in the router pointing at that second box on subnet B, the connection works fine.

To summarise, assume the following:

  globalZone has IP 172.20.1.34/27
  zone1 has IP 172.20.1.35/27 and has apache running.
  zone2 has IP 172.20.1.67/27 and has apache running.
  box2 has IP 172.20.1.70/27 and, just for a test, also has apache running.
  a.b.c.d is the outside IP assigned by my provider.

The following NAT rules work (one at a time, not all together, obviously):

  ip nat inside source static tcp 172.20.1.35 80 a.b.c.d 80
  ip nat inside source static tcp 172.20.1.70 80 a.b.c.d 80

However, the following (which is my intended configuration) does not work:

  ip nat inside source static tcp 172.20.1.67 80 a.b.c.d 80

I get "connection refused" when attempting to connect to the outside world. The router is able to connect to any and all machines on any and all appropriate ports.

Any ideas where I may be able to look to determine what's not working as I expect with respect to the NAT translations that I want to present to the outside world? (I have ruled out, by the test cases above and by consultation with others more knowledgeable than I, any misconfiguration on the router itself.)

Thanks in advance,
-Coy

This message posted from opensolaris.org
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
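The post's test matrix boils down to one observable difference between the working and failing rules: whether the NAT target is a zone whose address sits on a subnet where the global zone also has an address. As an added example (not from the original post or from Solaris/IOS tooling), the script below parses the three static NAT rules quoted above and labels each inside address by that criterion, so the same check can be repeated as zones or rules are added. The addresses and rule text are taken from the post; the `a.b.c.d` outside address is left opaque, and the classification is a correlation aid, not a statement of the root cause.

```python
import re
import ipaddress

# The three rules quoted in the post (two working, one failing).
NAT_RULES = """\
ip nat inside source static tcp 172.20.1.35 80 a.b.c.d 80
ip nat inside source static tcp 172.20.1.70 80 a.b.c.d 80
ip nat inside source static tcp 172.20.1.67 80 a.b.c.d 80
"""

# Addresses from the post. box2 (172.20.1.70) is a stand-alone host, not a zone.
GLOBAL_ZONE_ADDRS = ["172.20.1.34/27"]
ZONE_ADDRS = {"zone1": "172.20.1.35/27", "zone2": "172.20.1.67/27"}

# Matches IOS static port-forward rules; the outside address is kept as text
# because the post redacts it as a.b.c.d.
RULE_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")


def parse_static_nat(config):
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port) per rule."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, iip, iport, oip, oport = m.groups()
            rules.append((proto, iip, int(iport), oip, int(oport)))
    return rules


def classify_targets(rules, global_addrs, zone_addrs):
    """Label each rule's inside address: stand-alone host, zone on a subnet the
    global zone is also on, or zone on a subnet with no global-zone address."""
    global_nets = [ipaddress.ip_interface(a).network for a in global_addrs]
    zones = {ipaddress.ip_interface(a).ip: name for name, a in zone_addrs.items()}
    result = {}
    for rule in rules:
        ip = ipaddress.ip_address(rule[1])
        if ip not in zones:
            result[rule[1]] = "standalone host"
        elif any(ip in net for net in global_nets):
            result[rule[1]] = f"zone {zones[ip]} on a global-zone subnet"
        else:
            result[rule[1]] = f"zone {zones[ip]} on a subnet with no global-zone address"
    return result


if __name__ == "__main__":
    for iip, label in classify_targets(parse_static_nat(NAT_RULES),
                                       GLOBAL_ZONE_ADDRS, ZONE_ADDRS).items():
        print(f"{iip:<14} {label}")
```

Run as-is it prints the three targets; only 172.20.1.67 (zone2) lands in the "no global-zone address" bucket, matching the one rule the post reports as failing.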