I have an interesting issue with NAT translations (from my cisco router) to
some local zones on my solaris box (running s10 patched relatively current).
The global zone is on 172.20.1.32/27 as are a few of the non-global zones on
this host. Other non-global zones are on 172.20.1.64/27 which in my design is
the "outside" subnet -- a subnet specifically setup for hosts which I would
like to make accessible from the outside world. My issue is with NAT
translations to machines on that subnet (for ease, we'll call that subnet B and
the subnet with the global zone subnet A).
If I create a NAT rule to pass, say, port 22 on a non-global zone on subnet A
through to the outside world (thus making one zone accessible via ssh), the
connection works fine. However, if I modify the same rule to make the inside
source host on subnet B (where the global zone does not live), the connection
does not get forwarded through the firewall to the inside; I get "Connection
Refused" messages. My first thought was that I had erred somehow in the
configuration of the router. If I bring up another stand-alone machine on
subnet B, and put an ip nat inside source rule in the router pointing at that
second box on subnet B, the connection works fine.
To summarise, assume the following:
globalZone has IP 172.20.1.34/27
zone1 has IP 172.20.1.35/27 and has apache running.
zone2 has IP 172.20.1.67/27 and has apache running.
box2 has IP 172.20.1.70/27 and also just for a test has apache running
a.b.c.d is the outside IP assigned by my provider.
The following NAT rules work (one at a time, not all together obviously):
ip nat inside source static tcp 172.20.1.35 80 a.b.c.d 80
ip nat inside source static tcp 172.20.1.70 80 a.b.c.d 80
However, the following (which is my intended configuration) does not work:
ip nat inside source static tcp 172.20.1.67 80 a.b.c.d 80
I get "connection refused" when attempting to connect to the outside world.
The router is able to connect to any and all machines on any and all
Any ideas where I may be able to look to determine what's not working as I
expect with respect to the NAT translations that I want to present to the
outside world? (I have ruled out by the test cases above and by consultation
with others more knowledgeable than I any misconfiguration on the router
Thanks in advance,
This message posted from opensolaris.org
zones-discuss mailing list
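One thing a reader of this thread would want to check first is which zone and logical interface on the Solaris box actually owns each inside address the router is forwarding to, and whether the global zone has an address on that zone's subnet, since that is the only difference between the working rules (172.20.1.35 in the global zone's subnet, 172.20.1.70 on a separate box) and the failing one (172.20.1.67 in a non-global zone on a subnet the global zone is not on). The script below is an added example, not code from the original post. The `ifconfig -a` output it parses is constructed to match the addresses in the post in the Solaris 10 shared-IP layout (one physical NIC, one logical interface per zone with a `zone` line); the NIC name `e1000g0` and the logical-interface numbers are assumptions.

```python
"""Map Cisco 'ip nat inside source static' targets to the Solaris zone/interface
that owns them. Added example for the zones-discuss post above; not from the
original post. Sample ifconfig output is constructed (NIC name assumed)."""
import ipaddress
import re

# Constructed Solaris 10 'ifconfig -a' output in the global zone. Logical
# interfaces of non-global zones carry a 'zone <name>' line. NIC name assumed.
IFCONFIG_A = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.20.1.34 netmask ffffffe0 broadcast 172.20.1.63
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone zone1
        inet 172.20.1.35 netmask ffffffe0 broadcast 172.20.1.63
e1000g0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone zone2
        inet 172.20.1.67 netmask ffffffe0 broadcast 172.20.1.95
"""

# The three static rules from the post (the outside address is left symbolic).
NAT_RULES = """\
ip nat inside source static tcp 172.20.1.35 80 a.b.c.d 80
ip nat inside source static tcp 172.20.1.70 80 a.b.c.d 80
ip nat inside source static tcp 172.20.1.67 80 a.b.c.d 80
"""

HEADER_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"inet (\S+) netmask ([0-9a-fA-F]{8})")
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")


def parse_ifconfig(text):
    """Return one dict per configured IPv4 logical interface: name, owning zone
    ('global' unless a 'zone' line follows the header), address and network."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"iface": m.group(1), "zone": "global", "addr": None, "net": None}
            entries.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("zone "):
            current["zone"] = s.split(None, 1)[1]
        elif s.startswith("inet "):
            m = INET_RE.match(s)
            addr = ipaddress.IPv4Address(m.group(1))
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # hex mask -> dotted
            current["addr"] = addr
            current["net"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return [e for e in entries if e["addr"] is not None]


def parse_nat_rules(text):
    """Extract (proto, inside address, inside port, outside, outside port)."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, inside, iport, outside, oport = m.groups()
            rules.append({"proto": proto, "inside": ipaddress.IPv4Address(inside),
                          "inside_port": int(iport), "outside": outside,
                          "outside_port": int(oport)})
    return rules


def classify_target(inside_addr, ifaces):
    """Who owns the NAT target? None of our interfaces -> some other host.
    Otherwise report the zone, the logical interface, its subnet, and whether
    the global zone also has a (non-loopback) address on that subnet."""
    owner = next((e for e in ifaces if e["addr"] == inside_addr), None)
    if owner is None:
        return {"zone": None, "iface": None, "net": None, "global_on_subnet": None}
    global_nets = {e["net"] for e in ifaces
                   if e["zone"] == "global" and not e["iface"].startswith("lo")}
    return {"zone": owner["zone"], "iface": owner["iface"], "net": owner["net"],
            "global_on_subnet": owner["net"] in global_nets}


def report(ifconfig_text, nat_text):
    """One tuple per NAT rule: (inside ip, zone, iface, subnet, global_on_subnet)."""
    ifaces = parse_ifconfig(ifconfig_text)
    rows = []
    for r in parse_nat_rules(nat_text):
        c = classify_target(r["inside"], ifaces)
        rows.append((str(r["inside"]), c["zone"], c["iface"],
                     str(c["net"]) if c["net"] else None, c["global_on_subnet"]))
    return rows


if __name__ == "__main__":
    for ip, zone, iface, net, shared in report(IFCONFIG_A, NAT_RULES):
        where = f"zone {zone} on {iface} ({net})" if zone else "not configured on this host"
        note = "" if shared is None else f", global zone on same subnet: {shared}"
        print(f"{ip:>12} -> {where}{note}")
```

Run against real output (`ifconfig -a` in the global zone, the NAT lines from the router's running config) instead of the constructed samples. A target that comes back as a non-global zone whose subnet the global zone is not on is the case that fails in the post, and the next things to look at for it are a `snoop` on the physical NIC in the global zone filtered on that inside address while connecting from outside (does the forwarded SYN arrive, and does the RST that produces "Connection refused" come from this box or from the router?), and the routing table as seen from inside that zone, since a shared-IP zone on S10 uses the global zone's routing table rather than one of its own.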