Access Only working one way

We have a Vyatta firewall between two networks. On the inside we have a 192.168.100.x/24 network. On the outside we have multiple networks including 10.100.5.x/24. The 192.168.100.x/24 addresses are NATted to 10.100.108.x/24 addresses which are being routed to the 10.100.5.x/24 network on the outside. We have an ACL allowing 10.100.5.x/24 hosts to reach hosts on the 192.168.100.x/24 network via their NATted 10.100.108.x/24 addresses and we can generate traffic that way, but cannot go the other way from the 192.168.100.0 hosts to the 10.100.5.0 hosts.

Sorry, this is the VyOS forum. It does sound like you do not have a route back on the 2nd system or your dst-nat is incorrect.

We have a route in place on the outside for 10.100.108.0/24 network to be able to reach the 10.100.5.0/24 network. From vyos I can ping the hosts in the 10.100.5.0/24 network that I cannot reach from the hosts on the inside of the OS which indicates it is something configured incorrectly on the vyos. Below is the NAT config on the vyos.

nat {
destination {
rule 10 {
destination {
address 10.100.108.6
}
inbound-interface eth0
translation {
address 192.168.100.130
}
}
rule 20 {
destination {
address 10.100.108.7
}
inbound-interface eth0
translation {
address 192.168.100.5
}
}
rule 30 {
destination {
address 10.100.108.8
}
inbound-interface eth0
translation {
address 192.168.100.6
}
}
rule 40 {
destination {
address 10.100.108.3
}
inbound-interface eth0
translation {
address 192.168.100.11
}
}
rule 50 {
destination {
address 10.100.108.4
}
inbound-interface eth0
translation {
address 192.168.100.12
}
}
}
source {
rule 10 {
outbound-interface eth0
source {
address 192.168.100.130
}
translation {
address 10.100.108.6
}
}
rule 20 {
outbound-interface eth0
source {
address 192.168.100.5
}
translation {
address 10.100.108.7
}
}
rule 30 {
outbound-interface eth0
source {
address 192.168.100.6
}
translation {
address 10.100.108.8
}
}
rule 40 {
outbound-interface eth0
source {
address 192.168.100.11
}
translation {
address 10.100.108.3
}
}
rule 50 {
outbound-interface eth0
source {
address 192.168.100.12
}
translation {
address 10.100.108.4

Did you confirm the traffic hits the interface on both sides?

All hosts on the outside can reach the inside hosts, whereas none of the inside hosts can reach the outside hosts. On the outside interface there are the NATted 10.100.108.0 network addresses. From the inside hosts I can ping all of these but no further, so yes they are hitting the interface, just not getting past it. Is that what you are referring to? I have pasted the full config below:

vyos XXXXXXX:~$ sh config
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
address-group allowed-servers {
address 10.100.6.110
address 10.100.6.28
address 10.100.5.90
address 10.100.6.17
address 10.100.5.21
address 10.100.5.71
address 10.100.5.44
description "Allowed Servers to XXXX"
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name inside_in {
default-action drop
rule 10 {
action accept
destination {
address 10.100.0.0/16
}
icmp {
type-name echo-reply
}
protocol icmp
source {
address 192.168.100.0/24
}
}
}
name outside_in {
default-action drop
rule 10 {
action accept
destination {
address 192.168.100.0/24
}
log disable
source {
group {
address-group allowed-servers
}
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
state-policy {
established {
action accept
}
invalid {
action drop
}
related {
action accept
}
}
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address 10.100.108.5/24
address 10.100.108.6/24
address 10.100.108.7/24
address 10.100.108.8/24
address 10.100.108.3/24
address 10.100.108.4/24
description "Outside interface facing XXXXX network"
duplex auto
firewall {
in {
name outside_in
}
}
hw-id 00:50:56:b5:3b:69
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.100.1/24
description "Inside XXXX"
duplex auto
firewall {
in {
name inside_in
}
}
hw-id 00:50:56:b5:3b:6a
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
destination {
rule 10 {
destination {
address 10.100.108.6
}
inbound-interface eth0
translation {
address 192.168.100.130
}
}
rule 20 {
destination {
address 10.100.108.7
}
inbound-interface eth0
translation {
address 192.168.100.5
}
}
rule 30 {
destination {
address 10.100.108.8
}
inbound-interface eth0
translation {
address 192.168.100.6
}
}
rule 40 {
destination {
address 10.100.108.3
}
inbound-interface eth0
translation {
address 192.168.100.11
}
}
rule 50 {
destination {
address 10.100.108.4
}
inbound-interface eth0
translation {
address 192.168.100.12
}
}
}
source {
rule 10 {
outbound-interface eth0
source {
address 192.168.100.130
}
translation {
address 10.100.108.6
}
}
rule 20 {
outbound-interface eth0
source {
address 192.168.100.5
}
translation {
address 10.100.108.7
}
}
rule 30 {
outbound-interface eth0
source {
address 192.168.100.6
}
translation {
address 10.100.108.8
}
}
rule 40 {
outbound-interface eth0
source {
address 192.168.100.11
}
translation {
address 10.100.108.3
}
}
rule 50 {
outbound-interface eth0
source {
address 192.168.100.12
}
translation {
address 10.100.108.4
}
}
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.100.108.1 {
}
}
}
}
service {
ssh {
listen-address 10.100.108.5
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
domain-name XXXXXXXX
host-name XXXXXXX
login {
user XXXXXXXX {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name "XXXXXX"
level admin
}
user vyos {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.XXXXXXXX {
}
server 1.XXXXXXXX {
}
server 2.XXXXXXX {
}
server 10.100.2.253 {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone US/Eastern
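The asymmetry the poster describes can be reproduced from the pasted ruleset alone, without touching NAT: `inside_in` on eth1 has `default-action drop` and its only rule matches ICMP `echo-reply`, while `outside_in` accepts anything from the `allowed-servers` group and the `state-policy` lets the return traffic of an outside-originated flow through. The following is an added example (not VyOS code) that models that policy in Python with simplified semantics (IPv4 prefixes, one address group, a single ICMP type field) and evaluates constructed packets for both directions; the rule contents, group members and state policy are copied from the config above, and the hosts `192.168.100.5`, `10.100.5.21` and `10.100.5.99` are just sample values.

```python
"""Added example (not VyOS code): a minimal model of the stateful firewall
policy pasted above, used to evaluate constructed packets against the
"inside_in" and "outside_in" rulesets.  Semantics are simplified (IPv4,
prefix and address-group matching, one ICMP type field); the rule contents,
address-group and state-policy are copied from the config."""
import ipaddress

ALLOWED_SERVERS = {"10.100.6.110", "10.100.6.28", "10.100.5.90", "10.100.6.17",
                   "10.100.5.21", "10.100.5.71", "10.100.5.44"}

# Each rule is a dict of match fields; a field that is absent matches anything.
RULESETS = {
    "inside_in": {"default": "drop", "rules": [
        {"action": "accept", "src": "192.168.100.0/24", "dst": "10.100.0.0/16",
         "proto": "icmp", "icmp_type": "echo-reply"},          # rule 10 as pasted
    ]},
    "outside_in": {"default": "drop", "rules": [
        {"action": "accept", "src_group": ALLOWED_SERVERS,     # rule 10 as pasted
         "dst": "192.168.100.0/24"},
    ]},
}
# The state-policy from the config is applied before the per-ruleset rules.
STATE_POLICY = {"established": "accept", "related": "accept", "invalid": "drop"}


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(rule, pkt):
    return all((
        "src" not in rule or _in(pkt["src"], rule["src"]),
        "dst" not in rule or _in(pkt["dst"], rule["dst"]),
        "src_group" not in rule or pkt["src"] in rule["src_group"],
        "proto" not in rule or pkt["proto"] == rule["proto"],
        "icmp_type" not in rule or pkt.get("icmp_type") == rule["icmp_type"],
    ))


def evaluate(ruleset, pkt):
    """Verdict ('accept' or 'drop') for a packet arriving on the interface
    that binds `ruleset` in its `in` direction."""
    verdict = STATE_POLICY.get(pkt.get("state", "new"))
    if verdict:
        return verdict
    rs = RULESETS[ruleset]
    for rule in rs["rules"]:
        if rule_matches(rule, pkt):
            return rule["action"]
    return rs["default"]


def trace_flows():
    """Verdicts for the two directions described in the thread (constructed
    packets).  Destination NAT runs before the forwarding rules, so the
    outside-originated packet is shown with its already-translated inside
    destination.  10.100.5.99 is a constructed host outside allowed-servers."""
    inside, outside = "192.168.100.5", "10.100.5.21"   # 10.100.5.21 is in allowed-servers

    def icmp(src, dst, icmp_type, state="new"):
        return {"src": src, "dst": dst, "proto": "icmp",
                "icmp_type": icmp_type, "state": state}

    return {
        "inside->outside echo-request (new)":
            evaluate("inside_in", icmp(inside, outside, "echo-request")),
        "inside->outside echo-reply (new)":
            evaluate("inside_in", icmp(inside, outside, "echo-reply")),
        "outside->inside echo-request (new)":
            evaluate("outside_in", icmp(outside, inside, "echo-request")),
        "inside->outside echo-reply (established)":
            evaluate("inside_in", icmp(inside, outside, "echo-reply", "established")),
        "other outside host echo-request (new)":
            evaluate("outside_in", icmp("10.100.5.99", inside, "echo-request")),
    }


if __name__ == "__main__":
    for flow, verdict in trace_flows().items():
        print(f"{flow:45} {verdict}")
```

The first entry is the one that matters: a new ping from an inside host is an echo-request, which rule 10 of `inside_in` does not match, so it falls to the default drop before any source NAT would apply. To confirm the same thing on a live box rather than in a model, enable `enable-default-log` on the ruleset and watch `show log` for the dropped packets.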

Your outside and inside addresses are RFC1918, why are you using NAT at all?
All traffic which is not local goes via 10.100.108.1/32 and if the src is 192.168.100.x it’s natted to a 10.100.108.x/32, correct? You can avoid nat if you can add a route on 10.100.108.1/32 for 192.168.100/24 via 10.100.108.5/32 for instance. Any address (if directly connected to 10.100.108.1) would work. The nat rules look ok as far as I see, while I don’t understand why you are making it that complicated if you are with RFC1918 space anyway. Do you have fw logs enabled? Do they show anything obvious?

I understand what you are saying about NAT not being necessary between 192.168.100.0/100 and 10.100.108.0/24 networks but that doesn’t explain why traffic works only going one way. The vyos is the only thing between these two networks and whether we’re using NAT or a route on host 10.100.108.1 pointing to the 192.168.100.0/24 network via host 10.100.108.5 the traffic should flow in both directions but right now we can only go from 10.100.108.0/24 hosts on the outside to the 192.168.100.0/24 hosts on the inside via their 10.100.108.0/24 natted addresses. This does not make any sense and as I said there is nothing between these two networks other than the vyos. I did a show log on the vyos and the only message was: Nov 25 10:37:55 NWWTFFW1 ntpd_intres[2741]: host name not found: 0.pool.ntp.org

NAT is more or less just looking ugly but not a problem when it comes down to the traffic flow unless your NAT table overflows. You need to determine if the traffic reaches the routers as it is supposed to; that way you know routing works, then move on and check if the NAT rule is set up correctly. I took parts from your config above and can’t reproduce your problem. You may also want to upgrade to 1.2.x since 1.1.x is EOL.

I do not think that the NAT is working properly on the VyOS for traffic going from the 192.168.100.0/24 network as a source. I ran a show nat dest translations and a show nat source translations and got the output below:

vyos@XXXXXXXX:~$ sh nat dest translations
Pre-NAT Post-NAT Prot Timeout
10.100.108.6 192.168.100.130 tcp 431404
10.100.108.7 192.168.100.5 icmp 29
10.100.108.6 192.168.100.130 tcp 431940
vyos@XXXXXXXX:~$ sh nat source translations
Pre-NAT Post-NAT Prot Timeout
10.100.95.11 10.100.95.11 icmp 29

The outside-facing interface facing the 10.100.108.0/24 network is where the nat is occurring, and when there is traffic coming from that side with 10.100.108.0/24 addresses as the destination the dest nat is working and the addresses are translated to 192.168.100.0/24 addresses. However, when traffic is sourced from the 192.168.100.0/24 addresses destined for anything in the 10.100.108.0/24 network there are no source translations going on. Even if the issue was on the network beyond the vyos, wouldn’t I expect to see these translations in the vyos on the eth0 interface?
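A 1:1 NAT like the one in this thread only works in both directions when every destination rule has an exact inverse source rule and every outside address is one the router actually owns on eth0 (otherwise it will not answer ARP for replies to that address). The following is an added example, not VyOS code, that parses the brace syntax printed by `show configuration` (just enough of it for this purpose) and reports any rule without its inverse and any translation address missing from eth0. `SAMPLE_CONFIG` is constructed: destination rules 10 and 20 and source rule 10 are copied from the thread, source rule 60 (`192.168.100.20` to `10.100.108.9`) is invented to show what a mismatch looks like, and leaves not needed for the check (interface bindings, descriptions) are left out.

```python
# Added example (not VyOS code): parse the brace syntax that `show configuration`
# prints and check that 1:1 NAT rules are consistent in both directions.
# SAMPLE_CONFIG is constructed: destination rules 10/20 and source rule 10 are
# copied from the thread, source rule 60 is invented to show a mismatch, and
# leaves not needed here (interface bindings, descriptions) are left out.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        address 10.100.108.5/24
        address 10.100.108.6/24
        address 10.100.108.7/24
    }
}
nat {
    destination {
        rule 10 {
            destination {
                address 10.100.108.6
            }
            translation {
                address 192.168.100.130
            }
        }
        rule 20 {
            destination {
                address 10.100.108.7
            }
            translation {
                address 192.168.100.5
            }
        }
    }
    source {
        rule 10 {
            source {
                address 192.168.100.130
            }
            translation {
                address 10.100.108.6
            }
        }
        rule 60 {
            source {
                address 192.168.100.20
            }
            translation {
                address 10.100.108.9
            }
        }
    }
}
"""


def parse_config(text):
    """Nested dicts: 'key value {' opens a child keyed by the whole header,
    'key value' is a leaf; a repeated leaf key (eth0 address) becomes a list."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            node = stack[-1]
            if key in node:
                prev = node[key]
                node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                node[key] = value
    return root


def nat_pairs(cfg):
    """(dnat, snat): dnat maps outside->inside, snat maps inside->outside."""
    def rules(section):
        return [r for k, r in cfg["nat"].get(section, {}).items() if k.startswith("rule ")]
    dnat = {r["destination"]["address"]: r["translation"]["address"] for r in rules("destination")}
    snat = {r["source"]["address"]: r["translation"]["address"] for r in rules("source")}
    return dnat, snat


def check_one_to_one(cfg):
    """Return a list of findings; an empty list means the 1:1 NAT is symmetric
    and every outside address is configured on eth0."""
    dnat, snat = nat_pairs(cfg)
    addrs = cfg["interfaces"]["ethernet eth0"]["address"]
    eth0 = {a.split("/")[0] for a in (addrs if isinstance(addrs, list) else [addrs])}
    findings = []
    for outside, inside in dnat.items():
        if snat.get(inside) != outside:
            findings.append(f"dnat {outside}->{inside} has no inverse snat rule; "
                            f"traffic from {inside} leaves eth0 untranslated")
    for inside, outside in snat.items():
        if dnat.get(outside) != inside:
            findings.append(f"snat {inside}->{outside} has no inverse dnat rule")
        if outside not in eth0:
            findings.append(f"snat translation {outside} is not an address on eth0, "
                            f"so the router will not answer ARP for replies to it")
    return findings


if __name__ == "__main__":
    for finding in check_one_to_one(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On a real box the input would be the text of `show configuration` saved to a file; on the thread's full config the five rule pairs are symmetric and all six outside addresses are on eth0, so the check comes back clean, which is consistent with the last poster's observation that the rules themselves look fine and the problem has to be found elsewhere.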