topic Re: VIP(NAT) configuration problem? in General Topics

VIP(NAT) configuration problem?

inforte — Tue, 21 Dec 2010 07:11:39 GMT

Hi, I have a little problem

Consider that we have a server A with the ip address 10.

And server B with the IP adress 20.

And a real IP address of 100.

İ want to set up a NAT, that if a web service comes to ip 100, it would forward this to 10

And if a mail service comes to ip 100 it would forward it to 20.

And would like to both servers to go out with the ip address of 100.

How can i make this?

İ made rule of

dest 100 with service 80 destination nat static to 10

dest 100 with service 25 destination nat static to 20

source 10 any any sourcenat to static 100

source 20 any any sourcenat to static 100

what am i missing here?

after reading couple of documents i have changed the configuration like,

from zone internet to zone internet dest 100 with service 80 destination nat to 10

from zone internet to zone internet dest 100 with service 25 destination nat to 20

and removed the other two rules but nothing changed.

thanks in advance,

Re: VIP(NAT) configuration problem?

reaper — Tue, 21 Dec 2010 10:03:29 GMT

have you also set the security policy as

internet - internal - any - 10 - port 80 (or application web-browsing)

internet - internal - any - 20 - port 25 (or application smtp)

(security rules are post-NAT, so the internal ip's are used)

rgds

Tom

Re: VIP(NAT) configuration problem?

inforte — Tue, 21 Dec 2010 11:48:46 GMT

nope i have set the rules like

from internet to internal destination external IP for service(web/smtp) allow.

you mean i should do it like

from internet to internal destination "internal IP" for service (web/smtp) allow.

right?

i will try and let you know.

thanks..

Re: VIP(NAT) configuration problem?

skrall — Tue, 21 Dec 2010 16:16:10 GMT

Change the source zone and the destination zone to be "Internet".

You can verify the traffic using :

show session all filter source 1.1.1.1

This will provide a list of session IDs associated with the 1.1.1.1 address and tell you the application.

View the individual session using:

show session id ###

This will show you the details, ingress and egress interfaces, NAT and Security rules processing the packet.

Make sure you have a secusity rule that allows from the outside or internet to the inside of your network for the ports or IP addresses mentioned in your NAT rules.

Steve Krall

Re: VIP(NAT) configuration problem?

kbrazil — Tue, 21 Dec 2010 16:16:16 GMT

Security rules are post-nat, but NAT is not actually implemented until packet egress. This means that for the inbound, destination-nat packets the external IP's should be used in the policy. For the outbound initiated traffic the internal IP's should be used in the security policy.

The NAT rules are only for the direction the traffic is initiated. Traffic initiated from the Internet will be destination-natted and the return traffic in the same session will correctly use the same natted IP as the source IP. Traffic initiated from the internal network will not hit the first two VNAT rules so you will need an outbound NAT rule. You can have a single source-nat rule that encompasses both internal IP's for your purposes.

How exactly is it not working? Are packets not hitting the Security Policy? Do you see them in the logs but with the incorrect NAT IP's in the details?

Cheers,

Kelly

Re: VIP(NAT) configuration problem?

reaper — Thu, 23 Dec 2010 09:10:39 GMT

this isue was actually related to mac address table on the routing device in front of the firewall

important thing to remember: reset mac table on devices that store mac addresses (router, switch,...) if you replace a firewall

Re: VIP(NAT) configuration problem?

inforte — Thu, 23 Dec 2010 09:16:23 GMT

thanks for your help guys.