topic Source NAT confusion in General Topics

Source NAT confusion

cdpadmin — Mon, 09 Apr 2012 21:54:27 GMT

I am trying to provide for some 1-to-1 NAT on our PAN, which I thought we be an easy task. However, my configuration insist on using the interface IP address for outbound connections. Here is my setup.

Untrusted Network Interface IP: x.x.x.10/29

Trusted Network Interface IP: y.y.y.4/16

Mail Server Public IP: x.x.x.12/32

Mail Server Private IP: y.y.y.50/32

Security_Policy_1

source zone: trusted

source address: y.y.y.50/16

destination zone: untrusted

destination address: any

NAT_Policy_1

Orginal Packet Source Zone: trusted

Original Packet Destination Zone: untrusted

Original Packet Source Address: x.x.x.12/32

Translated Packet: Static IP

Translated Address: y.y.y.50.32

Bi-Directional: yes

Viewed from the mail server, it uses the interface IP to communicate, rather than the desired mail server's IP. Where am I going wrong here? Thank you

Michael

Re: Source NAT confusion

mikand — Mon, 09 Apr 2012 22:56:15 GMT

Checkout if:

can be of any help (specially example3 DMZ server outbound to Internet)?

If im not mistaken the security rule is applied before SNAT happens which means you should use the real ip of the server and not the SNATed ip (compared to DNAT who happens before security rules are checked which means that security rules must act on the DNATed ip).

Re: Source NAT confusion

akhan — Mon, 09 Apr 2012 23:32:55 GMT

Hi Michael,

To map the Mail Server Private IP: y.y.y.50/32 to the Mail Server Public IP: x.x.x.12/32, you bi-directional NAT configurations should look like this:

NAT_Policy_1

Orginal Packet Source Zone: trusted

Original Packet Destination Zone: untrusted

Original Packet Source Address: y.y.y.50/32

Translated Packet: Static IP

Translated Address: x.x.x.12/32

Bi-Directional: yes

Changes higlighed in BOLD.

Also make sure that your more specific NAT entries (statics, bi-directionals) are at the top of the NAT policies and you more generic outbound NAT policies are at the bottom.

Thanks,

Ahsan

Re: Source NAT confusion

cdpadmin — Wed, 11 Apr 2012 00:50:22 GMT

That was very helpful and allowed the server to web-browse using the correct IP address.
That same server is not available from the Internet. I created an inbound security rule

Mail Server Public IP: x.x.x.12/32

Mail Server Private IP: y.y.y.50/32

Security_Policy_2

source zone: untrusted

source address: any

destination zone: trusted

destination address: x.x.x.12/32

I also tried

Security_Policy_2

source zone: untrusted

source address: any

destination zone: trusted

destination address: y.y.y.50/32

Neither is getting me there.
Thank you,
Michael

Re: Source NAT confusion

mikand — Wed, 11 Apr 2012 06:13:24 GMT

What does your traffic log tell you?

Re: Source NAT confusion

cdpadmin — Thu, 12 Apr 2012 21:25:36 GMT

With some expert advise, I was able to complete this task. Essentially, don't use the bi-directional translation option and use two distinct rules, one for inbound and one for outbound.