topic Re: Security Policy's and NAT in General Topics

Security Policy's and NAT

mavant — Tue, 12 Feb 2013 19:33:58 GMT

Hi,

I Have configured a BYOD wireless ssid that is being forced to the internet via a port on our 2050. I am trying to get the network to be able to contact our mail server for exchange on mobile devices and also to have access to our content server redirect page. Our internal IP address for the BYOD is in the 172.x.x.x range. I am NATing these ip's to a public 204.x.x.x address.

The two servers I need to have these devices access both have NATed public IP addresses and are located on our internal network. I have tried setting up policies that utilize the source zone as the BYOD zone I created and the source address is the IP range of the BYOD internal network. For the destination I have tried both the internal IP of the servers and the Public NAT ip of the servers but cannot get commuinction between clients on the internal BYOD network and the two servers with the public NAT. I am having trouble determing the flow of things. Any Suggestions.

Thanks

Mark

Re: Security Policy's and NAT

gwesson — Tue, 12 Feb 2013 20:45:24 GMT

It sounds like you need to configure U-Turn NAT. This does NAT on the firewall but changes some parameters so that it hits the internal server directly rather than sending the traffic out to the Internet first.

Check this document out to see if it describes the issue and solves the problem:

How to Configure U-Turn NAT

Hope this helps!

Greg

Re: Security Policy's and NAT

MRPAM — Mon, 24 Jun 2013 06:28:58 GMT

i have configured a one web server NAT (one-to-one, server in the same zone as the clients) end Security Policies

this configuration enables functions of the web service, but prevents it from connecting to the internet/I mean disconnects the server. Is there a need of an additional configurations in order to solve this problem?

Re: Security Policy's and NAT

Retired Member — Mon, 24 Jun 2013 06:35:32 GMT

your second NAT rule(U turn) has to be seperate 2 rules.

1 for DMZ

1 for LAN

for DMZ you have to use source and destination NAT both

for LAN you only need destination NAT

also there should be a NAT rule downwards from these for internet with any destination address with source NAT

Re: Security Policy's and NAT

MRPAM — Mon, 24 Jun 2013 08:10:03 GMT

Thank you for feedback. But i can't understand please reply example

Re: Security Policy's and NAT

Retired Member — Mon, 24 Jun 2013 08:22:37 GMT

1- Clone inforep2 rule

2- Make rules source zone as DMZ for one, LAN for second rule

3- Source DMZ rule will have both source and destination NAT so do not touch it

4- Source LAN rule will have only destination NAT so clear source Nat

5- Write a third rule if there is not, for internet access Source zone DMZ and LAN destination address any source NAT with WAN interface.

is that clear ?

Re: Security Policy's and NAT

Retired Member — Mon, 24 Jun 2013 08:26:17 GMT

also try to monitor the logs for server look for source Nat and destination address from logs if there is anything missing

filter the logs for server upload a picture so that we can also look for.

Re: Security Policy's and NAT

MRPAM — Mon, 24 Jun 2013 08:46:11 GMT

sorry. its correct or... please check

Re: Security Policy's and NAT

Retired Member — Mon, 24 Jun 2013 08:52:50 GMT

rule2 destination zone make it WAN

also is there other rule for LAN to access internet

there should be from LAN to WAN a NAT rule also

Re: Security Policy's and NAT

MRPAM — Mon, 24 Jun 2013 09:16:50 GMT

there is also LAN rule to access to internet. this rule has in NAT Pol

The Problem is ....

Server is not working internet. (DMZ to internet www.*)

But webservice is working.(WAN from DMZ)

Re: Security Policy's and NAT

Retired Member — Mon, 24 Jun 2013 09:21:33 GMT

add source zone DMZ to your last NAT rule

Re: Security Policy's and NAT

MRPAM — Mon, 24 Jun 2013 11:24:51 GMT

Thank you for your great support.

GOOD LUCK