topic Re: forwarding with pbf No Nat in General Topics

forwarding with pbf No Nat

Retired Member — Mon, 09 Dec 2013 21:41:52 GMT

Hi,

We wanted to forward the traffic coming on public interface (1.1.1.1) with port 80 to an another ip address on another interface (DMZ - 2.2.2.2)

just to forward, not want to NAT,

we've written a Pbf untrust to 1.1.1.1 with destination port 80 forward eth/DMZ 2.2.2.2

That did not work.Also traffic doesn't match to that pbf.What is missing ?

Re: forwarding with pbf No Nat

tasonibare — Tue, 10 Dec 2013 01:25:30 GMT

Could you post the output of 'show running pbf-policy' or a screen shot of your configuration, to verify that the config is correct.

Thanks,

tasonibare

Re: forwarding with pbf No Nat

Retired Member — Tue, 10 Dec 2013 06:50:51 GMT

test {

id 5;

from WAN3;

source any;

destination 8X.10X.10.7X;

user any;

application/service any/tcp/any/23;

action Forward;

symmetric-return no;

forwarding-egress-IF/VSYS ethernet1/11;

next-hop 10.10.0.48;

terminal no;

}

Re: forwarding with pbf No Nat

hyadavalli — Tue, 10 Dec 2013 12:22:35 GMT

Hello,

Based on your policy it looks like you are accessing a private ip (dmz) using oublic ip address.

correct me if I am wrong.

In that situation you need nat.

Regards,

Hari Yadavalli

Re: forwarding with pbf No Nat

Retired Member — Tue, 10 Dec 2013 12:31:57 GMT

you can forward a public ip to a private ip.I just wanted to tell pbf is not working.when I hit used rules it comes with colour.session is not matching to pbf.

flow logic, pbf is first.Nat is later.We also have a destination Nat rule.

Re: forwarding with pbf No Nat

tasonibare — Tue, 10 Dec 2013 18:27:43 GMT

Your understanding is correct; pbf should come before NAT and it should supersede traditional routing as well.

If your traffic is coming in on zone/interface WAN3 and destined to the destination IP you have configured, and the firewall is not forwarding the packets to eth1/11, then I'll suggest you open a ticket to have this looked into.

You can verify the ingress and egress interfaces/zones of the packet by running 'show session id #' in CLI as well. It is possible that the ingress of the packet is not matching your configured PBF policy.

Regards,

tasonibare

Re: forwarding with pbf No Nat

${userLoginName} — Wed, 11 Dec 2013 08:09:51 GMT

You can also test your pbf rule by using the test command on the CLI:

admin@PA> test pbf-policy-match

+ application Application name

+ destination destination IP address

+ destination-port Destination port

+ from From zone

+ from-interface From interface

+ ha-device-id HA Active-Active device ID

+ protocol IP protocol value

+ source source IP address

+ source-user Source User

| Pipe through a command

<Enter> Finish input