topic NAT configuration - DMZ zone to Trust zone in General Topics

NAT configuration - DMZ zone to Trust zone

darren_g — Fri, 09 Jun 2017 00:24:09 GMT

I've had a total brain fade, and am unable to figure this out. Hoping you guys can help.

Network topology is relatively simple. Firewall has three zones - outside, inside and DMZ - DMZ has a /25 of "real" Internet addresses on it. Outside has a /30, also of "real" address, and most traffic from inside is translated to the interface address of the outside zone. Inside if RFC1918 IPv4 addressing with multiple static routes to upstream networks.

I need to NAT an IP address which is in our public space in our DMZ zone - call the address 1.1.1.123/32 - to a host which is inside my network - call it 10.10.10.10/32 - on a one-to-one basis - no port translations, nothing. BI-directional NAT - any packet coming in to 1.1.1.123 goes to 10.10.10.10, and any packet going OUT from 10.10.10.10 appears to be from 1.1.1.123 as far as the Internet is concerned.

Thing is, I don't know if I can do this.

I've put in two NAT rules - one translating anything going to 1.1.1.123 to 10.10.10.10, and one translating anything from 10.10.10.10 to 1.1.1.123 - but it's not working.

I don't know if I'm screwing up the security policies related, or if what I'm asking can't be done.

So, questions for guys who have done more NAT than I have

1. Is the NAT policy I want even possible?

2. Is the methodoligy I've described right?

3. What IP address/interface should I be applying security policies (inbound and outbound) on? The translated address? The untranslated address? Both?

Can anyone shed some light for me, please? I'm scratching my head here.

Thanks

Re: NAT configuration - DMZ zone to Trust zone

ansharma — Fri, 09 Jun 2017 00:56:32 GMT

Hey Darren,

Can you please try the below?

Outbound Nat rule

==============

Original packet:

Source - Trust
Source address - 10.10.10.10
Destination - Untrust
Destination Address - Any

Translated packet:

Source translation - Static IP
Translated address - 1.1.1.123

Inbound NAT rule

==============

Original packet:

Source - Untrust
Source address - Any
Destination - DMZ (you got public connectivity to DMZ, right?)
Destination Address - 1.1.1.123

Translated packet:

Destination translation
Translated address - 10.10.10.10

Outbound Security Rule

==================

Source Zone - Trust

Source Address - 10.10.10.10

Destination zone - Untrust

Destination address - Any

... (fill the rest yourself)

Inbound Security Rule

==================

Source Zone - Untrust

Source Address - Any

Destination zone - Trust

Destination Address - 1.1.1.123

... (fill the rest yourself)

For testing purposes, keep your NAT & security rules at the top to avoid any conflicts.

Let me know if that works.

Regards,

Anurag

Re: NAT configuration - DMZ zone to Trust zone

darren_g — Fri, 09 Jun 2017 03:12:49 GMT

Thank you Sir, you are a legend.

I was applying the inbound security rule on the wrong zone, and everything was failing.

Now it's not.

Appreciate your assistance.