topic Re: NAT rule to change internal IP to another on same subnet? in General Topics

NAT rule to change internal IP to another on same subnet?

OMatlock — Wed, 13 Sep 2017 16:29:27 GMT

Hi folks,

I have created a internal zone IP address I want to use as generic for FTP communications 192.168.1.9.

I want to NAT this IP to our current FTP server 192.168.1.19. This way when our FTP server changes we just change our NAT rule rather than the rest of our partner companies firewalls, routes, etc.

I've created a DNAT rule and able to ping 192.168.1.9 and get a response from 192.168.1.19, but unable to connect via ftp.

I've done this before successfully between network zones (subnets) but not on the same zone (subnet) so far.

Any suggestions?

Re: NAT rule to change internal IP to another on same subnet?

Raido_Rattameister — Wed, 13 Sep 2017 16:37:27 GMT

Hey do I understand correctly that clients and FTP server are both internal in 192.168.1.x subnet?

Can you show your DNAT rule?

Re: NAT rule to change internal IP to another on same subnet?

OMatlock — Wed, 13 Sep 2017 16:49:44 GMT

Thanks. Maybe I should create a source bi-directional rule. But do not want to disturb regular traffic to 192.168.1.19.

FTP-IP1 = 192.168.1.9

Private = 192.168.1.19

Re: NAT rule to change internal IP to another on same subnet?

Raido_Rattameister — Wed, 13 Sep 2017 16:52:29 GMT

You have to add source nat also to the rule.

Traffic must source from firewall internal IP.

Re: NAT rule to change internal IP to another on same subnet?

OMatlock — Wed, 13 Sep 2017 17:19:55 GMT

Thank you. Do you know if that would effect communications with clients that are currently connecting and using IP 192.168.1.19 directly?

Re: NAT rule to change internal IP to another on same subnet?

Raido_Rattameister — Wed, 13 Sep 2017 17:49:37 GMT

This does not affect users connecting directly to .19

Issue is that if client from 192.168.1.x network connects to 192.168.1.9 that is DNATed further to 192.168.1.19 then reply packet is sent directly to original source IP because 192.168.1.19 identifies that source is in it's own subnet and does not need to send this packet to gateway.

Client who received reply packet from 192.168.1.19 will drop it because it does not know anything about 192.168.1.19 as client initiated connection to 192.168.1.9

Re: NAT rule to change internal IP to another on same subnet?

OMatlock — Wed, 20 Sep 2017 07:25:28 GMT

I will come back to this one. Unfortunately other projects, tasks, and priorities are totally interupting what I was doing here, but still need to confirm. I will schedule some time soon to finish this thread.

Re: NAT rule to change internal IP to another on same subnet?

OMatlock — Tue, 03 Oct 2017 16:36:13 GMT

Thanks Raido,

I would like to resolve this thread this week.

I have my DNAT rule in place and I can ping 192.168.1.9 (VIP) and get a response from 192.168.1.19 (FTP server), but ftp does not work when I try ftp://192.168.1.9.

How would I set up the correct SNAT rule for this to work? I just tried this SNAT rule, but not working so far.

Re: NAT rule to change internal IP to another on same subnet?

Raido_Rattameister — Tue, 03 Oct 2017 21:50:57 GMT

Your original DNAT rule was fine.

All you were missing was Source NAT field.

Do not change other fields in your initial rule.

You need to have both Source NAT and Destination NAT configured in this single NAT policy.

Assume that your firewall internal IP is 192.168.1.1

In this case Source NAT is from this 192.168.1.1 IP

From zone - Trust

To zone - Trust

Source address - Any

Destination address - 192.168.1.9

Source translation - Dynamic-ip-port 192.168.1.1 (assuming this is your fw internal IP)

Destination translation - 192.168.1.19

Re: NAT rule to change internal IP to another on same subnet?

OMatlock — Mon, 09 Oct 2017 12:51:53 GMT

Thanks Raido,

That is working for me internally now. Still trying to wrap my head around it. 🙂

However, it does not work externally. I have a security rule that opens everything to my public IP. I have a NAT rule that translates public IP to 192.168.1.9 (and a source Dynamic IP and port to external interface IP). Neither http or ftp work, just times out. (I have a web server and ftp server here)

Curious if you comments about external connectivity?

Thank you for your guidance...

Internet = 96.68.102.140 (one of my public IPs I use for internet access)

Copperfield = 192.168.1.1 (IP of internal LAN Interface)

Re: NAT rule to change internal IP to another on same subnet?

Raido_Rattameister — Thu, 12 Oct 2017 14:37:46 GMT

For it to work from outside you need:

From zone - Untrust

To zone - Untrust

Destination Address - 96.68.102.139

Service - create new tcp-21 with protocol tcp and port 21

Destination translation - 192.168.32.19

NB! Place this new wan rule above WebServer1 rule because otherwise WebServer1 will NAT all ports to 192.168.1.9

Re: NAT rule to change internal IP to another on same subnet?

OMatlock — Mon, 16 Oct 2017 15:20:34 GMT

Wow, thanks Raido!

I starting to get it. I need to spend more time in wireshark to understand it better.

Thank you so much for your responses. Creating this internal "VIP" will help in communicating a long term IP to our IPSec VPN connections that will allow us to change servers and IPs without the need to have our partners update their rules, etc.

Final NAT rules.