We have some internet-facing servers which have NAT public addresses.
1) Externally we can access the public address of the server.
2) Internally on our LAN, we cannot access the public address of the server; it times out. However, the appliance monitor tab shows accept, nothing was denied.
The policy rule I set was
Any to Any - Server_public_address - Web browsing allowed
Does anyone know what could be causing this issue?
If the clients and the servers are on the same LAN then the response from the server is likely going directly to the client and not back through the firewall. The client is receiving a response packet with the internal address instead of the external one so it rejects the packet as unexpected.
To fix this scenario you can set up a Source-NAT + Destination-NAT rule from the client subnet to the servers so the return traffic is forced back to the firewall and correctly processed for NAT and security before it gets to the client. This concept is known as a U-Turn NAT Rule.
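As an added illustration of the U-turn NAT rule described in this answer (not configuration from the original poster or the answerer), here is a PAN-OS set-command fragment. All values are assumptions: zones `trust` and `untrust`, client subnet `10.1.1.0/24`, public address `203.0.113.10`, the server's internal address `10.1.1.50`, and `ethernet1/2` as the inside interface; lines starting with `#` are annotations, not CLI input.

```text
# U-turn NAT: internal clients reaching the server's public IP.
# Pre-NAT: destination 203.0.113.10 routes toward untrust, so the rule is from trust to untrust.
set rulebase nat rules Internal-UTurn from trust to untrust source 10.1.1.0/24 destination 203.0.113.10 service any
# Destination NAT: rewrite the public IP to the server's internal address.
set rulebase nat rules Internal-UTurn destination-translation translated-address 10.1.1.50
# Source NAT: rewrite the client source to the firewall's inside interface address so the
# server replies to the firewall, not directly to the client (this is what removes the asymmetry).
set rulebase nat rules Internal-UTurn source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security policy: destination zone is the post-NAT zone (trust), destination address stays pre-NAT (public IP).
set rulebase security rules Allow-Internal-UTurn from trust to trust source 10.1.1.0/24 destination 203.0.113.10 application web-browsing service application-default action allow
```

After committing, the monitor tab should show the session with both source and destination translated; if only destination NAT is applied, the server's reply bypasses the firewall and the client still sees a timeout.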
I just posted a somewhat similar issue. Explicitly allowing the traffic (even though the logs were not showing anything was blocked) resolved the problem. My post asked why this behavior is occurring.