Source NAT confusion


I am trying to provide for some 1-to-1 NAT on our PAN, which I thought would be an easy task.  However, my configuration insists on using the interface IP address for outbound connections.  Here is my setup.

Untrusted Network Interface IP: x.x.x.10/29

Trusted Network Interface IP: y.y.y.4/16

Mail Server Public IP: x.x.x.12/32

Mail Server Private IP: y.y.y.50/32

Security_Policy_1

source zone: trusted

source address: y.y.y.50/16

destination zone: untrusted

destination address: any

NAT_Policy_1

Original Packet Source Zone: trusted

Original Packet Destination Zone: untrusted

Original Packet Source Address: x.x.x.12/32

Translated Packet: Static IP

Translated Address: y.y.y.50.32

Bi-Directional: yes

Viewed from the mail server, it uses the interface IP to communicate, rather than the desired mail server's IP.  Where am I going wrong here?  Thank you

Michael

5 REPLIES 5

L6 Presenter

Check out if:

can be of any help (especially example3 DMZ server outbound to Internet)?

If I'm not mistaken, the security rule is applied before SNAT happens, which means you should use the real IP of the server and not the SNATed IP (compared to DNAT, which happens before security rules are checked, which means that security rules must act on the DNATed IP).

L3 Networker

Hi Michael,

To map the Mail Server Private IP: y.y.y.50/32 to the Mail Server Public IP: x.x.x.12/32, your bi-directional NAT configuration should look like this:

NAT_Policy_1

Original Packet Source Zone: trusted

Original Packet Destination Zone: untrusted

Original Packet Source Address: y.y.y.50/32

Translated Packet: Static IP

Translated Address: x.x.x.12/32

Bi-Directional: yes

Changes highlighted in BOLD.

Also make sure that your more specific NAT entries (statics, bi-directionals) are at the top of the NAT policies and your more generic outbound NAT policies are at the bottom.

Thanks,

Ahsan

That was very helpful and allowed the server to web-browse using the correct IP address.
That same server is not available from the Internet.  I created an inbound security rule


Mail Server Public IP: x.x.x.12/32

Mail Server Private IP: y.y.y.50/32

Security_Policy_2

source zone: untrusted

source address: any

destination zone: trusted

destination address: x.x.x.12/32

I also tried

Security_Policy_2

source zone: untrusted

source address: any

destination zone: trusted

destination address: y.y.y.50/32

Neither is getting me there. 
Thank you,
Michael

What does your traffic log tell you?

With some expert advice, I was able to complete this task.  Essentially, don't use the bi-directional translation option and use two distinct rules, one for inbound and one for outbound.
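
Added example (not from any poster in this thread, and not PAN-OS code): a simplified first-match model of source-NAT rule evaluation showing why the rule as first posted never matched the mail server's traffic, and why the corrected rule must sit above a generic outbound rule. The addresses are constructed stand-ins for the masked values, and the catch-all rule `Outbound_Generic` is an assumption.

```python
# Simplified model of first-match source-NAT evaluation (not PAN-OS code).
# All addresses are constructed stand-ins for the thread's masked values:
#   x.x.x.10 -> 203.0.113.10 (untrusted interface), x.x.x.12 -> 203.0.113.12
#   y.y.y.0/16 -> 10.1.0.0/16 (trusted network),    y.y.y.50 -> 10.1.0.50
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERFACE_IP = "203.0.113.10"

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    orig_source: str      # matched against the packet's pre-NAT source
    translated: str       # source address after translation

def source_nat(rules, src, from_zone, to_zone):
    """Return (rule name, translated source) for the first matching rule."""
    for r in rules:
        if (r.from_zone, r.to_zone) == (from_zone, to_zone) and \
                ip_address(src) in ip_network(r.orig_source):
            return r.name, r.translated
    return None, src      # no rule matched: source left untranslated

# Assumed catch-all outbound rule that hides the LAN behind the interface IP.
GENERIC = NatRule("Outbound_Generic", "trusted", "untrusted", "10.1.0.0/16", INTERFACE_IP)
# Rule as first posted: the public address sits in the original-source field.
AS_POSTED = NatRule("NAT_Policy_1", "trusted", "untrusted", "203.0.113.12/32", "10.1.0.50")
# Rule as corrected in the reply: private address is matched, public is the result.
CORRECTED = NatRule("NAT_Policy_1", "trusted", "untrusted", "10.1.0.50/32", "203.0.113.12")

def mail_server_egress(rules):
    """Which rule and address the mail server's outbound traffic ends up with."""
    return source_nat(rules, "10.1.0.50", "trusted", "untrusted")

if __name__ == "__main__":
    for label, rules in [("as posted", [AS_POSTED, GENERIC]),
                         ("corrected", [CORRECTED, GENERIC]),
                         ("corrected, below generic", [GENERIC, CORRECTED])]:
        print(f"{label:26} -> {mail_server_egress(rules)}")
```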
