Destination NAT not working

L1 Bithead

Hello all,

 

I am having issues with my NAT config. I have everything from this doc completed but not seeing any traffic hit my outside interface in the logs.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/nat/nat-configuration-exa...

 

I basically have a Synology NAS im trying to do port forwarding into from the outside.

I have a rule to log all blocked traffic from the external interface but not seeing anything hit the outside (is an easier way to see all blocked traffic without creating a rule for it?)

 

I did verify the Public IP address as well.

 

Any ideas?

 

See screenshots for NAT, Policy configs.

[Screenshots: NAT.PNG, policy.PNG]
Thanks in advance!


Charles

6 REPLIES

L4 Transporter

You can override the default deny rule to add logging, select it and hit the "orange and green" splat at the bottom of the screen.

 

Is your policy set to log at session start or session end? If session end, it will not log until a session ends (obviously) - you may see open sessions in the session browser.

 

Assuming that 192.168.1 IP address is in the Internal-L3 zone, your policies look good to me.  Did this work previously, or is it a new configuration?

L7 Applicator

Your config looks good, and it tripped me up a bit because my Synology NAS is also on 192.168.1.25. 

 

Make sure that your NAS has a route that takes it through the firewall. It can't just go through on any interface, it has to match the interface that sent the NAT external traffic to your NAS.

 

You can also try doing source NAT on your inbound NAT rule for the NAS as well. Set the source NAT to be the IP of the firewall's Internal-L3 interface.

L1 Bithead

Thanks for the quick reply folks! I will try these and let you know.

This is a new config.

Question: If I am accepting SSL VPN clients on the same external interface/IP, does that cause issues for port forwarding?

Question: If I am accepting SSL VPN clients on the same external interface/IP, does that cause issues for port forwarding?

 

Only if it's on the same port. If your SSL VPN is using 443, it won't have any effect on any other ports (like 5001 or 22).

 

If you're trying to forward 443 though, something will break. The packet comes to the firewall only as a SYN on port 443, so the firewall won't know if it's destined for its own interface for GlobalProtect or if it should forward it to the server. It'll pick one, but I'm not sure which offhand.
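The port-collision point above can be checked before a rule is committed: the following is an added example (not code from the thread or from PAN-OS) that models destination NAT rules and the services the firewall itself terminates on the external address, and flags any rule that competes with a local listener for the same IP, protocol and port. The public IP 203.0.113.10, the rule names and the port list are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class PortRange:
    proto: str   # "tcp" or "udp"
    low: int
    high: int

    def overlaps(self, other: "PortRange") -> bool:
        # Same protocol and the two inclusive ranges intersect
        return (self.proto == other.proto
                and self.low <= other.high and other.low <= self.high)

@dataclass(frozen=True)
class DnatRule:
    name: str
    external_ip: str      # pre-NAT destination the rule matches on
    service: PortRange
    translated_ip: str    # host behind the firewall (the NAS)

@dataclass(frozen=True)
class LocalService:
    name: str             # e.g. a GlobalProtect portal/gateway
    listen_ip: str
    service: PortRange

def parse_service(spec: str) -> PortRange:
    """Parse 'tcp/5001' or 'udp/5000-5010' into a PortRange."""
    proto, ports = spec.lower().split("/")
    low, _, high = ports.partition("-")
    return PortRange(proto, int(low), int(high or low))

def find_conflicts(rules, local_services) -> List[Tuple[str, str]]:
    """Return (rule name, local service name) pairs that claim the same
    external IP, protocol and port: an inbound SYN for that tuple could be
    either terminated locally or forwarded, which is the ambiguity the
    reply above describes."""
    return [(r.name, s.name)
            for r in rules for s in local_services
            if r.external_ip == s.listen_ip and r.service.overlaps(s.service)]

# Constructed sample data modelled on the thread: one public IP, a NAS at
# 192.168.1.25, GlobalProtect listening on tcp/443 on the same address.
EXTERNAL_IP, NAS_IP = "203.0.113.10", "192.168.1.25"
RULES = [DnatRule("NAS-DSM", EXTERNAL_IP, parse_service("tcp/5001"), NAS_IP),
         DnatRule("NAS-SSH", EXTERNAL_IP, parse_service("tcp/22"), NAS_IP),
         DnatRule("NAS-HTTPS", EXTERNAL_IP, parse_service("tcp/443"), NAS_IP)]
LOCAL = [LocalService("GlobalProtect-portal", EXTERNAL_IP, parse_service("tcp/443"))]

if __name__ == "__main__":
    for rule, svc in find_conflicts(RULES, LOCAL):
        print(f"conflict: NAT rule {rule} and {svc} both claim the same IP/port")
```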

  • 7875 Views
  • 6 replies
  • 0 Likes