Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
12-20-2018 04:36 AM
My firewall is using the following Interfaces/Zones: E1/1(5.5.5.170/29) and E1/1.1(5.5.5.174/29) are in the outside zone. E1/2(192.168.254.252/24) is in the inside zone. E1/8(192.168.1.1) is in DMZ zone. E1/1 and E1/2 are connected to the mainvr virtual router. E1/1.1 and E1/8 are connected to the DMZrouter virtual router. I have a web server located in the DMZ zone (192.168.1.2/24) that I want a One-to-One static NAT to 5.5.5.174/29 to grant outside zone access to and from the web. I’m not having any success. Any help would be great.
(My inside to outside traffic works fine just having problems with DMZ access from outside zone)
Below are my NAT/Security rules:
1) Outbound Nat rule:
Original packet:
Source - DMZ
Source address - 192.168.1.2
Destination - Untrust
Destination Address – Any
Translated packet:
Source translation - Static IP
Translated address - 5.5.5.174
(Bi-directional is not checked)
2) Inbound NAT rule:
Original packet:
Source - Untrust
Source address - Any
Destination - DMZ
Destination Address 5.5.5.174
Translated packet:
Destination translation
Translated address - 192.168.1.2
(Translated port is not entered)
Outbound Security Rule
Source Zone - DMZ
Source Address - 192.168.1.2
Destination zone - Untrust
Destination Address - Any
Inbound Security Rule
Source Zone - Untrust
Source Address - Any
Destination zone-Trust
Destination Address - 5.5.5.174
12-20-2018 05:12 AM
your inbound NAT policy needs to be untrust to untrust, your inbound security policy needs to be untrust to dmz
12-20-2018 05:12 AM
your inbound NAT policy needs to be untrust to untrust, your inbound security policy needs to be untrust to dmz
12-20-2018 09:03 AM
You should also be able to use a single bi-directional rule.
1) Bi-Directional Nat rule:
Original packet:
Source - DMZ
Source address - 192.168.1.2
Destination - Untrust
Destination Address – Any
Translated packet:
Translation Type - Static IP
Translation Address - 5.5.5.174
Bi-Directional [Tick]
12-20-2018 01:16 PM
Thanks. I did make the changes but tried to access my webserver without success...
One issue I see is that I can't ping the 5.5.5.174 address from either the outside or dmz zones. I can ping the dmz default gateway(192.168.1.1) as well as my ISPs default gateway(5.5.5.169) from inside the dmz but can't ping any other outside addresses(5.5.5.174, 5.5.5.170, as well as other outside web addresses) from inside the dmz.
5.5.5.170 is my original outside interface and it has been working. It's running my GlobalProtect and I haven't had any problems with that.
Any thoughts?
01-03-2019 04:49 AM
Thanks for the information. The solution did work but I was still having issues with the web server but figured out that is was a DNS config issue. All is well. Thanks again!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
