forwarding with pbf No Nat

cancel
Showing results for 
Search instead for 
Did you mean: 

forwarding with pbf No Nat

L6 Presenter

Hi,

We wanted to forward the traffic coming on public interface (1.1.1.1) with port 80 to an another ip address on another interface (DMZ - 2.2.2.2)

just to forward, not want to NAT,

we've written a Pbf untrust to 1.1.1.1 with destination port 80 forward eth/DMZ 2.2.2.2

That did not work.Also traffic doesn't match to that pbf.What is missing ?

1 ACCEPTED SOLUTION

Accepted Solutions

Your understanding is correct; pbf should come before NAT and it should supersede traditional routing as well.

If your traffic is coming in on zone/interface WAN3 and destined to the destination IP you have configured, and the firewall is not forwarding the packets to eth1/11, then I'll suggest you open a ticket to have this looked into.

You can verify the ingress and egress interfaces/zones of the packet by running 'show session id #' in CLI as well. It is possible that the ingress of the packet is not matching your configured PBF policy.

Regards,

tasonibare

View solution in original post

6 REPLIES 6

L3 Networker

Could you post the output of 'show running pbf-policy' or a screen shot of your configuration, to verify that the config is correct.

Thanks,

tasonibare

test {

        id 5;

        from WAN3;

        source any;

        destination 8X.10X.10.7X;

        user any;

        application/service  any/tcp/any/23;

        action Forward;

        symmetric-return no;

        forwarding-egress-IF/VSYS ethernet1/11;

        next-hop 10.10.0.48;

        terminal no;

}

L5 Sessionator

Hello,

Based on your policy it looks like you are accessing a private ip (dmz) using oublic ip address.

correct me if I am wrong.

In that situation you need nat.

Regards,

Hari Yadavalli

you can forward a public ip to a private ip.I just wanted to tell pbf is not working.when I hit used rules it comes with colour.session is not matching to pbf.

flow logic, pbf is first.Nat is later.We also have a destination Nat rule.

Your understanding is correct; pbf should come before NAT and it should supersede traditional routing as well.

If your traffic is coming in on zone/interface WAN3 and destined to the destination IP you have configured, and the firewall is not forwarding the packets to eth1/11, then I'll suggest you open a ticket to have this looked into.

You can verify the ingress and egress interfaces/zones of the packet by running 'show session id #' in CLI as well. It is possible that the ingress of the packet is not matching your configured PBF policy.

Regards,

tasonibare

View solution in original post

L4 Transporter

You can also test your pbf rule by using the test command on the CLI:

admin@PA> test pbf-policy-match

+ application        Application name

+ destination        destination IP address

+ destination-port   Destination port

+ from               From zone

+ from-interface     From interface

+ ha-device-id       HA Active-Active device ID

+ protocol           IP protocol value

+ source             source IP address

+ source-user        Source User

  |                  Pipe through a command

  <Enter>            Finish input

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!