06-08-2017 05:24 PM
I've had a total brain fade, and am unable to figure this out. Hoping you guys can help.
Network topology is relatively simple. Firewall has three zones - outside, inside and DMZ - DMZ has a /25 of "real" Internet addresses on it. Outside has a /30, also of "real" addresses, and most traffic from inside is translated to the interface address of the outside zone. Inside is RFC1918 IPv4 addressing with multiple static routes to upstream networks.
I need to NAT an IP address which is in our public space in our DMZ zone - call the address 1.1.1.123/32 - to a host which is inside my network - call it 10.10.10.10/32 - on a one-to-one basis - no port translations, nothing. Bi-directional NAT - any packet coming in to 1.1.1.123 goes to 10.10.10.10, and any packet going OUT from 10.10.10.10 appears to be from 1.1.1.123 as far as the Internet is concerned.
Thing is, I don't know if I can do this.
I've put in two NAT rules - one translating anything going to 1.1.1.123 to 10.10.10.10, and one translating anything from 10.10.10.10 to 1.1.1.123 - but it's not working.
I don't know if I'm screwing up the security policies related, or if what I'm asking can't be done.
So, questions for guys who have done more NAT than I have:
1. Is the NAT policy I want even possible?
2. Is the methodology I've described right?
3. What IP address/interface should I be applying security policies (inbound and outbound) on? The translated address? The untranslated address? Both?
Can anyone shed some light for me, please? I'm scratching my head here.
Thanks
06-08-2017 05:56 PM
Hey Darren,
Can you please try the below?
Outbound NAT rule
==============
Original packet:
Translated packet:
Inbound NAT rule
==============
Original packet:
Translated packet:
Outbound Security Rule
==================
Source Zone - Trust
Source Address - 10.10.10.10
Destination zone - Untrust
Destination address - Any
... (fill the rest yourself)
Inbound Security Rule
==================
Source Zone - Untrust
Source Address - Any
Destination zone - Trust
Destination Address - 1.1.1.123
... (fill the rest yourself)
For testing purposes, keep your NAT & security rules at the top to avoid any conflicts.
Let me know if that works.
Regards,
Anurag
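As an added illustration (not from the thread, and not PAN-OS code) of why the inbound security rule in the reply above matches on the post-NAT destination zone Trust but the pre-NAT destination address 1.1.1.123: a small Python model of the firewall's lookup order. The zone prefixes for Untrust (198.51.100.0/30) and Trust (10.0.0.0/8) are constructed assumptions; the DMZ /25 and the two hosts are from the thread.

```python
import ipaddress

# Constructed zone table: zone -> directly attached (or routed) prefix.
ZONES = {
    "Untrust": ipaddress.ip_network("198.51.100.0/30"),  # assumed outside /30
    "DMZ": ipaddress.ip_network("1.1.1.0/25"),           # public /25 from the thread
    "Trust": ipaddress.ip_network("10.0.0.0/8"),         # inside RFC1918 space, summarized
}

# Bi-directional static NAT from the thread: 1.1.1.123 <-> 10.10.10.10.
STATIC_NAT = {"public": "1.1.1.123", "private": "10.10.10.10"}

# Security rules as in the reply: (name, from_zone, src, to_zone, dst).
# Addresses are evaluated PRE-NAT, zones POST-NAT.
SECURITY_RULES = [
    ("outbound", "Trust", "10.10.10.10", "Untrust", "any"),
    ("inbound", "Untrust", "any", "Trust", "1.1.1.123"),
]

# A plausible mis-zoned inbound rule (assumption): destination zone taken from
# where 1.1.1.123 lives (DMZ) instead of where the translated packet egresses.
WRONG_ZONE_RULES = [("inbound-wrong", "Untrust", "any", "DMZ", "1.1.1.123")]


def zone_of(ip):
    """Route lookup: the zone whose prefix contains ip; anything else is Untrust."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if zone != "Untrust" and addr in net:
            return zone
    return "Untrust"


def apply_nat(src, dst):
    """One-to-one static NAT in both directions; no port translation."""
    if dst == STATIC_NAT["public"]:
        return src, STATIC_NAT["private"]
    if src == STATIC_NAT["private"]:
        return STATIC_NAT["public"], dst
    return src, dst


def evaluate(src, dst, rules=SECURITY_RULES):
    """Return the first matching rule name (or None) using pre-NAT IPs and post-NAT zones."""
    _, nat_dst = apply_nat(src, dst)
    from_zone = zone_of(src)      # ingress zone is decided before NAT
    to_zone = zone_of(nat_dst)    # egress zone is decided on the translated destination
    for name, fz, s, tz, d in rules:
        if fz == from_zone and tz == to_zone and s in ("any", src) and d in ("any", dst):
            return name
    return None
```

Running `evaluate("203.0.113.5", "1.1.1.123")` matches "inbound", while the same packet against `WRONG_ZONE_RULES` matches nothing, which is the failure mode described later in the thread.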
06-08-2017 08:12 PM
Thank you Sir, you are a legend.
I was applying the inbound security rule on the wrong zone, and everything was failing.
Now it's not.
Appreciate your assistance.