NAT rule to change internal IP to another on same subnet?

cancel
Showing results for 
Search instead for 
Did you mean: 

NAT rule to change internal IP to another on same subnet?

L4 Transporter

Hi folks,

 

I have created a internal zone IP address I want to use as generic for FTP communications 192.168.1.9.

I want to NAT this IP to our current FTP server 192.168.1.19.  This way when our FTP server changes we just change our NAT rule rather than the rest of our partner companies firewalls, routes, etc.

 

I've created a DNAT rule and able to ping 192.168.1.9 and get a response from 192.168.1.19, but unable to connect via ftp.

 

I've done this before successfully between network zones (subnets) but not on the same zone (subnet) so far.

 

Any suggestions?

1 ACCEPTED SOLUTION

Accepted Solutions

For it to work from outside you need:

From zone - Untrust

To zone - Untrust

Destination Address - 96.68.102.139

Service - create new tcp-21 with protocol tcp and port 21

Destination translation - 192.168.32.19

 

NB! Place this new wan rule above WebServer1 rule because otherwise WebServer1 will NAT all ports to 192.168.1.9

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

View solution in original post

11 REPLIES 11

L7 Applicator

Hey do I understand correctly that clients and FTP server are both internal in 192.168.1.x subnet?

 

Can you show your DNAT rule?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

Thanks.  Maybe I should create a source bi-directional rule.  But do not want to disturb regular traffic to 192.168.1.19.

 

FTP-IP1 = 192.168.1.9

Private = 192.168.1.19

 

FTP_NAT.jpg

You have to add source nat also to the rule.

Traffic must source from firewall internal IP.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

Thank you.  Do you know if that would effect communications with clients that are currently connecting and using IP 192.168.1.19 directly?

This does not affect users connecting directly to .19

Issue is that if client from 192.168.1.x network connects to 192.168.1.9 that is DNATed further to 192.168.1.19 then reply packet is sent directly to original source IP because 192.168.1.19 identifies that source is in it's own subnet and does not need to send this packet to gateway.

Client who received reply packet from 192.168.1.19 will drop it because it does not know anything about 192.168.1.19 as client initiated connection to 192.168.1.9

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

I will come back to this one.  Unfortunately other projects, tasks, and priorities are totally interupting what I was doing here, but still need to confirm.  I will schedule some time soon to finish this thread.

Thanks Raido,

I would like to resolve this thread this week.

I have my DNAT rule in place and I can ping 192.168.1.9 (VIP) and get a response from 192.168.1.19 (FTP server), but ftp does not work when I try ftp://192.168.1.9.

 

How would I set up the correct SNAT rule for this to work?  I just tried this SNAT rule, but not working so far.

 

SNAT.jpg

Your original DNAT rule was fine.

All you were missing was Source NAT field.

Do not change other fields in your initial rule.

You need to have both Source NAT and Destination NAT configured in this single NAT policy.

 

Assume that your firewall internal IP is 192.168.1.1

In this case Source NAT is from this 192.168.1.1 IP

 

 

From zone - Trust

To zone - Trust

Source address - Any

Destination address - 192.168.1.9

Source translation - Dynamic-ip-port 192.168.1.1 (assuming this is your fw internal IP)

Destination translation - 192.168.1.19

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

Thanks Raido,

 

That is working for me internally now.  Still trying to wrap my head around it.  🙂

 

However, it does not work externally.  I have a security rule that opens everything to my public IP.  I have a NAT rule that translates public IP to 192.168.1.9 (and a source Dynamic IP and port to external interface IP).  Neither http or ftp work, just times out.  (I have a web server and ftp server here)

 

Curious if you comments about external connectivity?

Thank you for your guidance...

 

securities.jpg

Internet = 96.68.102.140 (one of my public IPs I use for internet access)

Copperfield = 192.168.1.1 (IP of internal LAN Interface)

NATs.jpg

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!