Question about Security Policies and NAT

L2 Linker

I'm working on developing my rule base prepping for implementation.  I'm noticing that a lot of my inbound rules, i.e.:

Where the destination is an address object with my internal IP.  Now of course I have NAT rules to statically NAT the traffic inbound and outbound.  Outbound (handled by another rule), the log shows the internal IP address as the source IP.  However, for inbound traffic the log shows the destination IP as the NAT address and does not catch on the rule above.  Looking at the details of the log it shows that it is being NAT'd correctly and what not.  Is this normal behavior?  Do I need two objects (even though I know I don't need an object) for each IP, an external object and an internal object?  Should the rule above contain the destination object of the external IP?

Just FYI, this behavior didn't always seem to be the case.  As I went back through my logs I saw where it looked as though this rule was catching as it should have been.  Recently I went from one VR to three VRs to handle redundant ISPs.  Could this be the reason we see it logged this way?

TIA,

Daniel

L6 Presenter

yes, the inbound traffic will need to use a security policy with an address object that uses the external (public) IP address.

-Benjamin

L6 Presenter

Inbound connection for security policy should reflect the destination's public IP. NAT rule will DNAT it to a private address. Perhaps that's the reason for the logging discrepancy. Also, I would put your inbound NAT above your source NAT rule for outbound access. It'd be nice to be able to look at your session table if this issue persists, however.
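The behaviour both replies describe, as an added example (not the firewall's code and not from anyone in the thread): a small Python model of first-match NAT and security lookups in which the security policy is matched on the original, pre-NAT addresses but on the post-NAT zones, which is how PAN-OS evaluates it. Zones, addresses and rule names are constructed; the destination NAT rule is listed before the source NAT rule, as the reply advises.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: 198.51.100.5 is the public address, 10.0.0.5 the
# internal server behind a static NAT. Zone lookup stands in for the route lookup.
ZONES = {"trust": ip_network("10.0.0.0/8"), "untrust": ip_network("0.0.0.0/0")}

def zone_of(addr: str) -> str:
    # Most specific matching zone network wins (longest-prefix stand-in).
    ip = ip_address(addr)
    return max((z for z, n in ZONES.items() if ip in n), key=lambda z: ZONES[z].prefixlen)

# NAT rules, first match wins; destination NAT placed above source NAT.
NAT_RULES = [
    {"name": "inbound-web", "from": "untrust", "to": "untrust",
     "dst": "198.51.100.5", "dnat_to": "10.0.0.5"},
    {"name": "outbound-snat", "from": "trust", "to": "untrust",
     "dst": "any", "snat_to": "198.51.100.5"},
]

# Security rules, first match wins: the question's rule written with the
# internal object, the corrected rule using the public object, and the outbound rule.
SECURITY_RULES = [
    {"name": "web-internal-obj", "from": "untrust", "to": "trust",
     "src": "any", "dst": "10.0.0.5", "dport": 443},
    {"name": "web-public-obj", "from": "untrust", "to": "trust",
     "src": "any", "dst": "198.51.100.5", "dport": 443},
    {"name": "out-internal-obj", "from": "trust", "to": "untrust",
     "src": "10.0.0.5", "dst": "any", "dport": "any"},
]

def _m(rule_val, val) -> bool:
    return rule_val == "any" or rule_val == val

def evaluate(src: str, dst: str, dport: int):
    """Return (NAT rule, security rule) the session would log, None where nothing matched."""
    from_zone, pre_nat_to_zone = zone_of(src), zone_of(dst)
    nat = next((r for r in NAT_RULES if r["from"] == from_zone
                and r["to"] == pre_nat_to_zone and _m(r["dst"], dst)), None)
    # The post-NAT destination zone comes from the translated address, but the
    # policy lookup still compares the original (pre-NAT) source and destination.
    post_nat_to_zone = zone_of(nat["dnat_to"]) if nat and "dnat_to" in nat else pre_nat_to_zone
    sec = next((r for r in SECURITY_RULES if r["from"] == from_zone
                and r["to"] == post_nat_to_zone and _m(r["src"], src)
                and _m(r["dst"], dst) and _m(r["dport"], dport)), None)
    return (nat["name"] if nat else None, sec["name"] if sec else None)
```

Inbound traffic to the public address skips the rule written with the internal object and lands on the public-object rule, while outbound traffic still matches on the internal source address, which is exactly the log pattern the question describes.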
