Question about Security Policies and NAT

L2 Linker

I'm working on developing my rule base, prepping for implementation. I'm noticing that a lot of my inbound rules, i.e.:

Where the destination is an address object with my internal IP. Now of course I have NAT rules to statically NAT the traffic inbound and outbound. Outbound (handled by another rule), the log shows the internal IP address as the source IP. However, for inbound traffic the log shows the destination IP as the NAT address and does not catch on the rule above. Looking at the details of the log it shows that it is being NAT'd correctly and whatnot. Is this normal behavior? Do I need two objects (even though I know I don't need an object) for each IP, an external object and an internal object? Should the rule above contain the destination object of the external IP?

Just FYI, this behavior didn't always seem to be the case. As I went back through my logs I saw where it looked as though this rule was catching as it should have been. Recently I went from one VR to three VRs to handle redundant ISPs. Could this be the reason we see it logged this way?

TIA,

Daniel

2 REPLIES

L6 Presenter

yes, the inbound traffic will need to use a security policy with an address object that uses the external (public) IP address.

-Benjamin

L6 Presenter

Inbound connection for security policy should reflect the destination's public IP. NAT rule will DNAT it to a private address. Perhaps that's the reason for the logging discrepancy. Also, I would put your inbound NAT above your source NAT rule for outbound access. It'd be nice to be able to look at your session table if this issue persists, however.
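As an added illustration of the lookup order both replies describe (not code from the thread or from Palo Alto Networks), the following Python model runs the route lookup, the top-down NAT match, and then the security-policy match using pre-NAT addresses with the post-NAT destination zone. All addresses, zones and rule names are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not from the thread).
PUBLIC_IP, PRIVATE_IP = "203.0.113.10", "10.1.1.10"
ROUTES = [("10.1.0.0/16", "trust"), ("0.0.0.0/0", "untrust")]

# NAT rules are evaluated top-down; the inbound DNAT sits above the outbound SNAT,
# as the second reply recommends.
NAT_RULES = [
    {"name": "inbound-dnat", "from": "untrust", "to": "untrust", "dst": PUBLIC_IP, "dnat": PRIVATE_IP},
    {"name": "outbound-snat", "from": "trust", "to": "untrust", "dst": "any", "snat": PUBLIC_IP},
]
# Security rules match on pre-NAT addresses: inbound needs the public IP,
# outbound sees the private IP as the source.
SEC_RULES = [
    {"name": "allow-inbound-web", "from": "untrust", "to": "trust", "src": "any", "dst": PUBLIC_IP},
    {"name": "allow-outbound", "from": "trust", "to": "untrust", "src": PRIVATE_IP, "dst": "any"},
]

def zone_for(ip):
    """Longest-prefix route lookup: which zone does this address route to?"""
    for net, zone in sorted(ROUTES, key=lambda r: ip_network(r[0]).prefixlen, reverse=True):
        if ip_address(ip) in ip_network(net):
            return zone
    raise ValueError(f"no route for {ip}")

def match_ip(rule_ip, ip):
    return rule_ip == "any" or rule_ip == ip

def lookup(src, dst, src_zone, sec_rules=SEC_RULES):
    # 1. Route the original (pre-NAT) destination to find the NAT rule's "to" zone.
    pre_dst_zone = zone_for(dst)
    nat = next((r for r in NAT_RULES if r["from"] == src_zone and r["to"] == pre_dst_zone
                and match_ip(r["dst"], dst)), None)
    post_dst = nat["dnat"] if nat and "dnat" in nat else dst
    # 2. Security policy: post-NAT destination zone, but pre-NAT addresses.
    post_dst_zone = zone_for(post_dst)
    sec = next((r for r in sec_rules if r["from"] == src_zone and r["to"] == post_dst_zone
                and match_ip(r["src"], src) and match_ip(r["dst"], dst)), None)
    # The traffic log records the pre-NAT destination, which is why the
    # inbound log shows the public address rather than the internal one.
    return {"nat": nat["name"] if nat else None,
            "policy": sec["name"] if sec else None,
            "logged_dst": dst}

if __name__ == "__main__":
    print(lookup("198.51.100.7", PUBLIC_IP, "untrust"))   # inbound hits inbound-dnat / allow-inbound-web
    print(lookup(PRIVATE_IP, "198.51.100.7", "trust"))    # outbound hits outbound-snat / allow-outbound
```

Swapping the inbound rule's destination for `PRIVATE_IP` makes `lookup` return no policy match for inbound traffic, which reproduces the behavior the question describes.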
