Security Policies and NAT

mavant
Not applicable

Hi,

I have configured a BYOD wireless SSID that is being forced to the internet via a port on our 2050. I am trying to get the network to be able to contact our mail server for Exchange on mobile devices and also to have access to our content server redirect page. Our internal IP address for the BYOD is in the 172.x.x.x range. I am NATing these IPs to a public 204.x.x.x address.

The two servers I need to have these devices access both have NATed public IP addresses and are located on our internal network. I have tried setting up policies that utilize the source zone as the BYOD zone I created and the source address is the IP range of the BYOD internal network. For the destination I have tried both the internal IP of the servers and the public NAT IP of the servers but cannot get communication between clients on the internal BYOD network and the two servers with the public NAT. I am having trouble determining the flow of things. Any suggestions?

Thanks

Mark

gwesson
L7 Applicator

It sounds like you need to configure U-Turn NAT. This does NAT on the firewall but changes some parameters so that it hits the internal server directly rather than sending the traffic out to the Internet first.

Check this document out to see if it describes the issue and solves the problem:

How to Configure U-Turn NAT

Hope this helps!

Greg

MRPAM
L1 Bithead

Hi,

I have configured NAT for one web server (one-to-one, server in the same zone as the clients) and Security Policies

NAT Pol.jpg

Sec Pol.jpg

This configuration enables the web service to function, but prevents the server from connecting to the internet (I mean, it disconnects the server). Is there a need for additional configuration in order to solve this problem?

panos
L6 Presenter

Your second NAT rule (U-turn) has to be separated into 2 rules.

1 for DMZ

1 for LAN

for DMZ you have to use source and destination NAT both

for LAN you only need destination NAT

also there should be a NAT rule downwards from these for internet with any destination address with source NAT

MRPAM
L1 Bithead

Thank you for the feedback. But I can't understand; please reply with an example.

panos
L6 Presenter

1- Clone inforep2 rule

2- Make the rules' source zone DMZ for one, LAN for the second rule

3- Source DMZ rule will have both source and destination NAT, so do not touch it

4- Source LAN rule will have only destination NAT, so clear the source NAT

5- Write a third rule, if there is not one, for internet access: source zone DMZ and LAN, destination address any, source NAT with WAN interface.

Is that clear?
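A simplified model of the rule order in steps 1-5 above, as an added example that is not part of the original thread. It assumes NAT rules are matched top-down, first match wins, on the zones of the pre-NAT packet; the addresses, zone prefixes, rule names and the use of the firewall's DMZ interface address as the U-turn source translation are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed documentation addresses and zone layout, not values from the thread.
ZONES = {"DMZ": "192.0.2.0/24", "LAN": "198.51.100.0/24"}   # everything else: WAN
SERVER_PUBLIC, SERVER_PRIVATE = "203.0.113.10", "192.0.2.10"
FW_DMZ_IP, FW_WAN_IP = "192.0.2.1", "203.0.113.1"

def zone_of(addr: str) -> str:
    """Zone chosen by a route lookup on the address as it appears in the packet."""
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONES.items():
        if ip in ipaddress.ip_network(net):
            return zone
    return "WAN"

@dataclass
class NatRule:
    name: str
    src_zones: frozenset
    dst_zone: str
    dst_addr: str                      # "any" or one pre-NAT address
    src_xlate: Optional[str] = None    # None: leave the source untouched
    dst_xlate: Optional[str] = None    # None: leave the destination untouched

# Steps 1-5: two U-turn rules, then the internet rule below them.
RULES = [
    NatRule("uturn-dmz", frozenset({"DMZ"}), "WAN", SERVER_PUBLIC, FW_DMZ_IP, SERVER_PRIVATE),
    NatRule("uturn-lan", frozenset({"LAN"}), "WAN", SERVER_PUBLIC, None, SERVER_PRIVATE),
    NatRule("internet", frozenset({"DMZ", "LAN"}), "WAN", "any", FW_WAN_IP, None),
]

def translate(rules, src: str, dst: str):
    """Return (rule name, post-NAT source, post-NAT destination)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)    # pre-NAT zones
    for r in rules:                                    # top-down, first match wins
        if (src_zone in r.src_zones and dst_zone == r.dst_zone
                and r.dst_addr in ("any", dst)):
            return r.name, r.src_xlate or src, r.dst_xlate or dst
    return None, src, dst

if __name__ == "__main__":
    for src, dst in [("192.0.2.50", SERVER_PUBLIC), ("198.51.100.7", SERVER_PUBLIC),
                     (SERVER_PRIVATE, "203.0.113.200")]:
        print(src, "->", dst, translate(RULES, src, dst))
    # Internet rule moved to the top: the U-turn flow loses its destination NAT.
    print(translate(RULES[::-1], "192.0.2.50", SERVER_PUBLIC))
```

The server's public address resolves to WAN in the lookup even though the server itself sits in the DMZ, which is why both U-turn rules in this model use WAN as the destination zone.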

panos
L6 Presenter

Also try to monitor the logs for the server; look for source NAT and destination address in the logs to see if there is anything missing.

Filter the logs for the server and upload a picture so that we can also look.

MRPAM
L1 Bithead

Sorry, is it correct or... please check

test.jpg

panos
L6 Presenter

Rule 2 destination zone: make it WAN.

Also, is there another rule for LAN to access the internet?

There should also be a NAT rule from LAN to WAN.

MRPAM
L1 Bithead

There is also a LAN rule for access to the internet. This rule is in the NAT Pol.

pol.jpg

The problem is...

The server's internet is not working (DMZ to internet www.*).

But the web service is working (WAN from DMZ).
