Security Policies and NAT


Hi,

I have configured a BYOD wireless SSID that is forced out to the internet via a port on our 2050. I am trying to get the network to be able to contact our mail server for Exchange on mobile devices and also to have access to our content server redirect page. Our internal IP address range for the BYOD is in the 172.x.x.x range. I am NATing these IPs to a public 204.x.x.x address.

The two servers I need these devices to access both have NATed public IP addresses and are located on our internal network. I have tried setting up policies that use the BYOD zone I created as the source zone and the IP range of the BYOD internal network as the source address. For the destination I have tried both the internal IP of the servers and the public NAT IP of the servers, but cannot get communication between clients on the internal BYOD network and the two servers with the public NAT. I am having trouble determining the flow of things. Any suggestions?

Thanks

Mark

L7 Applicator

Re: Security Policies and NAT

It sounds like you need to configure U-Turn NAT. This does NAT on the firewall but changes some parameters so that it hits the internal server directly rather than sending the traffic out to the Internet first.

Check this document out to see if it describes the issue and solves the problem:

How to Configure U-Turn NAT

Hope this helps!

Greg

L1 Bithead

Re: Security Policies and NAT

Hi

I have configured a one-to-one NAT for a web server (the server is in the same zone as the clients) and security policies:

NAT Pol.jpg

Sec Pol.jpg

This configuration enables the web service to function, but prevents the server from connecting to the internet (I mean it disconnects the server). Is there a need for additional configuration to solve this problem?

L6 Presenter

Re: Security Policies and NAT

Your second NAT rule (U-turn) has to be separated into two rules:

One for DMZ

One for LAN

For DMZ you have to use both source and destination NAT.

For LAN you only need destination NAT.

Also, below these there should be a NAT rule for internet access with any destination address and source NAT.

L1 Bithead

Re: Security Policies and NAT

Thank you for the feedback, but I can't understand. Please reply with an example.

L6 Presenter

Re: Security Policies and NAT

1- Clone the inforep2 rule.

2- Make the source zone DMZ for one rule and LAN for the second rule.

3- The source DMZ rule will have both source and destination NAT, so do not touch it.

4- The source LAN rule will have only destination NAT, so clear the source NAT.

5- Write a third rule, if there is not one already, for internet access: source zone DMZ and LAN, destination address any, source NAT with the WAN interface.

Is that clear?
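As an added example (not from this thread or from Palo Alto Networks), a small Python model of the rule split in steps 1-5 above: it shows why the DMZ rule needs source NAT while the LAN rule only needs destination NAT, and where the catch-all internet rule sits. The zones, subnets, addresses and rule objects are constructed; rules are matched on the pre-NAT destination zone, so the server's public IP counts as WAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (not the poster's): one subnet per zone plus the firewall's interface IPs.
ZONES = {"LAN": ip_network("10.1.0.0/24"), "DMZ": ip_network("10.2.0.0/24"),
         "WAN": ip_network("203.0.113.0/24")}
FW_IF = {"LAN": "10.1.0.1", "DMZ": "10.2.0.1", "WAN": "203.0.113.1"}
SERVER_PUBLIC, SERVER_PRIVATE = "203.0.113.80", "10.2.0.80"  # one-to-one NAT pair

def zone_of(ip):
    """Route lookup on an untranslated address; anything unknown is reached via WAN."""
    return next((z for z, n in ZONES.items() if ip_address(ip) in n), "WAN")

@dataclass
class NatRule:
    src_zone: str
    dst_zone: str        # zone of the PRE-NAT destination, so the public IP means WAN
    dst_ip: str          # exact address or "any"
    translated_dst: str  # None keeps the original destination
    src_nat: bool        # translate the source to the egress interface IP

def apply_nat(rules, src, dst):
    """First matching rule wins; returns (post-NAT src, post-NAT dst) or None."""
    for r in rules:
        if (r.src_zone == zone_of(src) and r.dst_zone == zone_of(dst)
                and r.dst_ip in ("any", dst)):
            new_dst = r.translated_dst or dst
            new_src = FW_IF[zone_of(new_dst)] if r.src_nat else src
            return new_src, new_dst
    return None

def uturn_works(rules, client):
    """Client connects to the server's public IP; does the server's reply get back?"""
    t = apply_nat(rules, client, SERVER_PUBLIC)
    if t is None or t[1] != SERVER_PRIVATE:
        return False
    post_src, post_dst = t
    # The server answers whatever source it saw. A client on the server's own subnet gets
    # that reply directly from the private IP while waiting for one from the public IP, so
    # the session never completes; a reply to the firewall's interface IP is translated back.
    direct_reply = (ip_address(post_src) in ZONES[zone_of(post_dst)]
                    and post_src != FW_IF[zone_of(post_dst)])
    return not direct_reply

# Steps 1-5 as rules, U-turn rules above the catch-all internet rule (order matters).
SPLIT_RULES = [NatRule("DMZ", "WAN", SERVER_PUBLIC, SERVER_PRIVATE, src_nat=True),
               NatRule("LAN", "WAN", SERVER_PUBLIC, SERVER_PRIVATE, src_nat=False),
               NatRule("DMZ", "WAN", "any", None, src_nat=True)]
# Constructed counterexample: the DMZ U-turn rule with its source NAT cleared.
DMZ_NO_SRC_NAT = [NatRule("DMZ", "WAN", SERVER_PUBLIC, SERVER_PRIVATE, src_nat=False)]
```

Calling `uturn_works(SPLIT_RULES, "10.2.0.50")` and `uturn_works(SPLIT_RULES, "10.1.0.50")` both succeed, while `uturn_works(DMZ_NO_SRC_NAT, "10.2.0.50")` fails because the server replies to the client directly.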

L6 Presenter

Re: Security Policies and NAT

Also try to monitor the logs for the server; look for the source NAT and destination address in the logs to see if there is anything missing.

Filter the logs for the server and upload a picture so that we can also look at it.

L1 Bithead

Re: Security Policies and NAT

Sorry, is it correct or...? Please check.

test.jpg

L6 Presenter

Re: Security Policies and NAT

For rule2, make the destination zone WAN.

Also, is there another rule for LAN to access the internet?

There should also be a NAT rule from LAN to WAN.

L1 Bithead

Re: Security Policies and NAT

There is also a LAN rule to access the internet. This rule is in the NAT policy:

pol.jpg

The problem is ...

The server is not working with the internet (DMZ to internet, www.*).

But the web service is working (WAN from DMZ).
