04-09-2012 02:54 PM
I am trying to provide for some 1-to-1 NAT on our PAN, which I thought would be an easy task. However, my configuration insists on using the interface IP address for outbound connections. Here is my setup.
Untrusted Network Interface IP: x.x.x.10/29
Trusted Network Interface IP: y.y.y.4/16
Mail Server Public IP: x.x.x.12/32
Mail Server Private IP: y.y.y.50/32
Security_Policy_1
source zone: trusted
source address: y.y.y.50/16
destination zone: untrusted
destination address: any
NAT_Policy_1
Original Packet Source Zone: trusted
Original Packet Destination Zone: untrusted
Original Packet Source Address: x.x.x.12/32
Translated Packet: Static IP
Translated Address: y.y.y.50/32
Bi-Directional: yes
Viewed from the mail server, it uses the interface IP to communicate, rather than the desired mail server's IP. Where am I going wrong here? Thank you
Michael
04-09-2012 03:56 PM
Check out if:
can be of any help (especially example 3, DMZ server outbound to Internet)?
If I'm not mistaken, the security rule is applied before SNAT happens, which means you should use the real IP of the server and not the SNATed IP (compared to DNAT, which happens before security rules are checked, which means that security rules must act on the DNATed IP).
04-09-2012 04:32 PM
Hi Michael,
To map the Mail Server Private IP: y.y.y.50/32 to the Mail Server Public IP: x.x.x.12/32, your bi-directional NAT configuration should look like this:
NAT_Policy_1
Original Packet Source Zone: trusted
Original Packet Destination Zone: untrusted
Original Packet Source Address: y.y.y.50/32
Translated Packet: Static IP
Translated Address: x.x.x.12/32
Bi-Directional: yes
Changes highlighted in BOLD.
Also make sure that your more specific NAT entries (statics, bi-directionals) are at the top of the NAT policies and your more generic outbound NAT policies are at the bottom.
Thanks,
Ahsan
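As an added illustration of Ahsan's two points (the Original Packet Source Address must be the server's real, pre-NAT address, and specific static rules must sit above the generic outbound rule), the following Python model of a first-match NAT lookup is not part of this thread or of PAN-OS; it is constructed here. It assumes a generic catch-all outbound rule that hides everything behind the untrusted interface IP (the thread implies one exists, since the interface IP was being used), stands in RFC 5737 / RFC 1918 addresses for the x.x.x / y.y.y placeholders, and models the implied reverse rule of a bi-directional static NAT as an explicit rule whose destination zone is the zone the public IP routes to (untrusted here, since x.x.x.12 lies in the untrusted interface subnet).

```python
"""Constructed model of first-match NAT policy lookup (not PAN-OS code).
Compares the thread's original NAT_Policy_1 with the corrected one, and
shows what happens when the generic outbound rule is ordered above it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stand-ins for the thread's placeholders (constructed addresses).
UNTRUST_IF_IP = "203.0.113.10"   # x.x.x.10/29 untrusted interface IP
MAIL_PUBLIC = "203.0.113.12"     # x.x.x.12/32 mail server public IP
MAIL_PRIVATE = "10.10.0.50"      # y.y.y.50/32 mail server private IP
REMOTE_HOST = "198.51.100.25"    # some host on the Internet


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    orig_src: str                         # original source, CIDR or "any"
    orig_dst: str                         # original destination, CIDR or "any"
    translated_src: Optional[str] = None  # static source translation
    translated_dst: Optional[str] = None  # static destination translation
    bidirectional: bool = False


@dataclass
class Packet:
    src_zone: str
    dst_zone: str   # zone the pre-NAT destination routes to
    src_ip: str
    dst_ip: str


def matches(ip: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def expand(rules: List[NatRule]) -> List[NatRule]:
    """A bi-directional static rule implies a reverse rule: packets from the
    translated side addressed to the translated IP are DNATed back to the
    original IP. Modelled here as an explicit rule placed right after it."""
    out: List[NatRule] = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.translated_src:
            out.append(NatRule(
                name=f"{r.name} (implied reverse)",
                src_zone=r.dst_zone,
                dst_zone=r.dst_zone,   # public IP routes to the untrusted zone
                orig_src="any",
                orig_dst=f"{r.translated_src}/32",
                translated_dst=r.orig_src.split("/")[0]))
    return out


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[str, str, str]:
    """Top-down, first matching rule wins; returns (rule name, src, dst)."""
    for r in expand(rules):
        if (r.src_zone == pkt.src_zone and r.dst_zone == pkt.dst_zone
                and matches(pkt.src_ip, r.orig_src) and matches(pkt.dst_ip, r.orig_dst)):
            return (r.name, r.translated_src or pkt.src_ip, r.translated_dst or pkt.dst_ip)
    return ("no-nat", pkt.src_ip, pkt.dst_ip)


# Assumed generic outbound rule: everything leaves behind the interface IP.
GENERIC_OUT = NatRule("Generic_Outbound", "trusted", "untrusted", "any", "any",
                      translated_src=UNTRUST_IF_IP)

# Michael's original NAT_Policy_1: the original source is the *public* IP,
# which no packet leaving the mail server ever carries.
ORIGINAL_POLICY_1 = NatRule("NAT_Policy_1", "trusted", "untrusted",
                            f"{MAIL_PUBLIC}/32", "any",
                            translated_src=MAIL_PRIVATE, bidirectional=True)

# Ahsan's corrected NAT_Policy_1: the original source is the private IP.
CORRECTED_POLICY_1 = NatRule("NAT_Policy_1", "trusted", "untrusted",
                             f"{MAIL_PRIVATE}/32", "any",
                             translated_src=MAIL_PUBLIC, bidirectional=True)

OUTBOUND = Packet("trusted", "untrusted", MAIL_PRIVATE, REMOTE_HOST)
INBOUND = Packet("untrusted", "untrusted", REMOTE_HOST, MAIL_PUBLIC)


def outbound_source(rules: List[NatRule]) -> str:
    """Source IP the Internet sees for traffic the mail server originates."""
    return apply_nat(rules, OUTBOUND)[1]


def inbound_destination(rules: List[NatRule]) -> str:
    """Destination IP after NAT for Internet traffic sent to the public IP."""
    return apply_nat(rules, INBOUND)[2]


if __name__ == "__main__":
    for label, rules in [("original", [ORIGINAL_POLICY_1, GENERIC_OUT]),
                         ("corrected", [CORRECTED_POLICY_1, GENERIC_OUT]),
                         ("corrected, generic rule on top", [GENERIC_OUT, CORRECTED_POLICY_1])]:
        print(f"{label}: outbound src -> {outbound_source(rules)}, "
              f"inbound dst -> {inbound_destination(rules)}")
```

With the original rule, outbound traffic never matches NAT_Policy_1 and falls through to the generic rule, so the Internet sees the interface IP, which is the symptom in the first post; the implied reverse rule never matches inbound traffic either, so the public IP is never translated to the server. With the corrected rule both directions translate as intended. With the corrected rule ordered below the generic one, inbound still works but outbound again leaves from the interface IP, which is why the specific static rules belong at the top.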
04-10-2012 05:50 PM
That was very helpful and allowed the server to web-browse using the correct IP address.
That same server is not available from the Internet. I created an inbound security rule:
Mail Server Public IP: x.x.x.12/32
Mail Server Private IP: y.y.y.50/32
Security_Policy_2
source zone: untrusted
source address: any
destination zone: trusted
destination address: x.x.x.12/32
I also tried
Security_Policy_2
source zone: untrusted
source address: any
destination zone: trusted
destination address: y.y.y.50/32
Neither is getting me there.
Thank you,
Michael
04-10-2012 11:13 PM
What does your traffic log tell you?
04-12-2012 02:25 PM
With some expert advice, I was able to complete this task. Essentially, don't use the bi-directional translation option; use two distinct rules, one for inbound and one for outbound.