VIP(NAT) configuration problem?


Hi, I have a little problem ;)

Consider that we have a server A with the ip address 10.

And server B with the IP address 20.

And a real IP address of 100.

I want to set up a NAT, so that if a web service comes to IP 100, it would forward this to 10

And if a mail service comes to IP 100 it would forward it to 20.

And I would like both servers to go out with the IP address of 100.

How can I do this?

I made rules of

dest 100 with service 80 destination nat static to 10

dest 100 with service 25 destination nat static to 20

source 10 any any sourcenat to static 100

source 20 any any sourcenat to static 100

What am I missing here?

After reading a couple of documents I have changed the configuration like:

from zone internet to zone internet dest 100 with service 80 destination nat to 10

from zone internet to zone internet dest 100 with service 25 destination nat to 20

and removed the other two rules but nothing changed.

thanks in advance,



have you also set the security policy as

internet - internal - any - 10 - port 80 (or application web-browsing)

internet - internal - any - 20 - port 25 (or application smtp)

(security rules are post-NAT, so the internal IPs are used)

rgds

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Nope, I have set the rules like

from internet to internal destination external IP for service(web/smtp) allow.

You mean I should do it like

from internet to internal destination "internal IP" for service (web/smtp) allow.

right?

I will try and let you know.

thanks..

Change the source zone and the destination zone to be "Internet".

You can verify the traffic using:

show session all filter source 1.1.1.1

This will provide a list of session IDs associated with the 1.1.1.1 address and tell you the application.

View the individual session using:

show session id ###

This will show you the details, ingress and egress interfaces, NAT and Security rules processing the packet.

Make sure you have a security rule that allows from the outside or internet to the inside of your network for the ports or IP addresses mentioned in your NAT rules.

Steve Krall

Security rules are post-NAT, but NAT is not actually implemented until packet egress. This means that for the inbound, destination-NAT packets the external IPs should be used in the policy. For the outbound initiated traffic the internal IPs should be used in the security policy.

The NAT rules are only for the direction the traffic is initiated. Traffic initiated from the Internet will be destination-NATted and the return traffic in the same session will correctly use the same NATted IP as the source IP. Traffic initiated from the internal network will not hit the first two NAT rules, so you will need an outbound NAT rule. You can have a single source-NAT rule that encompasses both internal IPs for your purposes.

How exactly is it not working?  Are packets not hitting the Security Policy?  Do you see them in the logs but with the incorrect NAT IP's in the details?

Cheers,

Kelly
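A toy model of the evaluation order Kelly describes (NAT lookup on the original zones, security policy on post-NAT zones but pre-NAT addresses), added here as an example; it is not code from the thread or from Palo Alto Networks, and the addresses, zone names and rule names are constructed.

```python
# Toy model of firewall rule evaluation (constructed example, not vendor code).
# Assumptions: NAT rules match on the original (pre-NAT) zones and destination;
# security rules match on post-NAT zones but on the pre-NAT destination address.
PUBLIC_IP, WEB_IP, MAIL_IP = "192.0.2.100", "10.0.0.10", "10.0.0.20"  # constructed


def zone_for(ip):
    """Route-lookup stand-in: private addresses live in 'internal', rest in 'internet'."""
    return "internal" if ip.startswith("10.") else "internet"


# Destination-NAT rules as the poster wrote them: (name, from_zone, to_zone, dst, port, translated_dst)
NAT_RULES = [
    ("dnat-web", "internet", "internet", PUBLIC_IP, 80, WEB_IP),
    ("dnat-smtp", "internet", "internet", PUBLIC_IP, 25, MAIL_IP),
]

# Two candidate security policies: (name, from_zone, to_zone, dst, port)
SEC_EXTERNAL_DST = [  # destination = pre-NAT public IP (what the poster originally had)
    ("allow-web", "internet", "internal", PUBLIC_IP, 80),
    ("allow-smtp", "internet", "internal", PUBLIC_IP, 25),
]
SEC_INTERNAL_DST = [  # destination = translated internal IP
    ("allow-web", "internet", "internal", WEB_IP, 80),
    ("allow-smtp", "internet", "internal", MAIL_IP, 25),
]


def evaluate(src_ip, dst_ip, dport, sec_rules):
    """Return (matched NAT rule, matched security rule); None means no match."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    nat_hit, post_dst = None, dst_ip
    for name, fz, tz, dip, port, translated in NAT_RULES:
        if (fz, tz, dip, port) == (src_zone, dst_zone, dst_ip, dport):
            nat_hit, post_dst = name, translated
            break
    post_dst_zone = zone_for(post_dst)  # zone is re-derived from the translated address
    for name, fz, tz, dip, port in sec_rules:
        # Security lookup: post-NAT zones, but the packet still carries the pre-NAT destination.
        if (fz, tz, dip, port) == (src_zone, post_dst_zone, dst_ip, dport):
            return nat_hit, name
    return nat_hit, None


if __name__ == "__main__":
    print(evaluate("203.0.113.5", PUBLIC_IP, 80, SEC_EXTERNAL_DST))  # ('dnat-web', 'allow-web')
    print(evaluate("203.0.113.5", PUBLIC_IP, 25, SEC_INTERNAL_DST))  # ('dnat-smtp', None)
```

The second call shows why a security rule written against the internal IP never matches inbound traffic: the NAT rule fires, but the policy lookup still sees the public destination address.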

This issue was actually related to the MAC address table on the routing device in front of the firewall.

Important thing to remember: reset the MAC table on devices that store MAC addresses (router, switch, ...) if you replace a firewall.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for your help guys.
