Hi @ccortijo ,

- From your zones I can see that you use the default "loopback" interface. I am not sure if this is a correct configuration, but the general approach when creating a loopback is to create a new interface with an identifier at the end, like the picture below.

[image: aleksandarastardzhiev_0-1700821708461.png]

Same goes for the tunnel interface.
It is possible that the way you have configured it works as well, but I am not sure.

- From your interfaces it looks like your firewall outside interface is private (192.168.1.2) and you haven't configured the subnet. Is this because you have tried to hide your public IP, or is there another device in front of the firewall that is performing NAT and translating the public IP to 192.168.1.2?

- If there is another device that is performing the NAT before the firewall, your NAT rules don't seem correct:

1. The rule at the top, NATting the FW external IP to the DMZ server, is applying to any service, which will shadow any rule below it, so the GP rule will never be hit.

2. If there is NAT before the firewall, your GP NAT rule will also use 192.168.1.2 as the original destination. However, it must be put above the DMZ rule.

- If there is NAT in front of the FW, your security rule also seems wrong.

1. You need to use 192.168.1.2 as the destination and not the public IP, because the device before the FW will do the translation.

2. You will need two separate rules for GP and DMZ, because security rules use post-NAT zones. This means that in the security rule you need to allow the addresses from before the NAT, but use the zones after the NAT. Since the GP loopback is in WAN-CYBER, your security rule should have source and destination zone = WAN-CYBER. However, your DMZ server is in a different zone, so you need a second security rule allowing again 192.168.1.2 as the destination, but this time the destination zone should be DMZ Servidor CAU.

The GP portal setting for the external gateway is correct; you need to enter the public IP there.
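The shadowing described above, as an added example that is not part of the original thread: a small first-match NAT evaluator with two constructed rules modelled on the post, both keyed on the pre-NAT address 192.168.1.2. The GP service (tcp/443) and the translated addresses are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    name: str
    orig_dst: str                          # pre-NAT destination address
    service: Optional[Tuple[str, int]]     # (proto, port), or None for "any"
    translated_dst: str                    # placeholder value, assumed

    def matches(self, dst: str, proto: str, port: int) -> bool:
        if dst != self.orig_dst:
            return False
        return self.service is None or self.service == (proto, port)

def first_match(rules, dst, proto, port):
    """NAT policy is evaluated top-down; the first matching rule wins."""
    for rule in rules:
        if rule.matches(dst, proto, port):
            return rule.name
    return None

def shadowed(rules):
    """Names of rules that can never be hit: an earlier rule with the same
    original destination and 'any' (or an identical) service precedes them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_dst = earlier.orig_dst == later.orig_dst
            covers = earlier.service is None or earlier.service == later.service
            if same_dst and covers:
                hidden.append(later.name)
                break
    return hidden

# Constructed rules: DMZ rule translates any service, GP rule only tcp/443 (assumed).
DMZ = NatRule("DMZ-Servidor-CAU", "192.168.1.2", None, "10.0.0.10")
GP = NatRule("GP-Portal", "192.168.1.2", ("tcp", 443), "10.0.0.1")

AS_POSTED = [DMZ, GP]   # order from the thread: GP is shadowed
CORRECTED = [GP, DMZ]   # GP above DMZ: both rules can be hit

if __name__ == "__main__":
    print("as posted, tcp/443 hits:", first_match(AS_POSTED, "192.168.1.2", "tcp", 443))
    print("shadowed as posted:", shadowed(AS_POSTED))
    print("corrected, tcp/443 hits:", first_match(CORRECTED, "192.168.1.2", "tcp", 443))
    print("corrected, tcp/8080 hits:", first_match(CORRECTED, "192.168.1.2", "tcp", 8080))
```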
