NAT or Masquerade issue

I've installed a WSUS server on one subnet and I have workstations on another. My UTM is in between the two subnets. A third UTM interface connects to the internet. The workstations are failing to communicate with the WSUS server and I think the problem is some NATting that's going on in the UTM. The workstations show up on the WSUS server, but they all show the external IP of the UTM, rather than the internal IP of the workstations.

I don't have any specific SNAT entries for the workstations.

I do have a SNAT entry from the workstation subnet to IPv4 that uses this exact IP. My understanding is that's only applied to internet bound traffic.

I also have a masquerading rule from Any to the Internet interface. This also uses the same IP.

Any ideas where I've gone wrong?


  • Sounds a bit like a proxy issue. Do you have web filtering enabled and the WSUS and your internal network aren't skipped from it?

  • If Kevin's suggestion didn't fix the issue, do you get any hints from Accessing Internal or DMZ Webserver from Internal Network?

    Cheers - Bob

  • In reply to BAlfson:

    I don't have any specific SNAT entries for the workstations.

    I do have a SNAT entry from the workstation subnet to IPv4 that uses this exact IP. My understanding is that's only applied to internet bound traffic.

    I also have a masquerading rule from Any to the Internet interface. This also uses the same IP.


    My understanding with the above:

    1. The masquerading rule will make the workstations appear as your WAN interface to the web. OK

    2. The SNAT rule to any IPV4 will make your workstations appear as that IP to your WSUS server. This looks wrong to me as you do not want that. Don't use NAT for this and create your FW rules for the WSUS ports.

  • In reply to Louis-M:

    Sorry, looks like I typoed my original post. The SNAT rule is from our internal LAN to "Internet IPv4".

  • In reply to SteveHart:

    I also have a masquerading rule from Any to the Internet interface. This also uses the same IP.

    Not sure why you have an SNAT rule when you have a masquerading rule that does this for you?
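To make Louis-M's point concrete, here is an added example (not from the thread or from Sophos) that models the poster's two NAT rules as a first-match rule list and shows why a SNAT rule whose destination is "any IPv4" also rewrites workstation-to-WSUS traffic, while a masquerading rule bound to the internet interface does not. The addresses, interface names and the routing table are constructed assumptions; the evaluation order is first match, which for the WSUS-bound case does not matter because the masquerade rule never matches an internal interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the thread.
WORKSTATION_NET = ipaddress.ip_network("192.168.10.0/24")  # workstation subnet
WSUS_NET = ipaddress.ip_network("192.168.20.0/24")         # WSUS subnet
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")               # an "any IPv4" destination object
EXTERNAL_IP = "203.0.113.5"                                # UTM's internet-facing address

@dataclass
class NatRule:
    kind: str                        # "snat" (matches on destination) or "masq" (matches on out interface)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    out_iface: Optional[str] = None  # only used by "masq" rules
    to: str = EXTERNAL_IP            # address the source is rewritten to

def route_iface(dst: str) -> str:
    """Hypothetical routing table: the two internal subnets are directly attached, all else goes out 'wan'."""
    ip = ipaddress.ip_address(dst)
    if ip in WORKSTATION_NET:
        return "lan"
    if ip in WSUS_NET:
        return "dmz"
    return "wan"

def translate_source(src: str, dst: str, rules: List[NatRule]) -> str:
    """Return the source address the destination host will see; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = route_iface(dst)
    for r in rules:
        if s not in r.src:
            continue
        if r.kind == "snat" and d in r.dst:
            return r.to
        if r.kind == "masq" and iface == r.out_iface:
            return r.to
    return src  # no NAT applied, destination sees the real client address

# The rule set as the original poster described it: SNAT workstations -> any IPv4, plus masquerade on wan.
AS_CONFIGURED = [
    NatRule("snat", WORKSTATION_NET, ANY_IPV4),
    NatRule("masq", ANY_IPV4, ANY_IPV4, out_iface="wan"),
]
# Louis-M's suggestion: drop the broad SNAT rule; masquerading alone covers internet-bound traffic.
MASQ_ONLY = AS_CONFIGURED[1:]

if __name__ == "__main__":
    ws, wsus, web = "192.168.10.42", "192.168.20.10", "198.51.100.80"
    print(translate_source(ws, wsus, AS_CONFIGURED))  # 203.0.113.5: WSUS logs the UTM's external IP
    print(translate_source(ws, wsus, MASQ_ONLY))      # 192.168.10.42: WSUS sees the real workstation
    print(translate_source(ws, web, MASQ_ONLY))       # 203.0.113.5: internet traffic is still masqueraded
```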