Server Access Assistant (DNAT)

Hello,

I just upgraded from v17 to v18.

Now I am going through the task of cleaning up all of the firewall and now the NEW NAT rules.

I decided to remove my previous NAT rules and use the Server access assistant (DNAT).

When using this, it will create your firewall RULE and 3 NAT rules: DNAT, Loopback and Reflexive.

After doing this I was going a bit crazy trying to understand WHY the loopback rule WAS NOT WORKING.

After running through a bunch of test scenarios I found that the firewall rule may not have been created correctly.

The firewall rule was ONLY created with WAN as the source. But in the case of loopback the source is LAN, correct?

When I added LAN to the source for the firewall rule, everything was then working.

Can someone please tell me what I am doing wrong, OR whether this is maybe a bug in the wizard?

Thank You,

Peter Geremia

  • Hi,

    Let me try to re-create the issue locally to confirm, and I will get back to you.

  • In reply to Vishal_R:

    Essentially, why do you need a loopback NAT in the first place?

    In V18, most stuff is handled by the Default NAT Rule to MASQ to the Internet. If you need a special case for SNAT (MASQ) for the outbound IP, it would be easier to create the NAT yourself and use the attached Firewall Rule to allow this stuff. 

  • In reply to LuCar Toni:

    I run a number of servers that are accessible via the Internet. This includes a security DVR, mail, web, etc.

    When I am on the local network I want to access these via the Internet address, not the local address.

    I.e.: I need to access the different websites by their full Internet URL.

    Without loopback I cannot get to those servers from inside the network, only from outside.

    -Pete

  • In reply to Peter Geremia:

    Hello Peter,

    When creating from the wizard, you would need to manually define the matching criteria.

    1) The DNAT rule would have from ANY to ANY criteria, which should have WAN as the source and LAN or ANY as the destination.

    2) Make sure NAT MASQ is applied on the Loopback/Reflexive rule, as there is a possibility of asymmetric routing.

    3) Check the packet capture provided under Diagnostics using TCPDUMP to see if it follows the correct NAT rule ID.

  • In reply to Aditya Patel:

    I verified that if I do not have LAN as the source zone for the traffic, the loopback traffic (LAN to internal server via WAN IP) drops right to the DROP ALL rule at the end of the policy.

    Here is what my FW rule looks like. I believe this is correct. I did check NAT IDs against PCAP and it all looks right.

    Thank You,

    Pete
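A small model of the packet flow Pete describes, added here as an illustration and not part of the thread or of the Sophos product: DNAT is applied before the firewall rule is matched, so a LAN client reaching the WAN IP is matched with source zone LAN, and a rule whose source zones contain only WAN lets that traffic fall through to the final drop. The addresses, the zone lookup and the MASQ behaviour on the loopback path are constructed assumptions.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FW_LAN_IP = "192.168.1.1"    # firewall LAN interface, used as the MASQ address
WAN_IP = "203.0.113.10"      # public IP the DNAT rule listens on
SERVER_IP = "192.168.1.50"   # internal web server
SERVICE_PORT = 443

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Zone follows the interface the address sits behind (LAN subnet vs. anything else)."""
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "WAN"

def apply_dnat(pkt: Packet) -> Packet:
    """DNAT rule: traffic to the WAN IP on the service port is sent to the server."""
    if pkt.dst == WAN_IP and pkt.dport == SERVICE_PORT:
        return replace(pkt, dst=SERVER_IP)
    return pkt

def apply_loopback_snat(pkt: Packet) -> Packet:
    """Loopback/reflexive SNAT (MASQ): if client and server are in the same zone,
    rewrite the source to the firewall so the server's reply returns via the
    firewall instead of straight to the client (asymmetric routing)."""
    if zone_of(pkt.src) == zone_of(pkt.dst):
        return replace(pkt, src=FW_LAN_IP)
    return pkt

def firewall_verdict(pkt: Packet, rule_src_zones: frozenset) -> str:
    """The wizard's firewall rule is matched after DNAT: destination zone is LAN,
    source zone is whatever zone the client really sits in."""
    post = apply_dnat(pkt)
    if (zone_of(post.src) in rule_src_zones and zone_of(post.dst) == "LAN"
            and post.dport == SERVICE_PORT):
        return "ACCEPT"
    return "DROP ALL"  # nothing else matched: default drop at the end of the policy

def trace(client_ip: str, rule_src_zones: frozenset) -> tuple:
    """(verdict, client zone, packet as forwarded) for a client hitting the WAN IP."""
    pkt = Packet(client_ip, WAN_IP, SERVICE_PORT)
    verdict = firewall_verdict(pkt, rule_src_zones)
    forwarded = apply_loopback_snat(apply_dnat(pkt)) if verdict == "ACCEPT" else None
    return verdict, zone_of(client_ip), forwarded
```

Calling `trace("192.168.1.20", frozenset({"WAN"}))` reproduces the DROP ALL Pete saw; adding "LAN" to the zone set yields ACCEPT with the source masqueraded to the firewall's LAN IP.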

  • In reply to Peter Geremia:

    Hello Peter,

    DO check the packet capture while tweaking the rules; you may use a filter based on port or host.

    e.g. BPF strings:

    host <ipaddress>

    port <portnumber>

    host <ipaddress> and port <portnumber>

    host <ipaddress> or port <portnumber>