Hi,
I've got the following case on a customer site:
Internal webserver on LAN, needs to be accessed from same or different internal LAN on the external IP, normally I use a loopback NAT rule and this works.
Since a few weeks we had to switch to SD-WAN, VPN, Static, because of a default gateway rule on the BGP they have, we cannot change this back.
Now the loopback does not work anymore. And I cannot figure out why.
On my own XG (Software) I recreated the situation and Loopback does not work anymore, so it's reproduceable.
From logs it seems to be going well for the outgoing NAT rule, but nothing comes in on the in coming rule. External access still works.
Changing the route precedence back to static, vpn, sd-wan makes the loopback work again, but like I said that is not an option for the customer.
This is the log message from the loopback nat rule:
Firewallmessageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="149" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" nat_rule_id="12" nat_rule_name="Loopback_NAT#10_DNAT to S-HB-NAS03_1732722564663" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="1" gw_name_request="Port2_IPv4_GW" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="2" sdwan_route_name_request="[TEMP] S-HB-NAS03" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="LAG01" in_display_interface="LAG01" out_interface="Port2" out_display_interface="Port2" src_mac="A0:36:9F:7F:39:34" dst_mac="7C:5A:1C:50:82:36" src_ip="172.16.24.221" src_country="R1" dst_ip="84.28.225.14" dst_country="NLD" protocol="TCP" src_port="65364" dst_port="5013" packets_sent="5" packets_received="0" bytes_sent="260" bytes_received="0" src_trans_ip="172.16.24.254" src_trans_port="0" dst_trans_ip="172.16.24.113" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1917939033" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"
Internal webserver: 172.16.24.113 port 5013
External x.x.x.x :5013
Firewall rule:
NAT rule:
Loopback:
SD-WAN:
The customer site is more complicated with much more SD-WAN rules but i need it to work here first.
Maybe LuCar Toni can have a look?
Edited TAGs
[edited by: Erick Jan at 8:47 AM (GMT -8) on 28 Nov 2024]