
SDWAN and Loopback NAT

Hi,

I've got the following case on a customer site:

Internal webserver on LAN, which needs to be accessed from the same or a different internal LAN on the external IP. Normally I use a loopback NAT rule and this works.

Since a few weeks ago we have had to switch to SD-WAN, VPN, Static because of a default gateway rule on the BGP they have; we cannot change this back.

Now the loopback does not work anymore. And I cannot figure out why.

On my own XG (software) I recreated the situation and loopback does not work anymore, so it is reproducible.

From the logs it seems to be going well for the outgoing NAT rule, but nothing comes in on the incoming rule. External access still works.

Changing the route precedence back to Static, VPN, SD-WAN makes the loopback work again, but as I said, that is not an option for the customer.

This is the log message from the loopback NAT rule:

Firewallmessageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="149" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" nat_rule_id="12" nat_rule_name="Loopback_NAT#10_DNAT to S-HB-NAS03_1732722564663" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="1" gw_name_request="Port2_IPv4_GW" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="2" sdwan_route_name_request="[TEMP] S-HB-NAS03" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="LAG01" in_display_interface="LAG01" out_interface="Port2" out_display_interface="Port2" src_mac="A0:36:9F:7F:39:34" dst_mac="7C:5A:1C:50:82:36" src_ip="172.16.24.221" src_country="R1" dst_ip="84.28.225.14" dst_country="NLD" protocol="TCP" src_port="65364" dst_port="5013" packets_sent="5" packets_received="0" bytes_sent="260" bytes_received="0" src_trans_ip="172.16.24.254" src_trans_port="0" dst_trans_ip="172.16.24.113" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1917939033" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"

Internal webserver: 172.16.24.113 port 5013

External x.x.x.x :5013

Firewall rule:

NAT rule:

Loopback:

SD-WAN:

The customer site is more complicated, with many more SD-WAN rules, but I need it to work here first.

Maybe   can have a look?

  • Just to make sure: why do you need a loopback? 
    And the issue might be easy: 
    your SD-WAN rule hits for this traffic. 
    If you look at the SD-WAN rule, it includes Internetv4, which means ALL IPv4 addresses, including your WAN IP. 
    So if a client now accesses the loopback, it will hit the SD-WAN rule and SFOS will redirect the traffic out the internet WAN. 

    To work around this, or resolve it, there are two different approaches: 
    you could edit the Internetv4 object and build a new range (excluding your WAN IP), 
    or you could build a new SD-WAN rule, only for internal to WAN IP, and use a new gateway which points to your internal network. 
    Both should work. 

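The reply above explains the failure mode (an SD-WAN rule whose destination object Internetv4 covers the firewall's own WAN IP, so hairpin traffic to the public IP is steered out the WAN gateway instead of back to the LAN) and the first workaround (a destination range that excludes the WAN IP). The script below is an added example written for this page; it is not from the post, the reply, or Sophos. It does two things: it parses Sophos Firewall key="value" log lines and flags connections that show the symptom from the post (a DNAT to an internal host was applied, yet the request was forwarded via a WAN gateway by an SD-WAN route and got no reply packets), and it computes the set of networks that equals 0.0.0.0/0 minus the firewall's public IPs, which is what the "exclude your WAN IP" workaround needs. The two log records are constructed samples modelled on the line in the post; the field values of a healthy hairpin (empty gw_name_request, sdwan_route_id_request of 0, LAN out_interface) are an assumption, and the names of public IPs and WAN gateways are passed in by the caller.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (not real captures) in the Sophos Firewall key="value"
# log format, trimmed to the fields the check needs. Record 1 mirrors the line in the
# post: a LAN client hits the public IP, the DNAT to 172.16.24.113 is applied, but the
# request is steered by SD-WAN route 2 via the WAN gateway and never gets a reply.
# Record 2 is an ASSUMED healthy hairpin: same DNAT, no SD-WAN route, no WAN gateway.
SAMPLE_LOGS = [
    'log_type="Firewall" log_subtype="Allowed" nat_rule_id="12" '
    'nat_rule_name="Loopback_NAT#10_DNAT to S-HB-NAS03_1732722564663" '
    'gw_id_request="1" gw_name_request="Port2_IPv4_GW" sdwan_route_id_request="2" '
    'sdwan_route_name_request="[TEMP] S-HB-NAS03" in_interface="LAG01" '
    'out_interface="Port2" src_ip="172.16.24.221" dst_ip="84.28.225.14" '
    'protocol="TCP" src_port="65364" dst_port="5013" packets_sent="5" '
    'packets_received="0" src_trans_ip="172.16.24.254" dst_trans_ip="172.16.24.113" '
    'con_id="1917939033"',
    'log_type="Firewall" log_subtype="Allowed" nat_rule_id="12" '
    'nat_rule_name="Loopback_NAT#10_DNAT to S-HB-NAS03_1732722564663" '
    'gw_id_request="0" gw_name_request="" sdwan_route_id_request="0" '
    'sdwan_route_name_request="" in_interface="LAG01" '
    'out_interface="LAG01" src_ip="172.16.24.221" dst_ip="84.28.225.14" '
    'protocol="TCP" src_port="65370" dst_port="5013" packets_sent="9" '
    'packets_received="7" src_trans_ip="172.16.24.254" dst_trans_ip="172.16.24.113" '
    'con_id="1917939034"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_log(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict; values may be empty strings."""
    return dict(KV_RE.findall(line))


def flag_misrouted_hairpin(rec: Dict[str, str], public_ips: Iterable[str],
                           wan_gateways: Iterable[str]) -> Optional[str]:
    """Return a reason string if the record looks like a hairpin (client -> own public
    IP) that was DNATed but still sent out a WAN gateway, otherwise None."""
    if rec.get("dst_ip") not in set(public_ips):
        return None                                   # not aimed at our public IP
    dnat_target = rec.get("dst_trans_ip", "")
    if not dnat_target or dnat_target == rec["dst_ip"]:
        return None                                   # DNAT did not apply at all
    if rec.get("gw_name_request", "") not in set(wan_gateways):
        return None                                   # stayed internal: healthy
    reasons = [f"DNAT {rec['dst_ip']} -> {dnat_target} but forwarded via "
               f"{rec['gw_name_request']} ({rec.get('out_interface', '?')})"]
    if rec.get("sdwan_route_id_request", "0") != "0":
        reasons.append(f"steered by SD-WAN route {rec['sdwan_route_id_request']} "
                       f"'{rec.get('sdwan_route_name_request', '')}'")
    if rec.get("packets_received") == "0":
        reasons.append("no reply packets")
    return "; ".join(reasons)


def triage(lines: Iterable[str], public_ips: Iterable[str],
           wan_gateways: Iterable[str]) -> List[Tuple[str, str]]:
    """Run the check over many log lines; returns (con_id, reason) for each hit."""
    hits = []
    for line in lines:
        rec = parse_sfos_log(line)
        reason = flag_misrouted_hairpin(rec, public_ips, wan_gateways)
        if reason:
            hits.append((rec.get("con_id", "?"), reason))
    return hits


def exclude_wan_ips(base: str, public_ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the list of networks covering `base` (e.g. 0.0.0.0/0, i.e. Internetv4)
    with every given public IP carved out: the ranges to put in a replacement
    SD-WAN destination object so hairpin traffic no longer matches it."""
    nets = [ipaddress.ip_network(base)]
    for ip in sorted(set(public_ips)):
        host = ipaddress.ip_network(f"{ip}/32")
        rebuilt = []
        for net in nets:
            if host.subnet_of(net):
                rebuilt.extend(net.address_exclude(host))   # split around the /32
            else:
                rebuilt.append(net)
        nets = rebuilt
    return sorted(nets)


def covers(nets: Iterable[ipaddress.IPv4Network], ip: str) -> bool:
    """True if any network in `nets` contains `ip` (used to verify the exclusion)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def total_addresses(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Number of addresses covered by `nets` in total."""
    return sum(net.num_addresses for net in nets)


if __name__ == "__main__":
    for con_id, reason in triage(SAMPLE_LOGS, {"84.28.225.14"}, {"Port2_IPv4_GW"}):
        print(f"con_id={con_id}: {reason}")
    for net in exclude_wan_ips("0.0.0.0/0", ["84.28.225.14"]):
        print(net)
```

The triage check is deliberately strict: a record is only flagged when all three signs line up (destination is one of the firewall's public IPs, a DNAT target was set, and the request still left through a WAN gateway), so a healthy hairpin or ordinary outbound traffic to a third-party host is not reported. The exclusion builder produces 32 CIDR blocks for a single /32 carved out of 0.0.0.0/0, which is the price of expressing "everything except our own address" as ranges; each further public IP adds a few more blocks.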

  • Hi,

    Thanks both solutions work.

    The loopback (not a real loopback rule but combined with a DNAT rule) is used for a (guests) network that has only public DNS, and they want to use this network to connect to the local webserver, so it has to go through the public IP. They have multiple IPs on the outside, so the guests network uses a different IP than the webserver DNAT rule.

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect