

NAT Reflection

I'm trying to configure NAT reflection in the XG.  Is there a guide somewhere for that feature?  (Essentially, I need to have an outside IP forward back inside the network)  Thanks!



  • To do this, you would need to create a Business Application Rule with the following details:

    Non HTTP Based Policy

    Host: Create an IP Host with a Network definition of your internal network (i.e. 192.168.1.0/24)

    Source Zone: LAN

    Hosted Address: Create an IP Host definition for the external IP you're wanting to reflect

    Protected Zone: LAN

    Protected Application Servers: Create an IP Host definition which you want to reflect the connections to

    Forward all the ports or create specific port forwarding definitions (take note, you can't do a TCP & UDP forward in one rule; you will need 2 rules, one for TCP ports and one for UDP ports, if you aren't going to forward all ports).

    Rewrite Source Address: On

    Use Outbound Address: Create a NAT Policy with the Internal IP of the XG. You do this to prevent an asynchronous route: because the sending IP of the device is internal, the internal IP you're reflecting the data to will be dropped by the device, because it's not expecting a connection from an internal address; it's expecting it from an external one.

    Log Firewall Traffic: On

    That should be what you need to do. If this was the UTM, it would be called a Full NAT rule :)

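As an added illustration (not code from the thread or from Sophos), here is a small Python model of the two translations the rule above performs on a reflected connection, showing why the reply path only works when the source is rewritten to the XG's internal IP. All addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # Host: internal network definition
EXTERNAL_IP = "203.0.113.10"                    # Hosted Address (public IP being reflected)
SERVER_IP = "192.168.1.20"                      # Protected Application Server
XG_LAN_IP = "192.168.1.1"                       # XG internal IP used as the Outbound Address
CLIENT_IP = "192.168.1.50"                      # internal client talking to the public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class ReflectingFirewall:
    """Models the DNAT (and optional SNAT) the Business Application Rule applies."""

    def __init__(self, rewrite_source: bool):
        self.rewrite_source = rewrite_source
        self.conntrack = {}  # (translated src, translated dst) -> original (src, dst)

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst == EXTERNAL_IP:  # new flow hitting the hosted address
            new_src = XG_LAN_IP if self.rewrite_source else pkt.src
            out = Packet(new_src, SERVER_IP)
            self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
            return out
        key = (pkt.dst, pkt.src)  # reply: look up and reverse the translation
        if key in self.conntrack:
            orig_src, orig_dst = self.conntrack[key]
            return Packet(orig_dst, orig_src)
        return pkt


def reaches_router(pkt: Packet) -> bool:
    """A LAN host only sends via the XG when the destination is off-subnet or the XG itself."""
    return ipaddress.ip_address(pkt.dst) not in LAN or pkt.dst == XG_LAN_IP


def client_reply_source(rewrite_source: bool):
    """Source address the client sees on the reply, or None when the reply is unusable."""
    fw = ReflectingFirewall(rewrite_source)
    to_server = fw.forward(Packet(CLIENT_IP, EXTERNAL_IP))  # request is off-subnet, so XG sees it
    reply = Packet(to_server.dst, to_server.src)  # server answers whoever it saw as the source
    if reaches_router(reply):
        reply = fw.forward(reply)  # XG reverses DNAT/SNAT on the way back
    # the client's TCP stack only matches a reply from the address it connected to
    return reply.src if reply.dst == CLIENT_IP and reply.src == EXTERNAL_IP else None
```

Without the source rewrite the server answers the client directly on the LAN, so the reply never passes back through the XG and arrives from 192.168.1.20 instead of the public IP the client connected to.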