
How do you create a loopback/hairpin NAT to an Interface IP?

I am trying to publish multiple services to the Internet.  It is working fine using business rules.  But, I want to be able to add a loopback/hairpin NAT so that if someone inside the network uses the public IP to access the service they are redirected to the internal network.  I would also like this bound to an interface IP and not an IP object because it will not always be a static IP.

  • OK, I made some tests and found a definitive answer.

    Yes, it is possible. How to do that: just create a Business Rule for Non-HTTP Policy and specify as follows:

    Section: Source

    Host: Any

    Exceptions: none defined

    Section: Hosted Server

    Source Zone: Any

    Hosted Address: #Port2-a.b.c.d

    Section: Protected Application Server(s)

    Protected Zone: LAN (or DMZ)

    Protected Application Server(s): YourServerHost

    Forward all ports: no (off)

    Section: Port Forwarding

    as required

    Section: Routing

    Rewrite source address (Masquerading): Yes (On)

    Use Outbound Address: MASQ (or any NAT policy if you have more than one public IP address)

    Other sections: as required.

    The MOST important is the "Hosted Server" section. You MUST select the "Any" zone because it defines the interface which the traffic will come from (as I understand it). You must also select the hosted address from the firewall-supplied #Port2 (or any other WAN port you use) because this is your public IP.

    If you select WAN as the Source Zone, you will limit originating connections to those coming from any interface marked as WAN and automatically disable access to that rule from the LAN side.

    I have tested this on IMAP and SSH published to the Internet. When I was connecting from the LAN side using the external public address, the server reported the connection from the XG IP, not my LAN workstation IP.

    Regards,
    Slawek

  • Thanks for the info. I was wondering about the Hosted Address: #Port2-a.b.c.d. Is this your internal or external NIC?
  • It is the public IP and the interface is WAN.

    Regards,
    Slawek
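The following is an added walk-through, not code from this thread or from Sophos. It models the business rule above as two address rewrites (DNAT to the protected server, then the optional source masquerade) and traces a connection from a LAN workstation to the public IP through to the server's reply, so you can see why the Source Zone must be "Any" and why the server ends up logging the firewall's address rather than the workstation's. All addresses, the port numbers and the "LAN is 192.168.1.0/24" zone lookup are constructed assumptions standing in for #Port2-a.b.c.d and YourServerHost.

```python
"""Hairpin (loopback) NAT walk-through: why the business rule needs Source Zone
"Any" and masquerading on. Constructed example; the addresses below are
assumptions standing in for the page's #Port2-a.b.c.d and YourServerHost."""
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"        # plays the role of the #Port2 interface IP (assumed)
FW_LAN_IP = "192.168.1.1"      # firewall's own address on the protected LAN interface (assumed)
SERVER = "192.168.1.20"        # YourServerHost (assumed)
LAN_CLIENT = "192.168.1.50"    # workstation on the LAN (assumed)
INTERNET_CLIENT = "198.51.100.7"
PUBLISHED_PORTS = {22, 143}    # SSH and IMAP, the services the thread tested
CLIENT_SPORT = 51234           # client's ephemeral source port (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def zone_of(ip: str) -> str:
    """Toy zone lookup: the LAN is 192.168.1.0/24, everything else is WAN."""
    return "LAN" if ip.startswith("192.168.1.") else "WAN"


def apply_rule(pkt: Packet, source_zone: str, masquerade: bool):
    """Apply the business rule to a packet arriving at the firewall.

    Returns the translated packet, or None when the rule does not match."""
    # "Hosted Server -> Source Zone": WAN only matches WAN-originated traffic.
    if source_zone != "Any" and zone_of(pkt.src) != source_zone:
        return None
    # "Hosted Address" + "Port Forwarding": only the published ports on the WAN IP.
    if pkt.dst != WAN_IP or pkt.dport not in PUBLISHED_PORTS:
        return None
    out = replace(pkt, dst=SERVER)                   # DNAT to the protected server
    if masquerade:                                   # "Rewrite source address (Masquerading)"
        out = replace(out, src=FW_LAN_IP)            # SNAT to the firewall's LAN address
    return out


def hairpin_session(source_zone: str, masquerade: bool, client: str = LAN_CLIENT) -> dict:
    """Trace client -> public IP -> server -> client and report the outcome."""
    request = Packet(src=client, dst=WAN_IP, sport=CLIENT_SPORT, dport=22)
    fwd = apply_rule(request, source_zone, masquerade)
    if fwd is None:
        return {"matched": False, "server_sees": None, "reply_accepted": False}

    # The server answers whatever source address it saw.
    reply = Packet(src=SERVER, dst=fwd.src, sport=22, dport=fwd.sport)

    # A reply addressed to a LAN host goes straight across the switch and never
    # touches the firewall; a reply to the firewall itself, or to a non-LAN
    # address (default route), passes back through it and gets un-NATed.
    if reply.dst == FW_LAN_IP or zone_of(reply.dst) != "LAN":
        reply = Packet(src=WAN_IP, dst=client, sport=22, dport=CLIENT_SPORT)

    # The client only accepts a reply from the address:port it connected to.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (WAN_IP, 22, client, CLIENT_SPORT)
    return {"matched": True, "server_sees": fwd.src, "reply_accepted": accepted}


if __name__ == "__main__":
    for zone, masq in (("Any", True), ("Any", False), ("WAN", True)):
        print(f"LAN client, Source Zone={zone}, masquerade={masq}: {hairpin_session(zone, masq)}")
    print("Internet client, Source Zone=WAN, masquerade=False:",
          hairpin_session("WAN", False, client=INTERNET_CLIENT))
```

Running it shows the three outcomes the thread describes. With Source Zone "Any" and masquerading off, the rule matches, but the server replies directly to 192.168.1.50 across the switch; the workstation opened a connection to 203.0.113.10, receives a packet from 192.168.1.20 instead, and drops it. With masquerading on, the server sees the firewall's LAN address (the "XG IP" in Slawek's test), its reply is forced back through the firewall, and the reverse translation restores the public IP the client expects. With Source Zone "WAN", a LAN-originated packet never matches the rule at all, while the Internet client still works without any masquerade because its reply already leaves via the default route. The cost of masquerading every source, as this rule does, is that the server's logs no longer show real client addresses, including those of Internet clients; a separate rule that masquerades only LAN-zone sources would keep the public ones intact.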
