
Source and Destination port in reflexive rule

If we check the reflexive rule option in a DNAT rule, what will be the source and destination of the reflexive rule?

Let's say we have a DNAT rule for HTTP and the original port and translated port are the same. So the source port range is 1:65535 and the destination port is 80.

So what will be the source port and destination port in reflexive rule?



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    The reflexive rule will allow traffic from the server (source) to the source specified (destination) in the DNAT rule. The reflexive rule reverses the matching criteria of the DNAT rule, which means the source port for the reflexive rule would be the port range (1:65535) and the destination port would be 80.

    Check out the following document for more info: NAT rules.

    Thanks,

  • Hi,

    Thanks for your reply.

    I have a DNAT rule for internal clients (LAN) to communicate with a server on a range of UDP ports.

    LAN - 192.168.9.0/24

    Server - 192.168.250.10/24

    service
    ---------
    Source port - 1024:65535
    Destination port - 16384:19384

    Reflexive rule is also checked.

    But I can see in the logs that the server is communicating with LAN clients with source port 16384:19384, destination port 1024:65535.

    It is confusing.
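As an added example (not from this thread and not the firewall vendor's code), the following Python models the matching criteria of the DNAT rule described in the post above, derives its reflexive rule by swapping source and destination as the first reply describes, and then checks a few constructed log lines against both rules so you can see which direction of traffic each rule matches. The log line layout is invented for the example, and the server is assumed to be the single host 192.168.250.10 rather than the /24 written above.

```python
"""Which flows a DNAT rule and its reflexive rule match.

Added example for this thread, not the firewall vendor's code. The rule values
(LAN 192.168.9.0/24, server 192.168.250.10, UDP ports 1024:65535 -> 16384:19384)
come from the thread; the log line format below is constructed for the example.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def __post_init__(self) -> None:
        if not 0 <= self.lo <= self.hi <= 65535:
            raise ValueError(f"invalid port range {self.lo}:{self.hi}")

    def contains(self, port: int) -> bool:
        return self.lo <= port <= self.hi

    def __str__(self) -> str:
        return f"{self.lo}:{self.hi}"


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: IPv4Address
    src_port: int
    dst_ip: IPv4Address
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    """Matching criteria of a NAT rule. Translation targets are left out because
    the question is only about which source/destination the rule matches."""
    name: str
    proto: str
    src_net: IPv4Network
    src_ports: PortRange
    dst_net: IPv4Network
    dst_ports: PortRange

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto
                and f.src_ip in self.src_net and self.src_ports.contains(f.src_port)
                and f.dst_ip in self.dst_net and self.dst_ports.contains(f.dst_port))

    def reflexive(self) -> "NatRule":
        # Reverse the matching criteria: source and destination swap places,
        # addresses and port ranges alike.
        return NatRule(f"{self.name}-reflexive", self.proto,
                       self.dst_net, self.dst_ports, self.src_net, self.src_ports)

    def __str__(self) -> str:
        return (f"{self.name}: {self.proto} {self.src_net} ports {self.src_ports}"
                f" -> {self.dst_net} ports {self.dst_ports}")


# Constructed log layout for this example; real firewall logs differ.
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<sip>[\d.]+):(?P<sp>\d+)\s+dst=(?P<dip>[\d.]+):(?P<dp>\d+)")


def parse_log_line(line: str) -> Flow:
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Flow(m["proto"].lower(), ip_address(m["sip"]), int(m["sp"]),
                ip_address(m["dip"]), int(m["dp"]))


def first_match(rules: Iterable[NatRule], line: str) -> Optional[str]:
    """Name of the first rule whose criteria match the logged flow, else None."""
    flow = parse_log_line(line)
    for rule in rules:
        if rule.matches(flow):
            return rule.name
    return None


# The DNAT rule from the thread. The server is modelled as a single host (/32);
# the thread writes it as 192.168.250.10/24, which is assumed to mean the host.
DNAT = NatRule("lan-to-server-udp", "udp",
               ip_network("192.168.9.0/24"), PortRange(1024, 65535),
               ip_network("192.168.250.10/32"), PortRange(16384, 19384))
REFLEXIVE = DNAT.reflexive()
RULES = (DNAT, REFLEXIVE)

# Constructed log lines: client -> server, server -> client (the direction the
# thread reports), and a server -> client packet from outside the port range.
SAMPLE_LOG = (
    "proto=UDP src=192.168.9.25:51234 dst=192.168.250.10:17000",
    "proto=UDP src=192.168.250.10:17000 dst=192.168.9.25:51234",
    "proto=UDP src=192.168.250.10:20000 dst=192.168.9.25:51234",
)

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
    for line in SAMPLE_LOG:
        print(f"{line}  ->  {first_match(RULES, line)}")
```

Running the script prints both rules and the rule name each constructed log line matches. The derived reflexive rule carries the DNAT rule's destination port range (16384:19384) as its source port range and the DNAT rule's source port range (1024:65535) as its destination port range, so a server-to-client flow with those ports is the one the reflexive rule matches, while a server packet from outside that range matches neither rule.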

  • Why do you need a NAT Rule in the first place? 

    DNAT is to forward certain traffic to a particular Network and "Translate" traffic. It looks like you are using NAT internally, which "should" not be needed. 

  • It is our requirement. The clients should be contacting the public IP to connect to the server in DMZ.

  • Ok, but why do you need a reflexive rule? 

    The DNAT should be enough to redirect the requests from the Public IP to the Server. Simply use "Full NAT" (SNAT + DNAT) in one rule.

    If you are not doing this, the Server will talk back directly to the Client. That could cause unexpected Network traffic.

    A reflexive rule would "turn the table" and allow the Server to establish a connection to the clients, which sounds like something you do not want to do?


  • This is the exact requirement we need. The clients need to contact the server and vice versa with the same UDP ports.

    But the unexpected behaviour we observe is that the server is connecting to the client with the source and destination ports interchanged.