topic Re: Configuring NAT translation and snmp traffic in Firewall and Security Management

Configuring NAT translation and snmp traffic

Arturxr — Thu, 14 Jul 2022 07:41:02 GMT

After setting up NAT snmp translation, traffic goes only one way, there are no answers from the router, while on the router we see its response.

Re: Configuring NAT translation and snmp traffic

Chris_Atkinson — Thu, 14 Jul 2022 08:06:42 GMT

Do you see the return traffic in a packet capture on the Firewall?

Re: Configuring NAT translation and snmp traffic

Arturxr — Thu, 14 Jul 2022 08:25:02 GMT

how can we check it?

Re: Configuring NAT translation and snmp traffic

Chris_Atkinson — Thu, 14 Jul 2022 09:08:03 GMT

Using one of the following tools from the CLI:

fw monitor (sk30583)
cppcap (sk141412)
tcpdump

Also what service object is used in your rule both to allow the traffic and for the NAT?

Re: Configuring NAT translation and snmp traffic

Arturxr — Thu, 14 Jul 2022 10:22:55 GMT

reverse traffic is not visible.

attached a screenshot of the objects.

Re: Configuring NAT translation and snmp traffic

Chris_Atkinson — Thu, 14 Jul 2022 11:23:40 GMT

Please check the routing is symmetric or that there are no ACLs on the router impacting the traffic.

Both objects are used in the NAT policy?

Re: Configuring NAT translation and snmp traffic

Arturxr — Thu, 14 Jul 2022 14:24:48 GMT

routing is symmetrical, both objects are in NAT, no ACLs

Re: Configuring NAT translation and snmp traffic

Tobias_Moritz — Fri, 15 Jul 2022 13:33:52 GMT

Maybe an ARP issue?

If you use source NAT (not clear from your post if its source or destination NAT), then there are cases where you have to take care of ARP.

This is what I mean:

Simple Topology:

whatever is behind the router <- ROUTER eth2 (10.0.0.1) <- eth1 (10.0.0.254) GATEWAY eth 2 (172.16.0.1) <- Client (172.16.0.20)

Example 1:

You set a source NAT with translating 172.16.0.20 to 10.0.0.254. This will work out of the box.

Example 2:

You set a source NAT with translating 172.16.0.20 to 10.0.0.200. This will only work, if you setup 10.0.0.200 as proxy arp address in GAIA for that interface or activated the automatic proxy arp feature. Or you put a static arp entry in your routers ARP table (not recommended). Or you set a route on your router routing 10.0.0.200/32 to 10.0.0.254 (unusual).

Example 3:

You set a source NAT with translating 172.16.0.20 to 5.5.5.5. This will only work, if you set a route on your router routing 5.5.5.5/32 to 10.0.0.254.

Re: Configuring NAT translation and snmp traffic

Chris_Atkinson — Fri, 15 Jul 2022 14:13:48 GMT

Need to investigate why the traffic doesn't reach the gateway, depending on your NAT configuration it might be proxy-ARP issue or a problem elsewhere.