NAT based on source address and destination address and destination port

Leon_Jaimes1 — Thu, 25 Jul 2019 19:44:05 GMT

Hello,

I wanted to run this by the board here, and maybe help others looking for a similar answer.

I have a firewall migration where the existing NAT is set up to translate traffic from different sources destined to the the same public IP (not the interface IP), and different ports.

The use cases are as follows:

Incoming packet from src:3.3.3.3 dst:2.2.2.1 port:4567, translate to src:3.3.3.3 dst:10.2.2.1 port:4567
Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:5678, translate to src:4.4.4.4 dst: 10.4.4.1 port:5678
Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:5678, translate to src:4.4.4.5 dst: 10.4.4.1 port:5678
Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:6789, translate to src:4.4.4.4 dst: 10.4.4.1 port:6789
Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:6789, translate to src:4.4.4.5 dst: 10.4.4.1 port:6789
Incoming packet from src:5.5.5.5 dst:2.2.2.1 port:7890, translate to src:5.5.5.5 dst: 10.5.5.1 port:7890

Lines 2,3,4,5 represent a group of source hosts that connect to multiple destination ports.

Field Abreviations: Orignal Source(OSrc), Original Destination(ODst), Orignal Service(OSrv), Translated Source(TSrc), Translated Destination(TDst), Translated Service(TSrv)

I believe that I need to configure manual rules for each of these as follows, and also configure a proxy arp entry for 2.2.2.1:

OSrc:3.3.3.3 ODst:2.2.2.1 OSrv:4567 TSrc:Original TDst:10.2.2.1 TSrv:Original
OSrc:10.2.2.1 ODst:3.3.3.3 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:5678 TSrc:Original TDst:10.4.4.1 TSrv:Original
OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:6789 TSrc:Original TDst:10.4.4.1 TSrv:Original
OSrc:10.4.4.1 ODst:(4.4.4.4-4.4.4.5) OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
OSrc:5.5.5.5 ODst:2.2.2.1 OSrv:7890 TSrc:Original TDst:10.5.5.1 TSrv:Original
OSrc:10.5.5.1 ODst:5.5.5.5 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original

With lines 3 and 4, since the return traffic will be the same, there is only line 5 that is needed, but this is because I am assuming that the use of Any for the original port for the return traffic is correct.

Does this look correct, or is there a better way to do this without manual NAT?

Thanks,

Leon

Re: NAT based on source address and destination address and destination port

PhoneBoy — Fri, 26 Jul 2019 00:21:00 GMT

Because port factors in, manual rules are what you have to use.
Curious why you're using two rules for these different use cases.
Is it because the traffic could be initiated from either end?

Re: NAT based on source address and destination address and destination port

Leon_Jaimes1 — Fri, 26 Jul 2019 03:36:47 GMT

On the two rules, I might be misunderstanding the Manual NAT. I thought it needed the rule to match the reverse traffic. Or is that incorrect and the return traffic matches the rule that was used by the initiating traffic?

[edit] - The traffic may need to be initiated from either side as well, I will double check on that.

Re: NAT based on source address and destination address and destination port

PhoneBoy — Fri, 26 Jul 2019 17:41:52 GMT

If it could be initiated from either side, then you need NAT rules for both directions.
Otherwise, you only need NAT rules in one direction, which will handle reply traffic.

topic NAT based on source address and destination address and destination port in Firewall and Security Management

NAT based on source address and destination address and destination port

Re: NAT based on source address and destination address and destination port

Re: NAT based on source address and destination address and destination port

Re: NAT based on source address and destination address and destination port