topic Re: Manual NAT rule with service translation, not translating service in Firewall and Security Management

Manual NAT rule with service translation, not translating service

Sam_Ponder — Thu, 20 Mar 2025 14:08:02 GMT

Hi All,

I'm having some troubles with using manual NAT rules to translate a service. I do have manual arp entries added and the merge arp enabled.

From testing and from some packet captures, I can see that when traffic is destined for ms-mail2 it is natting to the correct IP, however the service isn't being translated from smtp(port 25) to smtp-alt(port 465).

This is my first venture down the manual NAT rules and I feel like I am missing something small.

Basically, wanting to do this. When port 25 traffic comes in on 66.66.66.1 it NATs to 10.10.10.11 and stays port 25, When port 25 traffic comes in on 66.66.66.2 it NATs to 10.10.10.11 and translates to port 465.

Can someone please provide some guidance?

Thanks in advance!

Sam

Edit: to add more description

Re: Manual NAT rule with service translation, not translating service

Lesley — Tue, 25 Mar 2025 20:21:24 GMT

Does the traffic hit the correct NAT rule? How does the traffic log look like?

Maybe fwmonitor capture will give a hint

# fw monitor -e "host(x.x.x.x),accept;" -o outputfile.cap

in order to filter for inbound and outbound traffic related to host x.x.x.x.

Re: Manual NAT rule with service translation, not translating service

AkosBakos — Wed, 26 Mar 2025 12:02:20 GMT

I hope, I understood correctly:

My guess are:

ORIGINAL DST: 66.66.66.1
ORIGINAL Services: smtp
translates src: orginal
translated dst: 10.10.10.11

ORIGINAL DST: 66.66.66.2
ORIGINAL Services: smtp
translates src: orginal
translated dst: 10.10.10.11
translated service: 465

Have a try.

Akos

Re: Manual NAT rule with service translation, not translating service

Sam_Ponder — Wed, 26 Mar 2025 14:53:53 GMT

Hi Akos,

Yes, that is what I am using, well that and the reverse for outbound translation.

Re: Manual NAT rule with service translation, not translating service

AkosBakos — Wed, 26 Mar 2025 15:44:18 GMT

Ok. Do you have any hits on the rules?

Re: Manual NAT rule with service translation, not translating service

Sam_Ponder — Wed, 26 Mar 2025 15:50:48 GMT

Hi Lesley,

The capture shows it translating the address but not translating the service/port.

Re: Manual NAT rule with service translation, not translating service

Sam_Ponder — Wed, 26 Mar 2025 15:54:27 GMT

no hits on the outbound nat rule, inbound nat rule shows a few, but it isnt translating the port/service. The firewall rule has hits on it, though it show nat 0 as the matching nat rule, in smartconsole logs. This is a clustered pair of 5400s.

Edit for clarification.

Re: Manual NAT rule with service translation, not translating service

AkosBakos — Wed, 26 Mar 2025 16:07:17 GMT

Can you share a depersonalized screenshot of the ACL, which allows the inbound and outbound traffic?

Maybe for easier understandig: if you set an automatic NAT for SMTP-> then check the rules that are created (NAT rulebase) -> you will get a impression how should look like the NAT for only SMTP

Then you will be able to copy it and expand the rules with ports etc.

Re: Manual NAT rule with service translation, not translating service

Sam_Ponder — Wed, 26 Mar 2025 19:08:57 GMT

Akos,

Here you go. I want to add. Since initially starting this thread, I have it working on the firewall at our DR location. Initially, I got it working in Vegas by recreating the network objects that were in use and then it started working.

The IndyFW cluster, isn't behaving the same.

Edit: I am leaving on PTO today, returning on Monday