topic Mobile Access with NAT in the firewall in Firewall and Security Management

Mobile Access with NAT in the firewall

Enrique — Wed, 12 Feb 2020 17:17:07 GMT

Hello everyone,

After reading so many post here, I decided to join the community and this is my first post.

I'm configuring a Mobile Access from scratch. The MAP (Mobile Access Portal) is accessible through all interfaces. In the external interface we have private IP address configured, and so the ISP router (let's say 10.0.0.0/24. And .1 is the cluster floating IP, .1 and .2 are the gateway's IPs and .5 is the router). The router just forward all the traffic from a certain public IP address range (let's say 70.0.0.0/29).

I would like the MAP be accessible through one of the public IPs (70.0.0.1 for example). I tried several NAT rules to translate the 70.0.0.1 to the floaing IP address of the cluster (10.0.0.1). Also I tried to use the dynamic Object "LocalMachine".

From the traffic captures that I performed, I see that:

When I access to the floating IP address (https://10.0.0.1/sslvpn), the portal is reachable.
When I access to the public IP address (https://70.0.0.1/sslvpn), I see that the firewall is performing the NAT in the incoming traffic, but it is answering with RST packet to every SYN packet that it receive from this connection.

Any help?

Re: Mobile Access with NAT in the firewall

Norbert_Bohusch — Wed, 12 Feb 2020 18:46:36 GMT

How are clients behind the gateway reaching the internet? Is the router doing a hide-NAT? If yes, best would be to also let it do the inbound NAT!

Re: Mobile Access with NAT in the firewall

Enrique — Wed, 04 Mar 2020 18:51:27 GMT

Hello,
The ISP router is just "routing" the traffic to the firewall. It's the firewalls who are NATing all the traffic.

I found a workaround by configuring the public IP address as loopback in the gateways. This allows the firewall to answer properly to the MAP or other VPNssl connection (VPN capsule or Mobile Client).