
Static NAT behind transparent firewall problem

Hi community, the new UI is looking good.

First, to clear the field, a quick and dirty network diagram:

Internet ---- < FortiGate F50 WAN interface >

                                             | |

                        < FortiGate F50 LAN interface > ---- < L2 switch > ---- < R80.20 open server external interface >

                                                                                                                \---- < other routers and devices >

The F50 is in transparent mode, is only logging traffic flows and it has only two rules accepting all kinds of traffic:

- src: any, dst: any, service: any incoming from the LAN to the WAN
- src: any, dst: any, service: any incoming from the WAN to the LAN

On the DMZ zone of my R80.20 I have a webserver with a static NAT configured. The issue: in this scenario, I don't have access to this webserver from outside. I see logs of the incoming traffic on the R80.20, but no traffic is seen on the webserver (I checked with a tcpdump). If I remove the FortiGate, the problem is gone and everything works fine.

Other services connected to the L2 switch work just fine, including an S2S IPSec VPN using a Cisco ASA. The only issue is with the R80.20 when I put the F50 in the middle of it.

Maybe an ARP issue? I don't know where to start to look.

Thanks all


Re: Static NAT behind transparent firewall problem

When the F50 is inline and you are running your tcpdump, include the -e option and check the destination MAC address on the incoming frames. My guess is that it does not match the firewall's MAC address so while the traffic is being shown by the tcpdump in promiscuous mode, the frame is not actually being sent up to the INSPECT driver for handling because the firewall's Ethernet driver does not believe that packet is actually destined for the firewall. You can confirm this with fw monitor, which in this case would not show the inbound packet hitting the i inspection point at all.

If the packet is showing up in fw monitor, next step will be to run fw ctl zdebug drop to determine why the INSPECT driver is dropping it.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
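The check described in the reply above, as an added example (not part of the thread and not Check Point's own tooling): feed the output of tcpdump -e -n through a small awk filter that sorts inbound frames by destination MAC into "addressed to the firewall's interface", "broadcast", and "addressed elsewhere", and lists the foreign destination MACs. Frames in the last bucket are visible only because the capture runs in promiscuous mode; the NIC driver would not pass them up to INSPECT, which is exactly what fw monitor then fails to show at the i inspection point. The interface MAC, the sample capture lines, and all addresses in them are constructed for the example.

```shell
#!/bin/sh
# Added example: classify frames from "tcpdump -e -n" by destination MAC.
# A frame whose destination is neither the firewall interface's MAC nor
# broadcast is seen by a promiscuous capture but is not delivered to the
# firewall's inspection path.

# classify_frames <fw_interface_mac>   (reads tcpdump -e -n lines on stdin)
# Prints: "<to_fw> <broadcast> <elsewhere> <distinct foreign dst MACs...>"
classify_frames() {
    fw_mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v fw="$fw_mac" '
        # tcpdump -e -n Ethernet line layout:
        #   <time> <src_mac> > <dst_mac>, ethertype ... (0x....), length N: ...
        $3 == ">" {
            dst = tolower($4); sub(/,$/, "", dst)
            if (dst == fw) {
                to_fw++
            } else if (dst == "ff:ff:ff:ff:ff:ff") {
                bcast++
            } else {
                elsewhere++
                if (!(dst in seen)) { seen[dst] = 1; foreign = foreign " " dst }
            }
        }
        END { printf "%d %d %d%s\n", to_fw + 0, bcast + 0, elsewhere + 0, foreign }
    '
}

# Constructed sample capture (MACs and IPs are made up): three SYNs toward the
# NATed web server, two of them addressed to a MAC that is not the gateway's
# external interface, plus one broadcast ARP request.
run_sample() {
    classify_frames "00:1c:7f:aa:bb:cc" <<'EOF'
10:00:01.000001 00:09:0f:11:22:33 > 00:1c:7f:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 203.0.113.10.51234 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
10:00:02.000002 00:09:0f:11:22:33 > 00:09:0f:11:22:44, ethertype IPv4 (0x0800), length 74: 203.0.113.11.51235 > 198.51.100.20.80: Flags [S], seq 2, win 64240, length 0
10:00:03.000003 00:09:0f:11:22:33 > 00:09:0f:11:22:44, ethertype IPv4 (0x0800), length 74: 203.0.113.12.51236 > 198.51.100.20.80: Flags [S], seq 3, win 64240, length 0
10:00:04.000004 00:09:0f:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 198.51.100.20 tell 198.51.100.1, length 46
EOF
}

# Stand-alone run over the constructed sample.
echo "to_fw broadcast elsewhere foreign_dst_macs: $(run_sample)"
```

On a live gateway the same function takes the real capture on stdin (for example, tcpdump -e -n on the external interface, piped in) and the interface's own MAC as reported by ip link show for that interface. A non-empty foreign MAC list for traffic that should be terminating on the gateway is the condition the reply describes: the frames are being addressed to some other station, so fw monitor will not show them at i, and the next place to look is the ARP state of the devices upstream rather than the rulebase.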

Re: Static NAT behind transparent firewall problem

Well, I ran the fw monitor on the gateway and tcpdump on the webserver but when I was going to try accessing the server from outside... It worked!

I'm like this 0.o

Re: Static NAT behind transparent firewall problem

Does it only work when the tcpdump is running and stops working when the tcpdump is no longer running?


Re: Static NAT behind transparent firewall problem

Oh no, no, it is working and I didn't change a thing. To summarize:

- Yesterday: I put the F50 in between and the webserver stopped working, so I removed the F50 as that webserver is business critical.
- Today: I put the F50 in between again to do the tcpdump and fw monitor, and the webserver keeps working OK.