NAT Issues
Dear Checkmates, I did static NAT and the required policy to reach a web server in my network, but I still can't reach the web server.
I ran a zdebug command and the following popped up:
"dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT"
Please, how can I fix this?
Accepted Solutions
I think it is not an NAT issue. It is a PSL issue in combination with NAT. Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.
Solution:
The following workaround is available:
Create a new host object that uses the Static NAT address as the main address and use it in the rulebase.
Do not configure any interface topologies which overlap if any of the overlapping interfaces have "Interface leads to DMZ" checked.
Alternately, this issue should only be possible when using Application Control Whitelist.
See sk112249 - Best Practices - Application Control, section regarding Blacklist VS Whitelist
For more information, see SK:
Application Control/URL Filtering drops traffic from internal web server
The following SK is also possible:
Regards,
Heiko
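The overlap condition named in the workaround above can be checked offline before touching the gateway. The following is an added example, not part of the original post and not Check Point code: it flags every pair of interface topology networks that overlap where at least one of the two interfaces is marked as leading to a DMZ. The interface names, networks and the dictionary layout are constructed for illustration and do not correspond to any Check Point export format.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology: names, networks and flags are hypothetical.
SAMPLE_TOPOLOGY = [
    {"name": "eth1", "networks": ["10.1.0.0/16"], "leads_to_dmz": False},
    {"name": "eth2", "networks": ["10.1.20.0/24"], "leads_to_dmz": True},
    {"name": "eth3", "networks": ["192.168.50.0/24"], "leads_to_dmz": True},
    {"name": "eth4", "networks": ["172.16.0.0/24", "172.16.1.0/24"], "leads_to_dmz": False},
    {"name": "eth5", "networks": ["172.16.1.128/25"], "leads_to_dmz": False},
]


def find_risky_overlaps(topology):
    """Return (iface_a, iface_b, net_a, net_b) for each pair of overlapping
    topology networks where at least one interface has the DMZ flag set."""
    findings = []
    for a, b in combinations(topology, 2):
        # The workaround only concerns overlaps that involve a DMZ interface.
        if not (a["leads_to_dmz"] or b["leads_to_dmz"]):
            continue
        for raw_a in a["networks"]:
            for raw_b in b["networks"]:
                net_a = ipaddress.ip_network(raw_a, strict=False)
                net_b = ipaddress.ip_network(raw_b, strict=False)
                # Never compare an IPv4 network with an IPv6 one.
                if net_a.version != net_b.version:
                    continue
                if net_a.overlaps(net_b):
                    findings.append((a["name"], b["name"], str(net_a), str(net_b)))
    return findings


if __name__ == "__main__":
    for iface_a, iface_b, net_a, net_b in find_risky_overlaps(SAMPLE_TOPOLOGY):
        print(f"{iface_a} ({net_a}) overlaps {iface_b} ({net_b}); a DMZ interface is involved")
```

In the constructed data, eth4 and eth5 also overlap but are not reported, because neither is flagged as a DMZ interface.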
Hi Heiko,
Will implement this and give you feedback.
Thanks and Best Regards.
Hello Heiko,
The issue has been resolved.
Thank you so much.