NAT Issues

Dear Checkmates, I did static NAT and the required policy to reach a web server in my network, but I still can't reach the web server.

I ran a zdebug command and the following popped up:

"dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT"

Please, how can I fix this?

Accepted Solutions

Re: NAT Issues

I think it is not an NAT issue. It is a PSL issue in combination with NAT. Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.

Solution:

The following workaround is available:
Create a new host object that uses the Static NAT address as the main address and use it in the rulebase.

Do not configure any interface topologies which overlap if any of the overlapping interfaces have "Interface leads to DMZ" checked.

Alternately, this issue should only be possible when using Application Control Whitelist.

See sk112249 - Best Practices - Application Control, section regarding Blacklist VS Whitelist

For more information, see SK:

Application Control/URL Filtering drops traffic from internal web server 

The following SK is also possible:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings" error in Internet Explorer browser for ... 

Regards,

Heiko

3 Replies

Re: NAT Issues

Hi Heiko,

Will implement this and give you feedback.

Thanks and Best Regards.

Re: NAT Issues

Hello Heiko,

The issue has been resolved. 

Thank you so much.
