
Natting to an IP range not directly connected


I am trying to do NATting by creating an object with an IP address that is in a subnet not connected to firewall-1 and NATting it to an IP address that is also not connected. In fw monitor it is only showing pre-in. How can I do so?

Thanks in advance.


Accepted Solutions
Admin

Re: Natting to an IP range not directly connected


Not only is neither subnet attached to the FW-1, they are off the same interface.

It's not impossible.

In fact, more than 15 years ago, I had devised a solution to a similar problem.

Before you can even discuss the NAT rules on the firewall, there are several other things you will need to do in the environment to ensure 172.20.20.222 even reaches the firewall.

Specifically:

  • FW-2 will need a static route for 172.20.20.222 to point to Router-2 as a next hop.
  • Router2 will need a static route for 172.20.20.222 to point to Router1 as a next hop.
  • Router2 will also need to proxy-ARP for 172.20.20.222 if anything on 172.20.20.0/24 needs to talk to that IP.
  • Router1 will need a static route for 172.20.20.222 to point to FW-1 as a next hop.

Once you've done that, there will need to be a firewall rule permitting connections from the relevant hosts to 172.20.20.222.


In order to ensure that the firewall stays in the middle of the connection between the two hosts, you will need to create a manual dual NAT rule.

The NAT rule will look at both the source and destination of the packet and translate both the source and the destination of the packet.

Because the rules are processed in order, the dual NAT rule must come before other rules that might relate to the destination IP. 

Note that since you did not say what IP your firewall is on the 10.2.0.0/24 network, I am going to assume it's 10.2.0.1 in this example.

You also need to specify what IP addresses the connection will come from, as it cannot come from ANY.

Let's assume it's coming from 10.20.1.0/24.

                  Original                          Translated
Source          Destination      Service     Source           Destination         Service
10.20.1.0/24    172.20.20.222    Any         10.2.0.1 (H)     192.168.1.222 (S)   Orig

This rule will ensure all traffic coming from 10.20.1.0/24 that is destined for 172.20.20.222 will get hidden behind 10.2.0.1 (the internal IP address of the firewall) and have a destination of 192.168.1.222.

The side effect of this is that for each connection to your "internal" SMTP server using the external IP address, you will see the network connection traverse your internal network twice:

  1. Once between the "server" and the firewall
  2. Once between the firewall and the "client"

Plus you've created a whole bunch of extra routes in your network that you have to maintain.
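As an added illustration of the two parts of this answer (it is not code from the thread or from the vendor), the following Python model first checks that each hop named above has a route for 172.20.20.222 toward FW-1, then applies an ordered NAT rulebase with first-match semantics to show why the dual NAT rule has to sit above any rule that matches only the destination. The hop names and addresses are the thread's; the topology table and the second, destination-only NAT rule are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed per-hop static routes, as listed in the answer:
# hop name -> {destination prefix: next-hop name}
ROUTES = {
    "FW-2": {"172.20.20.222/32": "Router2"},
    "Router2": {"172.20.20.222/32": "Router1"},
    "Router1": {"172.20.20.222/32": "FW-1"},
}

def _matches(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def trace_next_hops(start: str, dst: str, routes=ROUTES, final: str = "FW-1"):
    """Follow static routes hop by hop until the firewall is reached.
    Raises LookupError at the first hop that lacks a route for dst."""
    hops, cur = [start], start
    while cur != final:
        nexts = [nh for pfx, nh in routes.get(cur, {}).items() if _matches(dst, pfx)]
        if not nexts:
            raise LookupError(f"{cur} has no route for {dst}")
        cur = nexts[0]
        hops.append(cur)
    return hops

@dataclass(frozen=True)
class NatRule:
    src: str                  # original source prefix
    dst: str                  # original destination prefix
    xlate_src: Optional[str]  # None keeps the original source
    xlate_dst: Optional[str]  # None keeps the original destination
    method: str               # "H" = hide, "S" = static, "H+S" = dual

def apply_nat(rulebase, src: str, dst: str):
    """First matching rule wins, as in an ordered NAT rulebase."""
    for r in rulebase:
        if _matches(src, r.src) and _matches(dst, r.dst):
            return (r.xlate_src or src, r.xlate_dst or dst, r.method)
    return (src, dst, "none")

# The manual dual NAT rule from the answer (hide source, static destination).
DUAL = NatRule("10.20.1.0/24", "172.20.20.222/32", "10.2.0.1", "192.168.1.222", "H+S")
# Constructed destination-only static NAT rule for the same public IP.
DEST_ONLY = NatRule("0.0.0.0/0", "172.20.20.222/32", None, "192.168.1.222", "S")

if __name__ == "__main__":
    print(trace_next_hops("FW-2", "172.20.20.222"))
    print(apply_nat([DUAL, DEST_ONLY], "10.20.1.5", "172.20.20.222"))  # hidden behind 10.2.0.1
    print(apply_nat([DEST_ONLY, DUAL], "10.20.1.5", "172.20.20.222"))  # source left unchanged
```

With the destination-only rule placed first, the client source is no longer hidden behind the firewall, so the server's reply can bypass it; that is the ordering problem the answer warns about.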

5 Replies
Admin

Re: Natting to an IP range not directly connected


A route elsewhere in the environment to direct the traffic for the source IP is required.

If you're seeing the traffic at all in fw monitor, that most likely means the traffic is being routed to the firewall correctly.

If it's not going past pre-in, that suggests the firewall rulebase is not configured to allow the traffic.

That is also a requirement.

What rule(s) in your rulebase allow traffic to this IP?

Are you configuring the NAT IPs in the object or are you using the NAT rulebase? 

What do your logs say when someone tries to connect to the IP address?

Re: Natting to an IP range not directly connected


Thanks, Daemon, for the reply. The scenario is as above. Now I am trying to do NATting on FW-1.

I created a host object 172.20.20.222 and am NATting it to 192.168.1.222. Is this possible, as both of these IPs' subnets are not attached directly to FW-1? If yes, how can I do so?

Thanks.


Re: Natting to an IP range not directly connected


Thank you very much, sir. It worked.


Re: Natting to an IP range not directly connected


Hi all,
I wanted to comment that I have a similar scenario, and on version R77.30 it operates appropriately; but when placing equipment on version R80.20 this scenario stops working. Do you know whether there is some limitation in that version?

Regards.
