Eric_Boughton
Participant

Policy Layers with NATed Objects

Hi, 

I'm looking to simplify our policy and have started to use more inline layers. I was wondering how items with a NAT to them would work when defining the rule. Do I need to define both the NATed network and the DMZ Network as the destination? Or can I just use the DMZ network? I'm thinking I would need to define both. If it helps - the DMZ Items have the NATed address in the object. 

Currently:

Rule 1 - Source: Any; Destination: one or two DMZ addresses with NAT; Service: 80.

Rule 2 - Source: Any; Destination: one DMZ address with NAT; Service: TCP port.

Goal:

Top - Source: Any; Destination: DMZ (and NATed network?); Service: Any

Next - Source: External; Destination: specific DMZ server; Service: 80

etc.

Thanks!

Accepted Solution

PhoneBoy
Admin

Access Rules should be defined in terms of the IP addresses that will apply before NAT is applied.

Which means, you'll probably need to use both.

3 Replies
Timothy_Hall
Champion

Policy is matched prior to NAT, so you should use the pre-NAT object in the policy.  For outbound connections using Hide NAT, the source will be the original inside network.  For inbound connections using static NAT the destination should be the Internet-routable address prior to the NAT operation.  You can put the object representing the post-NAT address(es) in the rule as well if you want but it is not necessary.

Also the NAT "layer" must be kept separate in the Access Control policy and cannot be combined into a single policy layer like the features Firewall, APCL/URLF, & Content Awareness can be if using an R80.10 gateway.  I don't think the NAT policy is a "real" policy layer anyway since you can't use Security Zone objects in it.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Eric_Boughton
Participant

To close the loop: we did need to have the external IP range (the NATed addresses) and the DMZ range (the internal IPs) as the destination in the top inline layer rule. The end result:

Source: Any > Destination: DMZ, External IPs; Action: Inline Layer
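The order of operations Timothy_Hall describes (the rule base is matched on the packet's pre-NAT addresses and NAT is applied afterwards) and the inline-layer result Eric_Boughton reports can be seen in the following toy model. This is an added example written for this page, not code from Check Point or from anyone in the thread; the object names, address ranges, NAT mappings and rules are constructed placeholders, and the model only looks at source, destination and service.

```python
"""Toy model of first-match access control with inline layers, where NAT is
applied only after the access decision. Added example; all objects, addresses
and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed network objects (RFC 5737 / RFC 1918 ranges, not real hosts)
OBJECTS = {
    "External_IPs": "203.0.113.0/24",       # Internet-routable addresses
    "DMZ_Net": "10.1.1.0/24",               # internal DMZ addresses
    "Inside_Net": "10.2.0.0/16",            # LAN behind Hide NAT
    "Web_Server_Public": "203.0.113.10/32", # public address of one DMZ host
}

# Constructed static NAT (public -> DMZ host) and Hide NAT address
STATIC_NAT = {"203.0.113.10": "10.1.1.10"}
HIDE_NAT_ADDR = "203.0.113.1"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src: List[str]            # object names, or ["Any"]
    dst: List[str]
    service: Optional[int]    # TCP port, or None for Any
    action: str               # "Accept", "Drop" or "Inline"
    layer: List["Rule"] = field(default_factory=list)  # children of an inline layer


def in_objects(addr: str, names: List[str]) -> bool:
    """True if addr falls inside any named object (or the list is Any)."""
    if "Any" in names:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(OBJECTS[n]) for n in names)


def match(pkt: Packet, rules: List[Rule], path: str = "") -> str:
    """First-match evaluation on the packet as received (pre-NAT addresses).
    An inline layer is entered only if its parent rule matches; a packet that
    matches nothing inside the layer hits the layer's own implicit drop."""
    for r in rules:
        if (in_objects(pkt.src, r.src) and in_objects(pkt.dst, r.dst)
                and (r.service is None or r.service == pkt.dport)):
            if r.action == "Inline":
                return match(pkt, r.layer, path + r.name + " > ")
            return path + r.name + " (" + r.action + ")"
    return path + "Implicit Drop"


def apply_nat(pkt: Packet, inbound: bool) -> Packet:
    """NAT runs after the access decision and never feeds back into matching."""
    if inbound:
        return Packet(pkt.src, STATIC_NAT.get(pkt.dst, pkt.dst), pkt.dport)
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(OBJECTS["Inside_Net"]):
        return Packet(HIDE_NAT_ADDR, pkt.dst, pkt.dport)
    return pkt


def process(pkt: Packet, rules: List[Rule], inbound: bool):
    """Returns (matched rule path, translated packet) or (path, None) if dropped."""
    decision = match(pkt, rules)
    if "(Accept)" not in decision:
        return decision, None
    return decision, apply_nat(pkt, inbound)


def web_layer() -> List[Rule]:
    # Child rule: inbound HTTP to the public (pre-NAT) server address
    return [Rule("Allow_HTTP", ["Any"], ["Web_Server_Public"], 80, "Accept")]


# Rule base as first considered: inline layer keyed on the internal DMZ net only
RULES_DMZ_ONLY = [
    Rule("DMZ_Layer", ["Any"], ["DMZ_Net"], None, "Inline", web_layer()),
    Rule("Outbound", ["Inside_Net"], ["Any"], None, "Accept"),
]
# Rule base matching the thread's conclusion: both internal and external objects
RULES_BOTH = [
    Rule("DMZ_Layer", ["Any"], ["DMZ_Net", "External_IPs"], None, "Inline", web_layer()),
    Rule("Outbound", ["Inside_Net"], ["Any"], None, "Accept"),
]

INBOUND_HTTP = Packet("198.51.100.7", "203.0.113.10", 80)  # constructed client
OUTBOUND = Packet("10.2.5.5", "198.51.100.80", 443)        # constructed LAN host

if __name__ == "__main__":
    for label, rules in (("DMZ only", RULES_DMZ_ONLY), ("DMZ + External", RULES_BOTH)):
        print(label, "inbound :", process(INBOUND_HTTP, rules, inbound=True))
        print(label, "outbound:", process(OUTBOUND, rules, inbound=False))
```

With only the internal DMZ object on the parent rule, the inbound packet (destination 203.0.113.10, the pre-NAT public address) never enters the layer and falls through to the implicit drop; with both objects it enters the layer, matches the HTTP child rule, and only then is its destination translated to 10.1.1.10. The outbound packet matches on its original inside source and is hide-NATed afterwards, which is the Hide NAT case in Timothy_Hall's reply.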
