Ilmo_Anttonen
Collaborator

Hide NAT issues with virtual addresses

Hi,

In a scenario where I have, let's say, a /29 routable network and I use one of the addresses for my Internet interface. Behind this address I hide most of my internal networks, which works just fine. Then I want to hide my guest network behind one of the remaining addresses. Or maybe a SIP server, because my ISP wants my SIP traffic on its own IP address. I want to use the hide method so that I can hide more objects behind that address in the future.

So, I either make a manual entry like:

Src addr          | Dst addr                    | Service | Xlate Src              | Xlate Dst | Xlate Service
RFC1918-server    | some-server-on-the-Internet | 5060    | (H) One-of-my-ext-addr | Original  | Original
RFC1918-Guest_net | any                         | any     | (H) One-of-my-ext-addr | Original  | Original

Or I can select hide behind one of my external addresses on the network/host object.


I make sure these NAT rules come before any automatic or other rules that would affect the result, and my gateway is not hiding these addresses. I have also made sure the ARP boxes are ticked under the NAT section of Global Properties. My Internet interface IP address is defined with the /29 mask. If I type 'route' in the CLI, the network is in the table.

If I hide these hosts behind the gateway address it all works. 
Where do I look?

I am asking because I recently found this problem at two of my clients and I haven't figured it out yet. The affected environments are R80.20M1 Mgmt + R80.10 GW and full R80.20.

/ Ilmo

Vladimir
Champion

Ilmo, could you state what is the problem that you are seeing?

Perhaps I am missing something, but I couldn't figure out what it is from your post.

Ilmo_Anttonen
Collaborator

The example NAT doesn't work. I was wondering if there are any obvious issues or pitfalls with this configuration.

I haven’t had time to investigate more than briefly on the first site and today I encountered it again at another client site. 

The outside NAT address does not show when I run fw ctl arp, and tcpdump on the outside interface shows no matching traffic. On the inside I see the traffic. That's pretty much all I had time to check so far.

Vladimir
Champion

I believe this is described here:

Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10 

Automatic Proxy ARP works fine with Statically NATed objects out of the box though, if you are using NAT definition in the properties of the objects themselves, not the Manual NAT rules.

Ilmo_Anttonen
Collaborator

Yes, that looks spot on!

I suggested testing the object hide NAT to see if it would change anything, but they said that it wouldn't fly because the NAT rule would be shadowed by the higher-up manual entries in the NAT policy. But it looks like it would work! I will test it on the next occasion and report back. Many thanks!

Vladimir
Champion

You are welcome.

Please do let us know if this is the right solution.

Ilmo_Anttonen
Collaborator

I asked my client to test the solution and also gave them the option of creating a manual proxy ARP in the web GUI if short on time. They added the proxy ARP in the web GUI and it worked. I will try the solution provided in sk114395 at the other client site, but I'm certain the result will be the same.

Again, many thanks!
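The thread's point is that the gateway answers ARP natively only for its own interface address, so hiding behind a spare address from the /29 works only once something proxy-ARPs that address (automatic proxy ARP from object NAT, the sk114395 setting for manual rules, or a manual proxy ARP entry as the client ended up adding). The script below is an added example, not code from the thread or from Check Point: it checks whether a given hide address is present in the proxy ARP table and, if not, prints the clish command that would add it by hand. Two things are assumptions on my part rather than facts from the thread: the `fw ctl arp` line format `(ip) at mac interface ifname` (the sample output is constructed to that shape), and the Gaia clish syntax `add arp proxy ipv4-address <nat-ip> interface <if> real-ipv4-address <if-ip>`, which is quoted from memory and should be confirmed against the Gaia Administration Guide for your release.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a hide-NAT address
# that is not one of the gateway's own interface addresses is present in the
# gateway's proxy ARP table and, if not, prints the Gaia clish command that
# would add it by hand (what the original poster's client did via the web GUI).
#
# Assumptions (mine, not the thread's):
#  - `fw ctl arp` prints one proxied address per line in the form
#        (198.51.100.3) at 00:1c:7f:aa:bb:cc interface eth0
#    The sample below is constructed to that shape; adjust the awk field test
#    if your release prints it differently.
#  - The clish syntax `add arp proxy ipv4-address <nat-ip> interface <if>
#    real-ipv4-address <if-ip>` is quoted from memory; confirm it against the
#    Gaia Administration Guide for your release before relying on it.

# Constructed `fw ctl arp` output for a gateway whose Internet interface is
# 198.51.100.2/29. The gateway answers for its own interface addresses, so
# hide NAT behind .2 works; nothing answers for .3, the spare /29 address
# the SIP server and guest network are meant to hide behind.
SAMPLE_FW_CTL_ARP='(198.51.100.2) at 00:1c:7f:aa:bb:cc interface eth0
(10.10.10.1) at 00:1c:7f:aa:bb:cd interface eth1'

# proxy_arp_present IP [ARP_OUTPUT]
# Exit 0 if IP is listed in ARP_OUTPUT (live `fw ctl arp` when the second
# argument is omitted, i.e. when run on a gateway), exit 1 otherwise.
# The match is on the whole first field, so 198.51.100.2 does not match
# a line for 198.51.100.20.
proxy_arp_present() {
    ip=$1
    out=${2:-$(fw ctl arp 2>/dev/null)}
    printf '%s\n' "$out" | awk -v want="($ip)" '
        $1 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# nat_proxy_arp_fix NAT_IP IFACE IFACE_IP [ARP_OUTPUT]
# Prints "ok ..." and exits 0 when NAT_IP is already proxied; otherwise prints
# the clish line that would add the entry and exits 1, so the function works
# both interactively and from a script that walks every hide address.
nat_proxy_arp_fix() {
    nat_ip=$1 iface=$2 iface_ip=$3 out=$4
    if proxy_arp_present "$nat_ip" "$out"; then
        echo "ok: $nat_ip is answered for on $iface"
        return 0
    fi
    echo "missing: $nat_ip is not in the proxy ARP table, add it with:"
    echo "add arp proxy ipv4-address $nat_ip interface $iface real-ipv4-address $iface_ip"
    return 1
}

# Demonstration against the constructed sample. On a real gateway omit the
# last argument and the live table is inspected instead.
nat_proxy_arp_fix 198.51.100.2 eth0 198.51.100.2 "$SAMPLE_FW_CTL_ARP"
nat_proxy_arp_fix 198.51.100.3 eth0 198.51.100.2 "$SAMPLE_FW_CTL_ARP" || :
```

Run it on the gateway after policy install: if object-based hide NAT or the sk114395 behaviour for manual rules is in effect, the spare address should already be listed and the check reports "ok"; if it reports "missing", that matches the symptom in the thread (no entry in `fw ctl arp`, no matching traffic on the outside interface) and the printed clish line is the manual workaround.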
