
Hide NAT issues with virtual addresses


Hi,

In a scenario where I have a let's say /29 routable network and I use one of the addresses for my Internet interface. Behind this address I hide most of my Internal networks, which works just fine. Then I want to hide my guest network behind one of the remaining addresses. Or maybe a SIP server because my ISP wants my SIP traffic on its own IP address. I want to use hide method so that I can hide more objects behind that address in the future.

So, I either make a manual entry like:

| Src addr | Dst addr | Service | Xlate Src | Xlate Dst | Xlate Service |
|---|---|---|---|---|---|
| RFC1918-server | some-server-on-the-Internet | 5060 | (H)One-of-my-ext-addr | Original | Original |
| RFC1918-Guest_net | any | any | (H)One-of-my-ext-addr | Original | Original |

Or I can select hide behind one of my external addresses on the network/host object.


I make sure these NAT rules come before any automatic or other rules that would affect the result and my gateway is not hiding these addresses. I have also made sure the ARP boxes are ticked under global properties NAT section. My Internet interface IP address is defined with the /29 mask. If I type 'route' in the CLI the network is in the table.

If I hide these hosts behind the gateway address it all works. 
Where do I look?

I am asking because I recently found this problem at two of my clients and I haven't figured it out yet. The affected environments are R80.20M1 Mgmt + R80.10 GW and full R80.20.

/ Ilmo

Vladimir
Pearl

Re: Hide NAT issues with virtual addresses


Ilmo, could you state what is the problem that you are seeing?

Perhaps I am missing something, but I couldn't figure out what it is from your post.

Re: Hide NAT issues with virtual addresses

The example NAT doesn’t work. I was wondering if there are any obvious issues or pitfalls with this configuration.

I haven’t had time to investigate more than briefly on the first site and today I encountered it again at another client site. 

The outside NAT address does not show when I run fw ctl arp and tcpdump on the outside interface shows no matching traffic. On the inside I see the traffic. That’s pretty much all I had time to check so far.  

Vladimir
Pearl

Re: Hide NAT issues with virtual addresses


I believe this is described here:

Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10 

Automatic Proxy ARP works fine with Statically NATed objects out of the box though, if you are using NAT definition in the properties of the objects themselves, not the Manual NAT rules.

Re: Hide NAT issues with virtual addresses

Yes, that looks spot on!

I suggested testing the object hide NAT to see if it would change anything but they said that it wouldn't fly because the NAT rule would be shadowed by the higher up manual entries in the NAT policy. But looks like it would work! I will test it on next occasion and report back. Many thanks!

Vladimir
Pearl

Re: Hide NAT issues with virtual addresses


You are welcome.

Please do let us know if this is the right solution.

Re: Hide NAT issues with virtual addresses

I asked my client to test the solution and also gave them the possibility to create a manual proxy-arp in the web GUI, if short on time. They added the proxy-arp in the web GUI and it worked. I will try the solution provided in sk114395 at the other client site. But I'm certain the result will be the same.

Again, many thanks!
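
The check discussed in this thread (does the gateway answer ARP for each hide NAT address?) can be automated; the following is an added example, not code from any poster or from Check Point. It assumes `fw ctl arp` prints lines of the form `(ip) at mac interface ip`; the sample output, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample; the "(ip) at mac interface ip" line layout is an assumption
# about `fw ctl arp` output, so adjust ARP_LINE if your gateway prints it differently.
FW_CTL_ARP_SAMPLE = """
 (198.51.100.3) at 00-1c-7f-00-00-01 interface 198.51.100.2
"""
ARP_LINE = re.compile(r"\(([\d.]+)\)\s+at\s+[0-9A-Fa-f:-]+\s+interface\s+([\d.]+)")

def parse_proxy_arp(text):
    """Map each proxied address to the interface address that answers for it."""
    return {ipaddress.ip_address(m.group(1)): ipaddress.ip_address(m.group(2))
            for m in ARP_LINE.finditer(text)}

def audit_hide_addresses(external_if, hide_addresses, arp_text):
    """Return {object name: problem} for hide addresses the gateway will not answer ARP for."""
    iface = ipaddress.ip_interface(external_if)
    net = iface.network
    proxied = parse_proxy_arp(arp_text)
    problems = {}
    for name, addr in hide_addresses.items():
        ip = ipaddress.ip_address(addr)
        if ip == iface.ip:
            continue  # the interface's own address is answered by ordinary ARP
        if ip not in net:
            problems[name] = "outside the external subnet: needs an upstream route, not proxy ARP"
        elif ip in (net.network_address, net.broadcast_address):
            problems[name] = "network or broadcast address of the external subnet"
        elif proxied.get(ip) != iface.ip:
            problems[name] = "no proxy ARP entry on the external interface"
    return problems

# Constructed inventory: object names follow the thread, addresses are documentation ranges.
HIDE_ADDRESSES = {
    "internal-nets": "198.51.100.2",   # hidden behind the gateway address
    "RFC1918-Guest_net": "198.51.100.3",
    "RFC1918-server": "198.51.100.4",  # manual hide NAT rule, no proxy ARP present
}

if __name__ == "__main__":
    for name, problem in audit_hide_addresses("198.51.100.2/29", HIDE_ADDRESSES,
                                              FW_CTL_ARP_SAMPLE).items():
        print(f"{name}: {problem}")
```

An address flagged as missing a proxy ARP entry matches the symptom described above: traffic is visible on the inside interface but nothing appears on the outside.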