
Policy Layers with NATed Objects

Hi, 

I'm looking to simplify our policy and have started to use more inline layers. I was wondering how items with a NAT to them would work when defining the rule. Do I need to define both the NATed network and the DMZ Network as the destination? Or can I just use the DMZ network? I'm thinking I would need to define both. If it helps - the DMZ Items have the NATed address in the object. 

Currently:

1st rule - Source: Any; Destination: one or two DMZ addresses with NAT; Service: 80.

2nd rule - Source: Any; Destination: one DMZ address with NAT; Service: TCP port.

Goal:

Top - Source: Any; Destination: DMZ (and NATed Network?); Service: Any

Next - Source: External; Destination: Specific DMZ Server; Service: 80

etc.

Thanks!

Accepted Solutions

Re: Policy Layers with NATed Objects

Access Rules should be defined in terms of the IP addresses that will apply before NAT is applied.

Which means, you'll probably need to use both.


Re: Policy Layers with NATed Objects

Policy is matched prior to NAT, so you should use the pre-NAT object in the policy.  For outbound connections using Hide NAT, the source will be the original inside network.  For inbound connections using static NAT the destination should be the Internet-routable address prior to the NAT operation.  You can put the object representing the post-NAT address(es) in the rule as well if you want but it is not necessary.

Also the NAT "layer" must be kept separate in the Access Control policy and cannot be combined into a single policy layer like the features Firewall, APCL/URLF, & Content Awareness can be if using an R80.10 gateway.  I don't think the NAT policy is a "real" policy layer anyway since you can't use Security Zone objects in it.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
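A small model of the pre-NAT matching described in the reply above, added here as an example; it is not code from the thread or from Check Point, and the object names, addresses and rule names are constructed placeholders. It shows why an inline-layer rule whose destination is only the DMZ object never sees an inbound connection to a static NAT address, while adding the external range makes it match, and why the same DMZ-only rule still works for internal clients that reach the DMZ address without NAT.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    """One Access Control rule; each column is ["any"] or a list of CIDR strings."""
    name: str
    src: list
    dst: list

def _matches(nets, addr):
    return "any" in nets or any(ip_address(addr) in ip_network(n) for n in nets)

def first_match(rules, src, dst):
    """Top-down, first-match lookup; the implicit cleanup rule drops."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.name
    return "cleanup-drop"

# Constructed objects (placeholders, not the poster's real addresses).
DMZ_NET = "10.10.10.0/24"          # DMZ hosts' real (post-NAT) addresses
EXTERNAL_IPS = "203.0.113.0/24"    # Internet-routable static NAT addresses
STATIC_NAT = {"203.0.113.80": "10.10.10.80"}

def evaluate(rules, src, dst):
    """Order of operations modelled here: match the policy on the pre-NAT
    packet, then translate the destination only if the packet was accepted."""
    decision = first_match(rules, src, dst)
    if decision == "cleanup-drop":
        return decision, None
    return decision, STATIC_NAT.get(dst, dst)

# Top rule written with only the DMZ object, as the question first proposed.
DMZ_ONLY = [Rule("top-inline", ["any"], [DMZ_NET])]
# Top rule as finally deployed: both DMZ and External IPs as destination.
DMZ_AND_EXTERNAL = [Rule("top-inline", ["any"], [DMZ_NET, EXTERNAL_IPS])]

if __name__ == "__main__":
    # Internet client hitting the public address: only the second layout matches.
    print(evaluate(DMZ_ONLY, "198.51.100.7", "203.0.113.80"))          # ('cleanup-drop', None)
    print(evaluate(DMZ_AND_EXTERNAL, "198.51.100.7", "203.0.113.80"))  # ('top-inline', '10.10.10.80')
    # Internal client reaching the DMZ address directly (no NAT): both match.
    print(evaluate(DMZ_ONLY, "192.168.1.5", "10.10.10.80"))            # ('top-inline', '10.10.10.80')
```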

Re: Policy Layers with NATed Objects

To close the loop: we did need to have the External IP range (the NATed addresses) and the DMZ range (the internal IPs) as the destination in the top inline layer rule. The end result:

Source: Any; Destination: DMZ, External IPs; Action: Inline Layer