Manual NAT rule with service translation, not tran...

Sam_Ponder

Hi All,

I'm having some troubles with using manual NAT rules to translate a service. I do have manual arp entries added and the merge arp enabled.

From testing and from some packet captures, I can see that when traffic is destined for ms-mail2 it is natting to the correct IP, however the service isn't being translated from smtp(port 25) to smtp-alt(port 465).

This is my first venture down the manual NAT rules and I feel like I am missing something small.

Basically, wanting to do this. When port 25 traffic comes in on 66.66.66.1 it NATs to 10.10.10.11 and stays port 25, When port 25 traffic comes in on 66.66.66.2 it NATs to 10.10.10.11 and translates to port 465.

Can someone please provide some guidance?

Thanks in advance!

Sam

Edit: to add more description

Lesley

Does the traffic hit the correct NAT rule? How does the traffic log look like?

Maybe fwmonitor capture will give a hint

# fw monitor -e "host(x.x.x.x),accept;" -o outputfile.cap

in order to filter for inbound and outbound traffic related to host x.x.x.x.

-------
If you like this post please give a thumbs up(kudo)! 🙂

Sam_Ponder

Hi Lesley,

The capture shows it translating the address but not translating the service/port.

AkosBakos

I hope, I understood correctly:

My guess are:

ORIGINAL DST: 66.66.66.1
ORIGINAL Services: smtp
translates src: orginal
translated dst: 10.10.10.11

ORIGINAL DST: 66.66.66.2
ORIGINAL Services: smtp
translates src: orginal
translated dst: 10.10.10.11
translated service: 465

Have a try.

Akos

----------------
\m/_(>_<)_\m/

Sam_Ponder

Hi Akos,

Yes, that is what I am using, well that and the reverse for outbound translation.

AkosBakos

Ok. Do you have any hits on the rules?

----------------
\m/_(>_<)_\m/

Sam_Ponder

no hits on the outbound nat rule, inbound nat rule shows a few, but it isnt translating the port/service. The firewall rule has hits on it, though it show nat 0 as the matching nat rule, in smartconsole logs. This is a clustered pair of 5400s.

Edit for clarification.

AkosBakos

Can you share a depersonalized screenshot of the ACL, which allows the inbound and outbound traffic?

Maybe for easier understandig: if you set an automatic NAT for SMTP-> then check the rules that are created (NAT rulebase) -> you will get a impression how should look like the NAT for only SMTP

Then you will be able to copy it and expand the rules with ports etc.

----------------
\m/_(>_<)_\m/

Sam_Ponder

Akos,

Here you go. I want to add. Since initially starting this thread, I have it working on the firewall at our DR location. Initially, I got it working in Vegas by recreating the network objects that were in use and then it started working.

The IndyFW cluster, isn't behaving the same.

Edit: I am leaving on PTO today, returning on Monday

Are you a member of CheckMates?

Manual NAT rule with service translation, not translating service