Hi,
I'm looking to simplify our policy and have started to use more inline layers. I was wondering how items with a NAT on them would work when defining the rule. Do I need to define both the NATed network and the DMZ network as the destination? Or can I just use the DMZ network? I'm thinking I would need to define both. If it helps, the DMZ items have the NATed address in the object.
Currently:
1st rule - Source: Any; Destination: one or two DMZ addresses with NAT; Service: 80.
2nd rule - Source: Any; Destination: one DMZ address with NAT; Service: TCP port.
Goal:
Top - Source: Any; Destination: DMZ (and NATed network?); Service: Any
Next - Source: External; Destination: specific DMZ server; Service: 80
etc.
Thanks!
Access Rules should be defined in terms of the IP addresses that will apply before NAT is applied.
Which means you'll probably need to use both.
Policy is matched prior to NAT, so you should use the pre-NAT object in the policy. For outbound connections using Hide NAT, the source will be the original inside network. For inbound connections using static NAT the destination should be the Internet-routable address prior to the NAT operation. You can put the object representing the post-NAT address(es) in the rule as well if you want but it is not necessary.
Also, the NAT "layer" must be kept separate in the Access Control policy and cannot be combined into a single policy layer the way the Firewall, APCL/URLF, and Content Awareness features can be when using an R80.10 gateway. I don't think the NAT policy is a "real" policy layer anyway, since you can't use Security Zone objects in it.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
To close the loop: we did need to have the External IP range (the NATed addresses) and the DMZ range (the internal IPs) as the destination in the top inline layer rule. The end result:
Source: Any; Destination: DMZ, External IPs; Action: Inline Layer
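To see why both ranges end up in the top rule while the replies above are still right, here is a small Python model written for this thread (an added example, not Check Point code and not from any of the posters). It assumes constructed addressing: a DMZ of 10.10.10.0/24, an Internet-routable block 203.0.113.0/28 holding the NAT addresses, inside users in 192.168.1.0/24, and one web server published by static NAT from 203.0.113.10 to 10.10.10.10. The rulebase is walked on the untranslated header and NAT is applied only afterwards, so an Internet client reaches the inline layer only via the external address, while an inside user reaching the server by its real address gets there via the DMZ range; each flow is matched on its own pre-NAT destination, which is why a single top rule needs both ranges.

```python
"""Toy model of Access Control matching before NAT (added example, not Check Point code).

All addresses, ranges and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Sequence, Tuple, Union

ANY = "any"

# Constructed addressing (hypothetical)
DMZ_NET = ip_network("10.10.10.0/24")        # DMZ servers' real (post-NAT) addresses
EXTERNAL_NET = ip_network("203.0.113.0/28")  # Internet-routable range holding the NAT addresses
INTERNAL_NET = ip_network("192.168.1.0/24")  # inside users
HIDE_ADDR = ip_address("203.0.113.1")        # gateway address used for Hide NAT
WEB_PUBLIC = ip_network("203.0.113.10/32")   # static NAT address of the DMZ web server
STATIC_NAT = {ip_address("203.0.113.10"): ip_address("10.10.10.10")}  # public -> DMZ


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: Sequence   # IPv4Network objects, or ANY
    dst: Sequence
    svc: Sequence   # TCP ports, or ANY
    action: Union[str, List["Rule"]]  # "accept", "drop", or an inline layer (list of rules)


def _match_addr(addr: IPv4Address, nets: Sequence) -> bool:
    return any(n == ANY or addr in n for n in nets)


def _match_svc(port: int, svcs: Sequence) -> bool:
    return ANY in svcs or port in svcs


def lookup(layer: List[Rule], pkt: Packet, path: str = "") -> Tuple[str, str]:
    """Walk a layer top-down on the UNTRANSLATED header.

    Returns (rule path, verdict). A layer with no matching rule ends in its
    implicit cleanup, modelled here as a drop.
    """
    for rule in layer:
        if _match_addr(pkt.src, rule.src) and _match_addr(pkt.dst, rule.dst) and _match_svc(pkt.dport, rule.svc):
            here = f"{path}/{rule.name}" if path else rule.name
            if isinstance(rule.action, list):        # inline layer: keep matching inside it
                return lookup(rule.action, pkt, here)
            return here, rule.action
    return (f"{path}/implicit-cleanup" if path else "implicit-cleanup"), "drop"


def apply_nat(pkt: Packet) -> Packet:
    """NAT runs only after the policy decision: static NAT rewrites an inbound
    public destination, Hide NAT rewrites an outbound source leaving the inside."""
    if pkt.dst in STATIC_NAT:
        return Packet(pkt.src, STATIC_NAT[pkt.dst], pkt.dport)
    if pkt.src in INTERNAL_NET and pkt.dst not in DMZ_NET and pkt.dst not in INTERNAL_NET:
        return Packet(HIDE_ADDR, pkt.dst, pkt.dport)
    return pkt


def process(policy: List[Rule], pkt: Packet) -> Tuple[str, str, Optional[Packet]]:
    """Policy first, NAT second. Returns (matched rule, verdict, packet as forwarded)."""
    rule, verdict = lookup(policy, pkt)
    return rule, verdict, (apply_nat(pkt) if verdict == "accept" else None)


def build_policy(top_rule_dst: Sequence) -> List[Rule]:
    """The thread's layout: a top rule handing DMZ traffic to an inline layer
    whose own rules are also written against pre-NAT addresses."""
    dmz_layer = [
        Rule("web", [ANY], [WEB_PUBLIC], [80], "accept"),                   # Internet -> published address
        Rule("inside-to-dmz", [INTERNAL_NET], [DMZ_NET], [ANY], "accept"),  # routed directly, no NAT
    ]
    return [
        Rule("dmz", [ANY], list(top_rule_dst), [ANY], dmz_layer),
        Rule("outbound", [INTERNAL_NET], [ANY], [ANY], "accept"),
        Rule("cleanup", [ANY], [ANY], [ANY], "drop"),
    ]


DMZ_ONLY = build_policy([DMZ_NET])                        # the poster's first idea
DMZ_AND_EXTERNAL = build_policy([DMZ_NET, EXTERNAL_NET])  # what they ended up with

# Constructed flows: an Internet client to the published server, an inside user
# to the same server by its real address, and an inside user browsing out.
INBOUND = Packet(ip_address("198.51.100.7"), ip_address("203.0.113.10"), 80)
INSIDE_TO_DMZ = Packet(ip_address("192.168.1.50"), ip_address("10.10.10.10"), 80)
OUTBOUND = Packet(ip_address("192.168.1.50"), ip_address("198.51.100.7"), 443)

if __name__ == "__main__":
    for label, policy in (("DMZ only", DMZ_ONLY), ("DMZ + External", DMZ_AND_EXTERNAL)):
        print(f"== top rule destination: {label}")
        for pkt in (INBOUND, INSIDE_TO_DMZ, OUTBOUND):
            rule, verdict, out = process(policy, pkt)
            fwd = f", forwarded as {out.src}->{out.dst}" if out else ""
            print(f"  {pkt.src}->{pkt.dst}:{pkt.dport}  matched {rule}: {verdict}{fwd}")
```

Running it shows the "DMZ only" top rule sending the Internet flow to the cleanup drop, because its destination 203.0.113.10 is still the public address at lookup time, while the "DMZ + External" version accepts it through dmz/web and only then rewrites the destination to 10.10.10.10. The inside-to-DMZ flow is accepted by either policy, and the outbound flow is matched on its original inside source before being hidden behind 203.0.113.1.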