Participant

Hide NAT of the FW external IP in VSX configuration

Hello,

is auto hide NAT possible for the FW IP (external interface of course) in VSX configuration?

Specifically, we have an Edge Firewall (Virtual System) with two interfaces (internal and external). Both interfaces are directly connected to a border router (Cisco 6800).

[Expert@lntfw-pgtw2:4]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.196.0 0.0.0.0 255.255.255.240 U 0 0 0 bond2.997
192.168.196.16 0.0.0.0 255.255.255.240 U 0 0 0 bond2.998
10.100.98.0 0.0.0.0 255.255.255.0 UD 0 0 0 bond2.998
10.100.97.0 0.0.0.0 255.255.255.0 UD 0 0 0 bond2.997
x.x.0.0 10.100.97.1 255.255.0.0 UGD 0 0 0 bond2.997
0.0.0.0 10.100.98.1 0.0.0.0 UGD 0 0 0 bond2.998

Since the external interface has a private IP (10.100.98.101), the VS can't go to the Internet. So, I'd like to add a hide NAT (with one of our public IPs) to the 10.100.98.101 IP address. I already tried these two methods:

- Created an object with IP 10.100.98.101 and set the option "NAT --> Add automatic address translation rules --> Hide behind IP address" (with public IP).

- Created an object with IP 10.100.98.101 (let's call it Priv) and another object with public IP (let's call it Pub). Then I added the object Priv in "Original Source" and the object Pub in "Translated Source".

Unfortunately, I didn't have success... both methods didn't work. Tcpdump always shows 10.100.98.101 as source if I try to ping or telnet some destination. So, since I read here this mechanism is feasible, I'm wondering if that is the same in VSX environments...

Thanks,
Francesco
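
A small checker, added here as an example and not code from the thread or from Check Point, that automates the test described above: it takes the default-route interface from `route -n` output and then flags packets leaving that interface whose source is still a private address instead of the hide IP. The `route -n` text, the capture lines and the 203.0.113.10 hide address (a documentation-range placeholder for the enterprise public IP) are all constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed "route -n" excerpt, modelled on the VS in the post (same interfaces and nets).
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.196.0 0.0.0.0 255.255.255.240 U 0 0 0 bond2.997
10.100.98.0 0.0.0.0 255.255.255.0 UD 0 0 0 bond2.998
10.100.97.0 0.0.0.0 255.255.255.0 UD 0 0 0 bond2.997
0.0.0.0 10.100.98.1 0.0.0.0 UGD 0 0 0 bond2.998
"""

# Constructed (interface, tcpdump line) pairs; 203.0.113.10 stands in for the hide IP.
CAPTURE: List[Tuple[str, str]] = [
    ("bond2.998", "10:00:01.000001 IP 10.100.98.101.40001 > 162.241.216.197.443: Flags [S], seq 1"),
    ("bond2.998", "10:00:02.000001 IP 10.100.98.101 > 162.241.216.197: ICMP echo request, id 1, seq 1"),
    ("bond2.998", "10:00:03.000001 IP 203.0.113.10.40002 > 162.241.216.197.443: Flags [S], seq 2"),
    ("bond2.997", "10:00:04.000001 IP 10.100.97.50.40003 > 10.100.98.200.22: Flags [S], seq 3"),
]

# Matches "IP src[.port] > dst[.port]:" for both TCP/UDP and ICMP lines.
PKT_RE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?[:,]")

def default_route_iface(route_text: str) -> Optional[str]:
    """Return the outgoing interface of the 0.0.0.0/0 route, i.e. the external side."""
    for line in route_text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] == "0.0.0.0" and cols[2] == "0.0.0.0":
            return cols[-1]
    return None

def parse_packet(line: str) -> Optional[Tuple[str, str]]:
    """Extract (src, dst) IPv4 addresses from one tcpdump line, ports stripped."""
    m = PKT_RE.search(line)
    return (m.group(1), m.group(3)) if m else None

def audit_hide_nat(route_text: str, capture: List[Tuple[str, str]], hide_ip: str) -> Dict:
    """Count packets on the external interface that carry the hide IP, and list those
    that still leave with an RFC 1918 source (the symptom reported in the post)."""
    ext = default_route_iface(route_text)
    report: Dict = {"external_iface": ext, "translated": 0, "leaks": []}
    for iface, line in capture:
        if iface != ext:
            continue  # internal-side traffic is not expected to be hidden
        parsed = parse_packet(line)
        if parsed is None:
            continue
        src, _dst = parsed
        if src == hide_ip:
            report["translated"] += 1
        elif ipaddress.ip_address(src).is_private:
            report["leaks"].append(line)
    return report
```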

13 Replies
Contributor

I would just create a NAT rule that has a group with all the addresses/nets you want to hide-NAT as original source. Original destination would be any. Translated source would then be an object with your selected public address with method Hide. Place it below all your other, more specific NAT rules.

Participant

That was exactly the second method I tried. Please see the following images (tried again towards a single Public IP  as destination for a test):

nat_rule.png

tcpdump.png

  • The object FW-Frontiera_10.100.98.101-External is a host containing the private IP 10.100.98.101 of the external interface.
  • The object Public_IP_Test is just a public IP to test the NAT (162.241.216.197)
  • The object FW-Frontiera_NAT-External is a host containing one of our enterprise Public IPs

As you can see, the source IP remains 10.100.98.101...

Contributor

What if you tried with the VS object for Original Source, instead of an object containing just the external IP?

Participant

Already tried:

nat_rule.png

but...

error.png

Gateway: lntfw-pVSX1_Frontiera
Policy: Frontiera
Status: Failed
- Invalid Object 'lntfw-pVSX1_Frontiera' in Original Source of Address Translation Rule 1. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.
--------------------------------------------------------------------------------

Contributor

Hmm, I've never had to do NAT for traffic from the firewall itself, so I have not run into this before. Is this how it is supposed to be in production?

Don't you have a host behind the firewall you can test from?

Participant

Yes, a test host works well. Please see the example below (before and after the NAT):

test_host.png

Participant

Any other ideas?

Thanks,
Francesco

Champion

What I'm missing here is the version you are running. Your second method should work just fine; it should not matter if it is VSX or not. What you should check though, after installing the policy, is whether the NAT is showing a proxy ARP for the IP, by issuing in the VS context: fw ctl arp
Another small thing: double-check the "Install On" column, it shows a name there...
Regards, Maarten
Advisor

Hi,

Just a dumb question, but is there an ACL for the traffic to be permitted? I mean the 443 traffic, not the ICMP.

Participant

@Maarten_Sjouw: the VSX/Gateway version is 80.20, while the Server Management is running version 80.30.

After the installation, the command outputs "No Proxy ARP entries"

tcpdump.png

The "Install On" is set to the correct VS.

nat.png

@funkylicious: I've just added an explicit rule as you suggested, but that traffic, I think, should be ensured by Implied Rules... anyway, nothing changed; please see the telnet/tcpdump screenshot above.

rule.png

Champion

Just another question: why do you need the NAT from the VS itself? Normally all updates etc. are done from VS0, so if you need anything to be able to go to the Internet it would be VS0, not the VS itself.
Regards, Maarten
Champion

Then I would suggest opening a case with TAC.
Regards, Maarten