
NATing and Firewall Rules

I recently switched from UTM to XG and I'm having trouble figuring this out. I understand how to create the DNAT rule. On UTM I had created the 1:1 NAT and then used regular firewall rules to control who could hit what ports. After adding a DNAT Business Application rule on XG, everything seems to work NAT-wise; however, it seems like everything ends up wide open even though I haven't created any Allow rules for it. Is there a way to do a full 1:1 NAT and still control who can get to individual ports, or do I have to create individual Business Application/NAT rules for each port/group of ports that I want open? Thanks for any help.



  • Hi,

    Your post is not very clear as to incoming or outgoing.

    If incoming, why do you want a full NAT? Why not source services in your firewall rule and MASQ in your NAT part of the rule?

    You can use network rules to control who goes out to what sites?

    Ian

  • I was referring to incoming, sorry. As for why, I guess it's just habit from working on client firewalls on UTM9/ASA at work and basing it off how I had it originally configured on the UTM. I also didn't realize the MASQ rule would work on incoming as well as outgoing. I had already set an any any MASQ rule for outgoing traffic.

  • Hi,

    not sure about MASQ incoming? Not sure why you would need a full NAT for incoming traffic on a UTM, you could have provided better security/management with individual NATs for each access type.

    Ian

  • Basically all I'm trying to do is take a public IP, map it to an RFC1918 IP, and open the ports I need for whatever is running on it. I'll try using a MASQ rule and see if it works.

  • Hi,

    I was reading a post on the UTM forum and see that the UTM supports MASQ for incoming traffic. I am not sure about the XG as I have never tried.

    Ian

  • You are correct in that once you create a Business Application Rule it will directly start working. You don't need to add any other rules for it because it, in and of itself, is a Rule.

     

    drkdragonarcher said:
    or do I have to create individual Business Application/NAT rules for each port/group of ports that I want open? Thanks for any help.

    Yes, you will have to create multiple individual rules to achieve this (allow specific Source IP, Country, Ports etc). I suggest you make use of the 'Custom Firewall Rule Group' feature to better manage and group these rules for a single server.

     

    Inbound MASQ NAT also works on XG and is sometimes necessary for certain applications.
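To make the point of the last reply concrete, here is an added example (not part of the thread and not Sophos code) that models top-down, first-match evaluation of Business Application style rules, where one rule both DNATs and allows the traffic. The addresses, rule names and the admin network are assumed for illustration. It compares a single 1:1 rule with any service and any source against a set of per-port rules scoped by source, and reports which ports each set exposes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of first-match NAT/firewall rule evaluation, where each
# rule is both the DNAT and the allow (as the thread describes for XG
# Business Application Rules). Simplified illustration, not vendor code.

PUBLIC_IP = "203.0.113.10"    # assumed public address (documentation range)
SERVER_IP = "192.168.10.20"   # assumed RFC1918 server behind the firewall


@dataclass
class Rule:
    name: str
    dst: str                         # public IP the rule matches
    nat_to: str                      # internal address the traffic is DNATed to
    services: Optional[set] = None   # set of (proto, port); None = any service
    sources: Optional[list] = None   # list of CIDR strings; None = any source

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if dst != self.dst:
            return False
        if self.services is not None and (proto, port) not in self.services:
            return False
        if self.sources is not None and not any(
            ip_address(src) in ip_network(net) for net in self.sources
        ):
            return False
        return True


def evaluate(rules, src, dst, proto, port):
    """Top-down first match; no matching rule means implicit drop."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return ("ALLOW", rule.name, rule.nat_to)
    return ("DROP", None, None)


# Rule set 1: a single 1:1 DNAT rule with any service and any source.
WIDE_OPEN = [Rule("1to1-any", PUBLIC_IP, SERVER_IP)]

# Rule set 2: one rule per port/source group, as the last reply recommends.
# The admin network 198.51.100.0/24 is an assumption for the example.
SCOPED = [
    Rule("web", PUBLIC_IP, SERVER_IP, services={("tcp", 443)}),
    Rule("ssh-admin", PUBLIC_IP, SERVER_IP,
         services={("tcp", 22)}, sources=["198.51.100.0/24"]),
]


def exposed_ports(rules, src="192.0.2.77", ports=range(1, 1025)):
    """TCP ports in `ports` that `src` can reach through `rules`."""
    return sorted(p for p in ports
                  if evaluate(rules, src, PUBLIC_IP, "tcp", p)[0] == "ALLOW")


if __name__ == "__main__":
    print("wide open:", len(exposed_ports(WIDE_OPEN)), "of 1024 ports reachable")
    print("scoped   :", exposed_ports(SCOPED))
    print("ssh from admin net:", evaluate(SCOPED, "198.51.100.5", PUBLIC_IP, "tcp", 22))
    print("ssh from elsewhere:", evaluate(SCOPED, "192.0.2.77", PUBLIC_IP, "tcp", 22))
```

Because the single 1:1 rule matches before anything else and carries no service or source restriction, every port on the mapped address is reachable; the scoped set only opens what each rule names, and anything not matched falls through to the implicit drop. Grouping such rules under a custom rule group, as suggested above, keeps the per-server set readable.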