This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is it possible to set up Full Nat rule for an entire subnet?

I will try to explain this as best as I can with my limited knowledge in networking. This is using XG 210 hardware.

We have setup a connectivity from our Azure VNet to our on premises location with a XG 210. In our Azure VNet we have a subnet (ex. 172.0.0.1/24) and we a need to route traffic coming from any IP within that range to a 10.x IP.

Is this possible? Please let me know if you need more info.

Thanks.

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 7 years ago

Hi,

this is possible but looks very odd.

You have to do 2 Full NAT Rules.

1. 172 to 10 with DNAT and SNAT to a Range.

2. 10 to 172 with DNAT and SNAT to a Range.

This will do a 1:1 NAT. You can basically perform the same with /16 etc.
Cancel
Vote Up 0 Vote Down

Cancel
0 Albert Tejada over 7 years ago in reply to LuCar Toni

Thanks for the reply. Yes I know this is an unusual setup but it's something we need to do.

I'm having trouble getting this done. Is there any documentation that I can follow?

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 7 years ago in reply to Albert Tejada

You will run into a special construct of NATing because XG will choose a random IP out of the Range you select.

But it should work fine. You want to do 1:1 NAT isn´t it?
Cancel
Vote Up 0 Vote Down

Cancel
0 Albert Tejada over 7 years ago in reply to LuCar Toni

I'm looking to do 1:Many NAT...

Something like this:

DNAT and SNAT 172.18.2.0/24 to 10.1.0.13/32

DNAT and SNAT 10.1.0.13/32 to172.18.2.0/24
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Albert Tejada

Hi,

your second entry does not make sense?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Albert Tejada over 7 years ago in reply to rfcat_vk

Thanks for the reply Ian, I will take a step back and try to explain what we are trying to do.

We need to create a Telnet connection with a device that only accepts traffic and talks to a 10.1.x IP, the is going to be traffic coming from our Azure VNet from any IP in 172.18.3.0/24 range.

How can we make a Full NAT translation from the 172.x IPs to the 10.x IP.

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Albert Tejada

Hi Albert,

is the traffic both ways and if not where does it originate? If using telnet you would not need a 1:1 NAT.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Albert Tejada over 7 years ago in reply to rfcat_vk

Correct traffic is both ways.

- 172.x initiates a session with 10.x

- 10.x sends files to 172.x

- 172.x runs clean up on 10.x

During that entire sequence the 10.x device can only talk to another 10.x device which is why we need the NAT translation.

I hope that makes sense.

Thanks again.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Albert Tejada

Yes, to a certain degree. So a 10 device never originates traffic?

In that case you only need a NAT from the 172 to 10 network. The XG firewall will handle the return traffic from the 10 network as part of the valid connections between the two devices.The firewall would not see the return traffic using the 10 to 172 NAT as valid.

Ian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rfcat_vk over 7 years ago in reply to Albert Tejada

Yes, to a certain degree. So a 10 device never originates traffic?

In that case you only need a NAT from the 172 to 10 network. The XG firewall will handle the return traffic from the 10 network as part of the valid connections between the two devices.The firewall would not see the return traffic using the 10 to 172 NAT as valid.

Ian
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Albert Tejada over 7 years ago in reply to rfcat_vk

Understood. I will give it a try and report back. Thanks again.
Cancel
Vote Up 0 Vote Down

Cancel