NAT reflection DMZ to LAN

Hi Intern Support 

Yes, you would be able to configure this NAT reflection (Hairpin) rule as per that community thread.

In your situation:

Create business application rule (DNAT/Full NAT/Load Balancing)

• Source Zone: DMZ
• Source Network: Any
• Destination host/network: Public IP
• Services: Define the services used
• Protected Server: LAN IP of server
• Protected Zone: LAN
• Rewrite Source Address (masquerading): Enabled
• Use outbound IP: LAN interface GW IP
• Log Firewall Traffic: Enabled

Please let me know if you had any issues.

I will follow up with our KB team in regards to publishing an article regarding this.

Thanks for the answer!

When i choose "Rewrite Source Address (masquerading): Enabled" i also have to choose "use outbound address" what to choose there?

Do i create and use the address of the fw-interface for this network?   

Since it is a WLAN (a wlan-router involved), is there a problem with the tcp connections (port 443) going back and forth?

XG330 SFOS 17.1.3 MR-3

Yes, you could use the default "Masq" default definition, as this would NAT to the IP of the egress interface (LAN interface). Or you can also create a new IP host object for your LAN interface IP, and specifically use this for your NAT policy.

There shouldn't be any issues as the XG is a stateful firewall and will know where to forward the traffic to.

Regards,

Thanks!

Right now i have one forward rule for access from the internet and one for access from the wlan, both to access the same lan device via https, is there any way i can make this one rule?

do i also need to MASQ the accept rule that allow services on the internet, like dns, https and so on, and what NAT policy?

If yes, does it mean i always have to use masquerading on rules handling traffic to the internet?

Regards

Thanks!

Right now i have one forward rule for access from the internet and one for access from the wlan, both to access the same lan device via https, is there any way i can make this one rule?

do i also need to MASQ the accept rule that allow services on the internet, like dns, https and so on, and what NAT policy?

If yes, does it mean i always have to use masquerading on rules handling traffic to the internet?

Regards

Hi Intern Support 

This will have to be two separate rules, as one rule is meant for outside internet users (no NAT) and one for hairpinning WLAN users (NAT).

For internal wireless/LAN traffic that is destined for the WAN zone (internet), you will need to have masquerading enabled (NAT to your public IP). Private network IP traffic will be dropped by ISP routers.

Regards,

Ok,

Thanks

If i would like to allow certain traffic from LAN to all the other networks including the internet, do i have to create two rules.

1. for the internet that is using MASQ

2. for all the other networks

How do i define the internet?

Destination Zone ? WAN i guess

Destination Network ? #Port2 (but thats just one IP) or do i create a network range like 0.0.0.1 - 255.255.255.254

Sincerly

Hi Intern Support 

Yes you would have to create 2 separate rules for this. As your LAN to WAN firewall rule will need to have masquerading enabled, while your LAN to other local zones (DMZ/LAN) will not.

• Destination Zone: WAN
• Destination Network: ANY (meaning any public IP address)

Please also make sure that your hairpin DNAT rule we originally discussed for LAN traffic accessing your internal server through it's WAN IP, remains at the top of your firewall rule list.

Thanks

Just for understanding, why do i need to keep the  "hairpin DNAT rule" at the top of the list?

Sincerely

To ensure that this rule is processed first, in the event you create any other firewall rules that could interfere.

Ok,

is it working ta add my wireless lan to the WiFi zone or does it affect the network in any way except from the "device access" options (policies)?

Sincerely 

To confirm, I would need to take a look at how your current setup is configured. Enable the support access tunnel on your appliance and PM me with your ID.

Regards,

Hi,

it is not possible right now since the XG is not in service at the moment.

My knowledge is that zones is just for handling policies in a easier way, ports that belong to the same zone share the same policies.

Policies = "admin services", "authentication services, "network services" and "other services" accessed on the XG device.

They do not affect traffic going through the XG, RIGHT? (i just want to make sure i understand ZONES).

Hi,

Yes, that is correct about zones making policy administration easier.

However, I'm unsure of your question relating to not affecting traffic going through the XG?

Policies include firewall rules, which are configured to determine what traffic is allowed to go through the firewall and what type of traffic scanning/proxying occurs.

Hi,

example:

If a rule has source zones "lan" and source network and devices  "any" it means that all ports in that zone is included.

Is that it or is it more to it? can you use zones in any other ways?

sincerely