Dear all,
I'm currently testing NAT in FOS18. I have created a firewall rule and a DNAT rule to publish an RDP server within the LAN zone to the Internet. Everything works but I have noticed that return traffic from the published server to the original source in the Internet is being NATed by the XG despite no other NAT rule than the DNAT rule being in place.
When having a look at the traffic in diagnostics it is shown that the matching NAT rule for both incoming and outgoing traffic is the DNAT rule only (which however shows no indication that return traffic from the published server becomes NATed automatically).
It was my understanding that we need to create a "Reflexive NAT" rule for this. However, even when using the Server access assistant for DNAT and creating a corresponding Reflexive NAT rule, diagnostics shows that the DNAT rule is always being used for return traffic. The Reflexive NAT rule is actually not being used at all.
Is it by design that return traffic from a server published by a DNAT rule is automatically NATed as part of the stateful inspection?
This in turn would mean that Reflexive rules are not needed if
1) The published server never initiates connections to the source by itself (but only answers to traffic initiated by the source)
OR
2) We have a catch all NAT rule in place that translates the source address from the published server to the source anyway
Thanks
Michael
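To illustrate the behaviour the question is about, here is a small model of a stateful NAT engine (an added example, not Sophos code and not taken from the original post). It assumes that the firewall keeps a connection-tracking entry for every new flow and reverse-translates replies from that entry, which is how most stateful firewalls behave and is the assumption behind the question; whether FOS 18 works exactly this way is not confirmed here. Addresses and ports are constructed values from documentation ranges.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not real hosts
PUBLIC_IP = "203.0.113.10"   # WAN address of the firewall
SERVER_IP = "192.168.1.20"   # published RDP server in the LAN zone
CLIENT_IP = "198.51.100.5"   # client on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """Minimal model: DNAT/SNAT rules are consulted only for the first
    packet of a flow; every later packet (including replies) is rewritten
    from the connection-tracking table, never from the rule set."""

    def __init__(self, dnat_rules, snat_rules):
        self.dnat_rules = dnat_rules   # {(public_ip, port): server_ip}
        self.snat_rules = snat_rules   # [(source_prefix, translated_ip)]
        self.conntrack = {}            # 4-tuple on ingress -> 4-tuple on egress
        self.log = []                  # what decided each packet's translation

    def translate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)

        # Known flow (either direction): apply the stored mapping and stop.
        if key in self.conntrack:
            self.log.append("conntrack")
            return Packet(*self.conntrack[key])

        # New flow: evaluate DNAT first, then SNAT, as a NAT engine would.
        src, sport, dst, dport = key
        matched = []
        server = self.dnat_rules.get((dst, dport))
        if server:
            dst = server
            matched.append("DNAT")
        for prefix, nat_ip in self.snat_rules:
            if src.startswith(prefix):
                src = nat_ip
                matched.append("SNAT")
                break
        out = (src, sport, dst, dport)
        self.conntrack[key] = out

        # Pre-compute the reply direction so that the server's answer is
        # reverse-translated automatically (private source -> public IP).
        reply_key = (out[2], out[3], out[0], out[1])
        reply_out = (key[2], key[3], key[0], key[1])
        self.conntrack[reply_key] = reply_out

        self.log.append("+".join(matched) or "none")
        return Packet(*out)


def publish_and_reply():
    """Client -> published RDP port, then the server's reply. Only a DNAT
    rule exists; the reply still leaves with the public IP as source."""
    nat = StatefulNat({(PUBLIC_IP, 3389): SERVER_IP}, [])
    inbound = nat.translate(Packet(CLIENT_IP, 50000, PUBLIC_IP, 3389))
    reply = nat.translate(Packet(SERVER_IP, 3389, CLIENT_IP, 50000))
    return inbound, reply, nat.log


def server_initiated(with_reflexive):
    """The published server opens its own connection to the Internet.
    Without a reflexive/catch-all SNAT rule the private source address
    is not translated, because no conntrack entry and no SNAT rule exist."""
    snat = [("192.168.1.", PUBLIC_IP)] if with_reflexive else []
    nat = StatefulNat({(PUBLIC_IP, 3389): SERVER_IP}, snat)
    out = nat.translate(Packet(SERVER_IP, 40000, CLIENT_IP, 443))
    return out, nat.log


if __name__ == "__main__":
    print(publish_and_reply())
    print(server_initiated(False))
    print(server_initiated(True))
```

In this model the reply to a DNATed connection is handled purely by the connection-tracking entry, so diagnostics attributing it to the DNAT rule (the rule that created the entry) is consistent with the observation in the post. A reflexive or catch-all SNAT rule only matters for flows the server itself initiates, which is exactly the two-case distinction drawn above.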