Hi,
I am struggling to get new v18 DNAT working. We are in Azure with two appliances configured but with one shut down to simplify troubleshooting this iss. To confirm the Azure Load Balancer is forwarding the packet correctly using Port Forward configured in the Load Balancer rule and health chaecks are all good. I have obfuscated the 1st two octets as follows;
WAN Public IP source 1.1.33.129
XG PortB:9 Destination: 2.2.40.91
XG LAN Host Destination: 3.3.43.4
What we are seeing is that the access to the XG PortB:9 Destination is being blocked via "Appliance Access" in the logs. So i know that the Device Access Page allows you to selectivity Enable or disable access to Administrative control and also feature such as SSL VPN, Web Proxy and HTTP, Dynamic Routing etc. We have those turned off for security purposes on the WAN and only allow management via Exception ACL containing known source public IP addresses. Bearing in mind we are trying to Translate Services 2224 to 22 on the WAN and there is no facility within the Exception ACL to configure non default ports.
So my question is how does the XG detertmine a packet is not destined for itself on an alias IP address but for a LAN host i.e. DNAT and apply and match the correct FW Rule and NAT Rule and not the Appliance access Rule? Screenshots of the configuration can be seen below;
Pre NAT Firewall Rule
Post FW DNAT Rule
TCPDump to Prove packets are hitting the Firewall
Logs Denying Access due to "Appliance Access"
Any help in this matter would be greatly appreciated.
This thread was automatically locked due to age.
