XGS 2100 Loopback NAT

We are looking to deploy an HA pair of XGS2100 firewalls to our data centre. My issue is I cannot get a loopback NAT to work when I am starting the conversation from the same zone as the destination server is in. If the loopback is to a different zone, all is good.

I have googled this for hours and spent hours on the phone with support to no avail. I do have a support ticket open already, but I am hoping someone might have some additional insight into this.

The firewalls currently have 18.5 MR1 installed.

  • Why do you need a loopback in the first place? Still not sure, what's the actual use case?

  • We have cloud servers (RDS) that need to be able to connect to servers in the same network using either the public DNS name or the public IP address.  We currently have Sophos SG firewalls here that have no problem accomplishing this task and every other firewall vendor I have ever used has no issue with loopback/hairpinning. I believe at one point I also had this working on an XG firewall. 

    Without loopback working these firewalls will not be a fit for our deployment and we will have to stay with the SGs.  

  • This should be possible, no problem. But you always need to use SNAT. Without SNAT, the loopback packets will go directly, causing issues within the network.

    Your first screenshot should use MASQ as SNAT.

  • As said before, we have tried it both ways and it doesn't work either way. Either way, when I do a packet capture on the destination device I do not see any packets from the source. And in true hairpinning you should not have to source NAT.

  • From my understanding, SNAT is required on most products, because otherwise it will break stateful firewalling.

    If you come from a client (192.168.1.1) and talk to the WAN IP (1.2.3.4), XG will redirect it to the Server (10.0.0.1).

    If you do not use SNAT, the traffic will get to the server with 192.168.1.1. It will send it back to 192.168.1.1 directly. Therefore the server expects 1.2.3.4 to communicate with it, but in fact the handshake will be sent back from 10.0.0.1. Therefore you need a SNAT.

  • Again, I have tried with and without SNAT. Neither works. In my scenario the two machines are in the same subnet.

  • That is even worse. Without SNAT this will not work. Try a tcpdump on the appliance on the port and check what is going on. I assume the tcp handshake is not correct. 

  • That has already been done. The firewall is not getting return packets, and running Wireshark on the destination host, there are no packets being sent to it, as if the firewall is not forwarding the packet. This happens whether the SNAT is on or off. Loopback is not working on this model. I know how it works, I understand the concept, and I've worked with and made it work on multiple different firewall vendors, including the Sophos SG and I believe even Sophos XG. It is not working on the XGS when going to the same LAN; it works fine going to a different zone.

  • What's the tcpdump on the firewall? Please show us the tcpdump. I have a loopback on my XGS. There is no difference. There has to be a configuration issue.

  • When I get to the office in a few hours I will do that. Are there any particular parameters you would like added?

    Is your loopback going to the same subnet? Cause I've spent hours on this and have not had any luck.

  • Yes. It uses an NTP loopback. I am using an NTP loopback.

    Do a tcpdump -ni any port (used service). 

    Then open the connection on your client. 

  • tcpdumps

    With SNAT set to Original

    XGS2100_RL01_SFOS 18.5.1 MR-1-Build318# tcpdump -ni any port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    11:33:09.313013 Port5, IN: ethertype IPv4, IP 10.10.15.3.60921 > 192.168.112.3.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:09.313041 br0, OUT: ethertype IPv4, IP 10.10.15.3.60921 > 10.10.0.100.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:09.313215 Port5, IN: ethertype IPv4, IP 10.10.15.3.63277 > 192.168.112.3.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:09.313235 br0, OUT: ethertype IPv4, IP 10.10.15.3.63277 > 10.10.0.100.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:09.572133 Port5, IN: ethertype IPv4, IP 10.10.15.3.62888 > 192.168.112.3.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:09.572165 br0, OUT: ethertype IPv4, IP 10.10.15.3.62888 > 10.10.0.100.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:10.320527 Port5, IN: ethertype IPv4, IP 10.10.15.3.60921 > 192.168.112.3.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:10.320571 br0, OUT: ethertype IPv4, IP 10.10.15.3.60921 > 10.10.0.100.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:10.320584 Port5, IN: ethertype IPv4, IP 10.10.15.3.63277 > 192.168.112.3.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:10.320610 br0, OUT: ethertype IPv4, IP 10.10.15.3.63277 > 10.10.0.100.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:10.584039 Port5, IN: ethertype IPv4, IP 10.10.15.3.62888 > 192.168.112.3.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:10.584072 br0, OUT: ethertype IPv4, IP 10.10.15.3.62888 > 10.10.0.100.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:12.324379 Port5, IN: ethertype IPv4, IP 10.10.15.3.63277 > 192.168.112.3.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:12.324381 Port5, IN: ethertype IPv4, IP 10.10.15.3.60921 > 192.168.112.3.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:12.324413 br0, OUT: ethertype IPv4, IP 10.10.15.3.60921 > 10.10.0.100.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:12.324414 br0, OUT: ethertype IPv4, IP 10.10.15.3.63277 > 10.10.0.100.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:12.591515 Port5, IN: ethertype IPv4, IP 10.10.15.3.62888 > 192.168.112.3.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:12.591549 br0, OUT: ethertype IPv4, IP 10.10.15.3.62888 > 10.10.0.100.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:16.331613 Port5, IN: ethertype IPv4, IP 10.10.15.3.60921 > 192.168.112.3.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:16.331613 Port5, IN: ethertype IPv4, IP 10.10.15.3.63277 > 192.168.112.3.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:16.331648 br0, OUT: ethertype IPv4, IP 10.10.15.3.60921 > 10.10.0.100.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:16.331648 br0, OUT: ethertype IPv4, IP 10.10.15.3.63277 > 10.10.0.100.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:16.596957 Port5, IN: ethertype IPv4, IP 10.10.15.3.62888 > 192.168.112.3.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:16.596999 br0, OUT: ethertype IPv4, IP 10.10.15.3.62888 > 10.10.0.100.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:24.332298 Port5, IN: ethertype IPv4, IP 10.10.15.3.60921 > 192.168.112.3.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:24.332299 Port5, IN: ethertype IPv4, IP 10.10.15.3.63277 > 192.168.112.3.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:24.332337 br0, OUT: ethertype IPv4, IP 10.10.15.3.63277 > 10.10.0.100.80: Flags [S], seq 1045385692, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:24.332337 br0, OUT: ethertype IPv4, IP 10.10.15.3.60921 > 10.10.0.100.80: Flags [S], seq 1188266436, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:24.599556 Port5, IN: ethertype IPv4, IP 10.10.15.3.62888 > 192.168.112.3.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:33:24.599639 br0, OUT: ethertype IPv4, IP 10.10.15.3.62888 > 10.10.0.100.80: Flags [S], seq 2708416238, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    With SNAT set to MASQ

    XGS2100_RL01_SFOS 18.5.1 MR-1-Build318# tcpdump -ni any port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    11:35:38.443417 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:38.443482 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:38.445483 Port5, IN: ethertype IPv4, IP 10.10.15.3.56774 > 192.168.112.3.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:38.445504 br0, OUT: ethertype IPv4, IP 10.10.15.3.56774 > 10.10.0.100.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:38.703662 Port5, IN: ethertype IPv4, IP 10.10.15.3.53985 > 192.168.112.3.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:38.703702 br0, OUT: ethertype IPv4, IP 10.10.15.3.53985 > 10.10.0.100.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:39.453159 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:39.453205 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:39.453212 Port5, IN: ethertype IPv4, IP 10.10.15.3.56774 > 192.168.112.3.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:39.453242 br0, OUT: ethertype IPv4, IP 10.10.15.3.56774 > 10.10.0.100.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:39.717361 Port5, IN: ethertype IPv4, IP 10.10.15.3.53985 > 192.168.112.3.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:39.717407 br0, OUT: ethertype IPv4, IP 10.10.15.3.53985 > 10.10.0.100.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:41.453945 Port5, IN: ethertype IPv4, IP 10.10.15.3.56774 > 192.168.112.3.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:41.453987 br0, OUT: ethertype IPv4, IP 10.10.15.3.56774 > 10.10.0.100.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:41.468663 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:41.468692 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:41.719996 Port5, IN: ethertype IPv4, IP 10.10.15.3.53985 > 192.168.112.3.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:41.720032 br0, OUT: ethertype IPv4, IP 10.10.15.3.53985 > 10.10.0.100.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:45.454191 Port5, IN: ethertype IPv4, IP 10.10.15.3.56774 > 192.168.112.3.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:45.454233 br0, OUT: ethertype IPv4, IP 10.10.15.3.56774 > 10.10.0.100.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:45.470081 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:45.470108 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:45.720277 Port5, IN: ethertype IPv4, IP 10.10.15.3.53985 > 192.168.112.3.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:45.720314 br0, OUT: ethertype IPv4, IP 10.10.15.3.53985 > 10.10.0.100.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:53.461604 Port5, IN: ethertype IPv4, IP 10.10.15.3.56774 > 192.168.112.3.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:53.461646 br0, OUT: ethertype IPv4, IP 10.10.15.3.56774 > 10.10.0.100.80: Flags [S], seq 3730900500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:53.476758 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:53.476804 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:53.729077 Port5, IN: ethertype IPv4, IP 10.10.15.3.53985 > 192.168.112.3.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:35:53.729119 br0, OUT: ethertype IPv4, IP 10.10.15.3.53985 > 10.10.0.100.80: Flags [S], seq 2729626535, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:00.512285 Port5, IN: ethertype IPv4, IP 10.10.15.3.53344 > 192.168.112.3.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:00.512336 br0, OUT: ethertype IPv4, IP 10.10.15.3.53344 > 10.10.0.100.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:00.515229 Port5, IN: ethertype IPv4, IP 10.10.15.3.61257 > 192.168.112.3.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:00.515246 br0, OUT: ethertype IPv4, IP 10.10.15.3.61257 > 10.10.0.100.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:00.771569 Port5, IN: ethertype IPv4, IP 10.10.15.3.61956 > 192.168.112.3.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:00.771613 br0, OUT: ethertype IPv4, IP 10.10.15.3.61956 > 10.10.0.100.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:01.524158 Port5, IN: ethertype IPv4, IP 10.10.15.3.53344 > 192.168.112.3.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:01.524200 br0, OUT: ethertype IPv4, IP 10.10.15.3.53344 > 10.10.0.100.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:01.524204 Port5, IN: ethertype IPv4, IP 10.10.15.3.61257 > 192.168.112.3.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:01.524214 br0, OUT: ethertype IPv4, IP 10.10.15.3.61257 > 10.10.0.100.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:01.775424 Port5, IN: ethertype IPv4, IP 10.10.15.3.61956 > 192.168.112.3.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:01.775466 br0, OUT: ethertype IPv4, IP 10.10.15.3.61956 > 10.10.0.100.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:03.524711 Port5, IN: ethertype IPv4, IP 10.10.15.3.53344 > 192.168.112.3.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:03.524752 br0, OUT: ethertype IPv4, IP 10.10.15.3.53344 > 10.10.0.100.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:03.524756 Port5, IN: ethertype IPv4, IP 10.10.15.3.61257 > 192.168.112.3.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:03.524767 br0, OUT: ethertype IPv4, IP 10.10.15.3.61257 > 10.10.0.100.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:03.790219 Port5, IN: ethertype IPv4, IP 10.10.15.3.61956 > 192.168.112.3.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:03.790272 br0, OUT: ethertype IPv4, IP 10.10.15.3.61956 > 10.10.0.100.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:07.525025 Port5, IN: ethertype IPv4, IP 10.10.15.3.53344 > 192.168.112.3.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:07.525069 br0, OUT: ethertype IPv4, IP 10.10.15.3.53344 > 10.10.0.100.80: Flags [S], seq 3840077669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:07.525073 Port5, IN: ethertype IPv4, IP 10.10.15.3.61257 > 192.168.112.3.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:07.525083 br0, OUT: ethertype IPv4, IP 10.10.15.3.61257 > 10.10.0.100.80: Flags [S], seq 4170908038, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:07.792403 Port5, IN: ethertype IPv4, IP 10.10.15.3.61956 > 192.168.112.3.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:36:07.792449 br0, OUT: ethertype IPv4, IP 10.10.15.3.61956 > 10.10.0.100.80: Flags [S], seq 4294786532, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    There is one thing I am noticing in these: the LAN of the source and the LAN of the destination are on a VLAN on br0. Nowhere in the tcpdump am I seeing the VLAN being addressed; not sure if that is normal or not. Port5 is a member of br0 and the devices are on br0.20.

    192.168.112.3 is the WAN IP of the device I am trying to get to, 10.10.15.3 is the source and 10.10.0.100 is the LAN IP of the destination.  The Loopback rule usage count is incrementing when I try to connect.
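To read captures like the two above mechanically, here is an added example (not from the thread or from Sophos) that pairs each IN SYN with the OUT copy the firewall forwarded and reports whether the source changed as the SNAT setting implies, which interface the forwarded copy left on, and whether any SYN-ACK came back. The sample lines are copied from the MASQ capture; the public IP, server IP and expected-SNAT flag are passed in as parameters.

```python
"""Pair the IN and OUT copies of each SYN in a 'tcpdump -ni any' capture from a
Linux-based firewall, to see what a loopback (hairpin) DNAT rule did to every
connection attempt and whether the server ever answered."""
import re

# Constructed sample: four lines copied from the "SNAT set to MASQ" capture above.
SAMPLE_CAPTURE = """\
11:35:38.443417 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:35:38.443482 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:35:39.453159 Port5, IN: ethertype IPv4, IP 10.10.15.3.55396 > 192.168.112.3.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:35:39.453205 br0, OUT: ethertype IPv4, IP 10.10.15.3.55396 > 10.10.0.100.80: Flags [S], seq 3071726818, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# Default-verbosity tcpdump line on the 'any' pseudo-interface (Linux cooked capture).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): ethertype IPv4, "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

def parse_capture(text):
    """One dict per parsable TCP line; banner lines and other protocols are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d.update(sport=int(d["sport"]), dport=int(d["dport"]), seq=int(d["seq"]))
            pkts.append(d)
    return pkts

def analyse_hairpin(text, public_ip, server_ip, expect_snat):
    """Tie each client SYN entering for the public IP to the copy the firewall
    forwarded to the server: same (client port, seq) means same packet, and a
    repeated IN copy is a client retransmission, i.e. no SYN-ACK ever came back."""
    flows, synacks = {}, 0
    for p in parse_capture(text):
        if p["flags"] == "S.":                 # SYN-ACK: the server did answer
            synacks += 1
        elif p["flags"] == "S":
            f = flows.setdefault((p["sport"], p["seq"]), {"in": None, "out": None, "seen": 0})
            if p["dir"] == "IN" and p["dst"] == public_ip:
                f["in"], f["seen"] = p, f["seen"] + 1
            elif p["dir"] == "OUT" and p["dst"] == server_ip:
                f["out"] = p
    results = []
    for (sport, _seq), f in sorted(flows.items()):
        if f["in"] is None or f["out"] is None:
            continue                           # SYN never forwarded, or no IN copy
        snat_applied = f["out"]["src"] != f["in"]["src"]
        results.append({
            "sport": sport,
            "out_iface": f["out"]["iface"],    # br0 vs br0.20 matters for the VLAN question
            "snat_applied": snat_applied,      # did the source address change on the way out?
            "snat_as_expected": snat_applied == expect_snat,
            "retransmits": f["seen"] - 1,
        })
    return {"flows": results, "synacks": synacks}

def verdict(report):
    if not report["flows"]:
        return "no forwarded SYNs matched"
    bad = [f["sport"] for f in report["flows"] if not f["snat_as_expected"]]
    retrans = sum(f["retransmits"] for f in report["flows"])
    parts = [f"{len(report['flows'])} SYN(s) DNATed to server"]
    if bad:
        parts.append(f"SNAT not as configured for client port(s) {bad}")
    parts.append(f"{retrans} retransmit(s), {report['synacks']} SYN-ACK(s) seen")
    return "; ".join(parts)

if __name__ == "__main__":
    # MASQ was configured, so expect_snat=True; the sample shows it did not take effect.
    print(verdict(analyse_hairpin(SAMPLE_CAPTURE, "192.168.112.3", "10.10.0.100", True)))
```

Feed it the full capture text instead of the sample and it will list every client port the same way.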

  • Change from MASQ to a custom host. Change it to a host, you created with the IP of your br0.20 Interface. Check if it will SNAT the packets. 

    Wondering, as you should see VLAN interfaces in the packet capture as well.

    Try: ip r g 10.10.0.100 --> It should show br0.20 

    Check: console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

  • console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. SD-WAN policy routes
    3. VPN routes

    I have no Static routes set

    XGS2100_RL01_SFOS 18.5.1 MR-1-Build318# ip r g 10.10.0.100
    10.10.0.100 dev br0.20 src 10.10.0.1 uid 0
    cache

    Okay, I think I read it right.

    Created an IP host with ip 10.10.0.254 (on VLAN 20) and changed the Loopback NAT to that host. 

    TCPDUMP after change is the same.

    12:04:47.005444 br0, OUT: ethertype IPv4, IP 10.10.15.3.63811 > 10.10.0.100.80: Flags [S], seq 2935645804, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:47.254490 Port5, IN: ethertype IPv4, IP 10.10.15.3.53244 > 192.168.112.3.80: Flags [S], seq 2327797076, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:47.254526 br0, OUT: ethertype IPv4, IP 10.10.15.3.53244 > 10.10.0.100.80: Flags [S], seq 2327797076, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:51.018048 Port5, IN: ethertype IPv4, IP 10.10.15.3.63811 > 192.168.112.3.80: Flags [S], seq 2935645804, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:51.018084 Port5, IN: ethertype IPv4, IP 10.10.15.3.64210 > 192.168.112.3.80: Flags [S], seq 1148065473, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:51.018113 br0, OUT: ethertype IPv4, IP 10.10.15.3.63811 > 10.10.0.100.80: Flags [S], seq 2935645804, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:51.018114 br0, OUT: ethertype IPv4, IP 10.10.15.3.64210 > 10.10.0.100.80: Flags [S], seq 1148065473, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:51.254768 Port5, IN: ethertype IPv4, IP 10.10.15.3.53244 > 192.168.112.3.80: Flags [S], seq 2327797076, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:51.254812 br0, OUT: ethertype IPv4, IP 10.10.15.3.53244 > 10.10.0.100.80: Flags [S], seq 2327797076, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:59.024272 Port5, IN: ethertype IPv4, IP 10.10.15.3.63811 > 192.168.112.3.80: Flags [S], seq 2935645804, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:59.024274 Port5, IN: ethertype IPv4, IP 10.10.15.3.64210 > 192.168.112.3.80: Flags [S], seq 1148065473, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:59.024319 br0, OUT: ethertype IPv4, IP 10.10.15.3.63811 > 10.10.0.100.80: Flags [S], seq 2935645804, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:59.024319 br0, OUT: ethertype IPv4, IP 10.10.15.3.64210 > 10.10.0.100.80: Flags [S], seq 1148065473, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:59.257082 Port5, IN: ethertype IPv4, IP 10.10.15.3.53244 > 192.168.112.3.80: Flags [S], seq 2327797076, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    12:04:59.257122 br0, OUT: ethertype IPv4, IP 10.10.15.3.53244 > 10.10.0.100.80: Flags [S], seq 2327797076, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

  • You should see a NAT ID. If you use a conntrack, does the NAT Rule reflect the same rule ID? 

    conntrack -E | grep orig-dport=80

    This should show you the conntrack. 

    There should be an entry for NAT: fwid=0 natid=0. It should use the same ID you see in the WebAdmin.

  • That command is returning nothing. In web admin however the usage count is increasing.

    I am also not seeing any entries for the attempt in the Log in WebAdmin

  • This is a live command, so it needs to stay running while you try to access the service. 

    Maybe try: conntrack -E | grep 10.10.15.3