Is it me, or is the NAT creation page design just broken?

How do you create a NAT for the same port with TCP AND UDP? Don't tell me I need to create 2 separate rules...

How about something that is neither TCP nor UDP? Like ICMP...

In the service zone of the NAT rule I must type the port numbers... Why can't I use the same service definitions I created for the firewall rules?

Did a 19-year-old trainee design this page? Come on, we are not talking about a free firewall solution (and I must add that something free like PFSense is far better than XG in the firewall/NAT/interfaces handling).

  • I think you are being a bit harsh with the "broken" bit, because the NAT function does work, but the rest of your post is a good summation.

    You have picked on another area where the relationships have not been thought through.

    The XG is getting better and I would hope by this time next year to see many more improvements and be up to V19 or 20?

  • As my subject indicates, I'm talking about the page design, not how the NAT works.

    But, are you able to create a NAT for ICMP? Or re-use the service definitions and not have to type the port ranges/list every time?

    Thanks

  • Try using a firewall rule.

    Hopefully you can see this.

    I have not tried this, but you would create a NAT policy of the internal address range you want to expose to the outside world. You would then move the rule to the top of your rule list. Then tick the re-write box.

    Does this make any sense? You have to remember the thinking for the XG and similar devices is totally different to the UTM. Takes a bit of getting used to.

  • I am sorry, but I really don't understand what you are showing me.

    You are highlighting just the "where the rule will match" part (src zone, src subnet/IP, schedule, dst zone, dst subnet/IP, dst service) of a firewall rule.

    Where and how do you propose I should use it to make an inbound NAT?

    Thanks

  • You create the rule for the ICMP. You create a NAT policy for the IP address range you want to expose. You use the NAT policy you created in place of the MASQ policy and tick rewrite and there you have a NAT rule that you wanted.

  • The MASQ policy is just for rewriting the source address; I really don't understand how to make it rewrite the destination.

    So you propose something like this to match the incoming connection from any WAN to one of my WAN IPs

    And then how do I rewrite WANs.5:0 to my internal IP?

    Thanks

  • Source and destination need to be any. Destination network needs to be any. You tick the box to match known users and add your WANs.5:0, whatever that is?

    You create a NAT policy with the internal IP addresses you want. Then you tick the re-write source address, being the external network. In fact, with this config you might not need to create your own NAT policy.

  • I have to give up, I can't follow your instructions.

    "Source and destination need to be any": do you mean SRC and DST zones only? If that's the case, why can't I restrict with the proper zones?

    "Destination network needs to be any": how will this match my public IP? With SRC and DST zones set to any and DST network set to any, it will match everything apart from the filter by the service definition.

    "You tick the box to match known users": why do you want to match a known user? This traffic is coming from the WAN, I have no idea who it might be.

    WANs.5:0 is the fancy name XG decided to assign to my secondary IP on one of my WAN interfaces

    "You create a NAT policy with internal IP addresses you want": do you mean like this?

    "Then you tick the re-write source address being the external network": I'm sorry, I've lost you. Where do I set this external network here?

    Thank you again

  • The source is the external "any", as per your rule. I wasn't sure what the 5:0 was; you are correct, you would not add that to matched addresses. That would be your outbound (the XG developers haven't quite grasped the fact that there is incoming traffic) address.

    You can try with your specific zone, but experience so far is that they don't always work the way you expect them to. There are a number of feature requests/bugs about the workings of some local user-created identities. One notable failure is country blocking: it only works on "all".

    I will try again during the v17 beta to see what happens.

  • Hi MassimoForni,

    The behaviour is derived from Cyberoam: the ports you can DNAT are either TCP or UDP, and ICMP does not use either of these two protocols. You may need to consider "Everything" to allow ICMP to be forwarded.

    Also, the ICMP packet is used for ping purposes and to check connectivity. You may forward the necessary ports you need to communicate with the server etc. and enable Ping on Appliance Access, so the XG would reply instead of your server. If you wish to use ping to check the server connectivity directly, you may use the TCP protocol to test your connection via Telnet.

    For Windows NT/2000/XP:

    1. Click Start, and then click Run.
    2. Type telnet and click OK.
       For example: telnet pca.mydomain.com 5631

    For Windows 9x/Me:

    1. Click Start, and then click Run.
    2. Type telnet and click OK.
    3. Click Connect, then click Remote System.
    4. Enter the hostname/IP and port number in the appropriate fields.
    5. Click Connect
    • If you see a blank screen with a flashing cursor, which may or may not populate with data over a period of time, you are attached to a TCP port.
    • If you see "Connection timed out", "Connection reset by host", "Could not open connection", or "Connection failed", either there is some sort of packet filtering between the two computers or the service is not currently waiting on the specified port.
    • If you want to test a TCP service on your local computer, use the IP address 127.0.0.1. This is the reserved "local host" address.

    To enable Telnet on Windows Vista and Windows 7 computers, do the following:

    1. Open control panel.
    2. Then go into programs.
    3. Then in programs and features there should be a part that says ‘turn windows features on or off ‘ .
    4. Click ‘turn windows features on or off ‘ then on the list that appears simply check the box beside: Telnet Client.
    5. Then click ok.

    You may also refer to the link below:

    https://technet.microsoft.com/itpro/powershell/windows/tcpip/test-netconnection
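The telnet test described in the post above distinguishes three outcomes: a connection that completes (something is listening), a connection refused (host reachable, nothing listening) and a timeout (a packet filter in the path, or no route). The following is an added example, not code from the post or from Sophos, that scripts the same TCP check with Python's standard socket module. To stay self-contained it starts its own throwaway listener on 127.0.0.1 on an ephemeral port; the host, port and timeout values are assumptions for illustration. The "filtered" outcome cannot be produced offline, so it is only documented, not demonstrated.

```python
import socket
import threading


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    Mirrors the manual telnet test from the post:
      open     - three-way handshake completed, a service is listening
      closed   - RST came back (ConnectionRefusedError): host reachable,
                 nothing listening on that port
      filtered - no SYN-ACK and no RST within the timeout, or no route:
                 packet filtering between the two hosts, or the host is down
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # e.g. "No route to host": treat like a filter for this purpose
        return "filtered"
    finally:
        s.close()


def start_listener(host: str = "127.0.0.1"):
    """Start a minimal TCP acceptor on an ephemeral port (constructed test
    target, standing in for the exposed server). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break  # listener closed
            conn.close()  # accept and hang up: enough for the probe

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, to demonstrate the 'closed' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Run the probe against a listening port and a closed port on loopback."""
    srv, port = start_listener()
    try:
        result_open = tcp_probe("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()
    result_closed = tcp_probe("127.0.0.1", free_port(), timeout=2.0)
    return {"listening_port": result_open, "unused_port": result_closed}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
    # Against a real forwarded port, e.g. tcp_probe("pca.mydomain.com", 5631)
    # (hostname from the post, used here purely as an illustration).
```

Against a real NAT rule, probe the public IP from outside the WAN: "open" confirms the forward and the firewall rule, "closed" means the forward reached a host with nothing listening, and "filtered" points at the rule or an upstream filter rather than the server.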

  • ICMP was only an example, but what about GRE?

  • Indeed, you can't forward the GRE protocol. And that really is something I'd miss too; I'm using it at home for some GRE-IPSEC tunnels.

    Do a feature request.
