This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

avoid snat rule for internal to DMZ traffic

I have an https SNAT rule that allows my internal traffic to all out the external and SNAT's it to the external. The problem is when my internal traffic tries to https to the DMZ, the SNAT rule applies, and the DMZ hosts see traffic coming from the external IP. How can I set up a rule to allow internal hosts to get to the dmz and avoid the https SNAT rule? Much appreciated if someone has a tip. Thanks!

Brian

This thread was automatically locked due to age.

0 dilandau over 13 years ago

Hi,

In your snat rule are you currently using "ANY" or the Internet object?

If using "ANY" try switching it to "Internet" and then I believe it won't change the source when the traffic goes to the DMZ.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

Brian, is there a reason you're using a SNAT instead of a Masquerading rule?

Cheers - Bob
PS Great insight, dilandau! I didn't understand the issue until you gave the answer.
Cancel
Vote Up 0 Vote Down

Cancel
0 BSavage over 13 years ago

I didn't know about the internet object, I will try that thank you dilandau.

Bob, This rule was put in before I took over, and it's a poor excuse, but I never changed it. All my other sites I've reconfigured and use the masq and packet filter rules. Thanks guys
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 13 years ago in reply to BAlfson

Brian, is there a reason you're using a SNAT instead of a Masquerading rule?

IME, Masq can only use the primary EXT IP, so if you want to use a secondary/additional IP, you'd need to use SNAT.

Not sure if that still holds true in the latest versions though.

Barry
Cancel
Vote Up 0 Vote Down

Cancel