Hi all,
I am testing an ASG220 appliance for deployment at my company and so far so good. But I ran into a serious problem trying to set up port forwarding DNATs with an alias address on the external interface.
We have a public IP segment of x.x.x.136/29, and the external interface (eth1) of the ASG is x.x.x.138, default GW x.x.x.137. Works fine, also any VPN tunnels I have set up.
Our LAN (eth0) is 10.0.100.0/24, and I have also set up a DMZ of 10.1.1.0/24 on eth4. Hosts on the DMZ can be reached fine and they are able to ping the internet - no problems there. The hosts in the DMZ currently use the public IP x.x.x.139 and I have port forwarding rules on our existing FW to handle this (the DMZ hosts can share that IP, as they are on different ports).
To accomplish this with the ASG I created an additional address on the eth1 interface, with IP x.x.x.139/29. Then I created the corresponding DNAT rule thus:
x.x.x.139 -> https -> host_10.1.1.71, destination service unchanged.
I also created two packet filter rules to be sure:
Allow Any->https->External WAN network (unnecessary?)
Allow Any->https->host_10.1.1.71 (since DNAT is applied before packet filter)
Both rules have logging enabled. I have disabled IPS completely to eliminate its effect. Also the end user portal is disabled and its port has been changed to 1443 to avoid a clash.
No joy. I am not even seeing any log entries, the traffic is completely ignored. When I change the DNAT rule source to x.x.x.138, everything works fine, and filter accepts are logged, so my rules should be fine.
Is this kind of use for additional addresses supported? The KB article on port forwarding (for v6.x) mentions it as an alternative and I am using a similar setup with our current firewall (Watchguard).
Regards,
Tommy13
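A small troubleshooting helper for the situation described above, added here as an example; it is not part of the original post and not Sophos/Astaro tooling. It assumes a Linux-style `ip -4 addr show` output and uses the documentation range 203.0.113.0/24 in place of the masked x.x.x addresses.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the original post or from Sophos/Astaro).
# When a DNAT on an additional address produces no log entries at all, the first
# thing to confirm is that the firewall actually holds the alias on the external
# interface and that the alias sits inside that interface's subnet; otherwise the
# upstream router never delivers the packets and no rule can match or log them.
# Addresses use the documentation range 203.0.113.0/24 in place of x.x.x (assumed).

# Dotted quad -> integer, for subnet arithmetic.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet PRIMARY/PLEN ALIAS : succeeds if ALIAS lies in PRIMARY's network.
same_subnet() {
    net="${1%/*}"; plen="${1#*/}"
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# alias_bound IFACE ADDR [TEXT] : succeeds if "inet ADDR/" appears on IFACE.
# TEXT lets the check run offline on captured `ip -4 addr show IFACE` output.
alias_bound() {
    iface="$1"; addr="$2"; text="$3"
    if [ -z "$text" ]; then
        text=$(ip -4 addr show "$iface" 2>/dev/null) || return 2
    fi
    printf '%s\n' "$text" | grep -Fq "inet ${addr}/"
}

# Constructed sample output, shaped like a live box would print it.
SAMPLE_IP_ADDR='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 203.0.113.138/29 brd 203.0.113.143 scope global eth1
    inet 203.0.113.139/29 scope global secondary eth1'

# check_dnat_alias PRIMARY/PLEN ALIAS IFACE [TEXT] : both checks, with a verdict.
check_dnat_alias() {
    same_subnet "$1" "$2" || { echo "$2 is outside $1"; return 1; }
    alias_bound "$3" "$2" "$4" || { echo "$2 is not bound on $3"; return 1; }
    echo "$2 is bound on $3 and within $1; next capture: tcpdump -ni $3 host $2"
}

check_dnat_alias 203.0.113.138/29 203.0.113.139 eth1 "$SAMPLE_IP_ADDR"
```

If both checks pass and a capture on the external interface still shows no packets for the alias, the problem is upstream of the firewall (routing or ARP for the alias), not in the DNAT or packet filter rules.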