This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NAT incoming traffic, DEFAULT DROP

WEB SERVER ASGRouter doing NATINTERNET.
NAT incoming tcp:80 traffic to ASG.

The problem is that NAT opens a connection to ASG who's dropped...

17:31:38 Default DROP TCP 85.33.252.64 : 55028
→ 192.168.10.10 : 80
[SYN] len=52 ttl=117 tos=0x00 srcmac=0:13:f7:a4:3a:6e dstmac=0:c:29:e9:16:49

how can solve it!?

This thread was automatically locked due to age.

Parents

0 tbrandl over 15 years ago

...just build a DNAT rule...

Or, if your ASG is acting as a "non-natting"-router: build an "allow-rule" in the packet filter.

Or move to v8 and use WAF.....

Regards,
Thomas
Cancel
Vote Up 0 Vote Down

Cancel
0 tenshin over 15 years ago in reply to tbrandl

Thank you...
... partially solved using DNAT, but now I can't find a way to use WAF... and all incoming traffic must be redirected using DNAT..
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 tenshin over 15 years ago in reply to tbrandl

Thank you...
... partially solved using DNAT, but now I can't find a way to use WAF... and all incoming traffic must be redirected using DNAT..
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 tenshin over 15 years ago in reply to tenshin

if i ping from nat router (WAN network) to web server (internal network) rule (any-any-any) is catching packet and goes to destination ...

(19:15:12 Packet filter rule #2 ICMP 192.168.10.2
→ 192.168.20.51
len=88 ttl=127 tos=0x00 srcmac=0:13:f7:a4:3a:6e dstmac=0:c:29:e9:16:49
)

why packet is not catched by filter rule when router act as NAT from INTERNET...? It is maybe because NAT router (protocol) maintains original source address from Internet?

19:16:54 Default DROP TCP 83.57.255.64 : 60781
→ 192.168.10.10 : 80
[SYN] len=52 ttl=117 tos=0x00 srcmac=0:13:f7:a4:3a:6e dstmac=0:c:29:e9:16:49
Cancel
Vote Up 0 Vote Down

Cancel