#1  2007-07-04
gluperini (Junior Member, joined 2007-01-16, 12 posts)
Manual NAT option: translate client side

Hi,

I'm having trouble using Manual NAT.
To explain my problem, have a look at my architecture (picture below).

- I have two firewalls managed with a Provider-1.
- One is directly connected to the LAN; the other one is connected to the LAN through the first one via a VPN connection.
- So one FW is managed over the LAN and the other one is managed through the internet connection.
- The connection between that FW and the Provider-1 is OK.
- I use Manual NAT to allow the FW to communicate with the Provider-1 through the internet.

I have some problems with the NAT configuration of the FW managed through the internet, and I need to disable "Manual NAT client side" in the global policy settings to make it work.

I have a manual NAT rule applied to the FW like this:
From FW to Provider (private IP) --NAT--> From FW to Provider (public IP)

Actually, regarding the FW, if I keep Manual NAT translating on the client side I should have:

i : IP Provider-1 src = IP dst (Private)
I : IP Provider-1 src = IP dst (Public)
ROUTING
o : IP Provider-1 src = IP dst (Public)
O : IP Provider-1 src = IP private (Public)

But the thing is, with this configuration the FW could not reach the Provider-1 through the internet, and when I check the logs using SmartView Tracker, I can see that NAT hasn't occurred and the communication from the FW to the Provider-1 is not NATed.

If I do it the other way (disabling the Manual NAT client-side configuration in the global properties), it should be like this:

i : IP Provider-1 src = IP dst (Private)
I : IP Provider-1 src = IP dst (Private)
ROUTING
o : IP Provider-1 src = IP dst (Private)
O : IP Provider-1 src = IP private (Public)

And this configuration should not work!
But this one is working, and I can check that NAT is done (using SmartView Tracker).

So I don't understand why this is working, whereas it should not work,
and why using Manual NAT translate client side doesn't work, whereas it should work?

As I do not want to change the global properties each time I push a security policy to the FW, I would like to solve this issue differently, or at least to understand it.


Thanks so much for your help.

Regards
Attached image: CUPG.jpg (34.0 KB)
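Added illustration (not part of gluperini's post, and not Check Point code): a small Python model of the packet path the post lists, i, I, ROUTING, o, O, with the manual destination-NAT rule placed either on the client side (between I and ROUTING) or on the server side (at O). The addresses, route table and rule are constructed for the example. The model also assumes that a connection the gateway itself originates never enters the inbound chain and shows up only at o/O; that assumption is the model's own, not something the post states.

```python
"""Toy model of a gateway's packet path: i -> I -> ROUTING -> o -> O.

Model assumptions (constructed for this illustration, not taken from the post):
- "client side" destination NAT runs on the inbound chain, after I and before
  ROUTING, so the route lookup sees the translated destination;
- "server side" destination NAT runs on the outbound chain, at O, so the route
  lookup sees the original destination;
- a connection the gateway itself originates never enters the inbound chain
  (it appears only at o/O), so client-side translation has nothing to act on.
All addresses are constructed (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class ManualDstNat:
    """Manual NAT rule: src in orig_src_net and dst == orig_dst  ->  dst := new_dst."""
    orig_src_net: str
    orig_dst: str
    new_dst: str

    def apply(self, pkt: Packet) -> Packet:
        if ip_address(pkt.src) in ip_network(self.orig_src_net) and pkt.dst == self.orig_dst:
            return replace(pkt, dst=self.new_dst)
        return pkt


@dataclass
class Gateway:
    routes: dict                      # prefix -> egress interface name
    nat: ManualDstNat
    translate_dst_client_side: bool   # the global property the post toggles

    def route(self, dst: str) -> str:
        """Longest-prefix match over the static route table."""
        best_len, best_if = -1, None
        for prefix, iface in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and net.prefixlen > best_len:
                best_len, best_if = net.prefixlen, iface
        return best_if

    def trace(self, pkt: Packet, locally_generated: bool = False) -> dict:
        steps = []
        if not locally_generated:
            # transit traffic passes the inbound chain (i, I)
            steps += [("i", pkt), ("I", pkt)]
            if self.translate_dst_client_side:
                pkt = self.nat.apply(pkt)        # client side: before routing
        routing_saw = pkt.dst
        egress = self.route(routing_saw)
        steps += [("ROUTING", pkt), ("o", pkt)]
        if not self.translate_dst_client_side:
            # server side: ROUTING above used the ORIGINAL destination, so the
            # route table must already send that address out the right interface
            pkt = self.nat.apply(pkt)
        steps.append(("O", pkt))
        return {"steps": steps, "routing_saw": routing_saw, "egress": egress,
                "final_dst": pkt.dst, "natted": pkt.dst == self.nat.new_dst}


# Constructed scenario mirroring the post: the gateway (FW_IP) talks to the
# management server's private address and the manual rule rewrites it to the
# public address so the traffic can go out to the Internet.
FW_IP = "192.0.2.1"
PROVIDER1_PRIVATE = "10.0.0.10"
PROVIDER1_PUBLIC = "203.0.113.10"
ROUTES = {"192.0.2.0/24": "eth_lan", "0.0.0.0/0": "eth_internet"}
RULE = ManualDstNat(orig_src_net="192.0.2.1/32",
                    orig_dst=PROVIDER1_PRIVATE, new_dst=PROVIDER1_PUBLIC)


def compare(locally_generated: bool) -> dict:
    """Run the same packet with client-side translation enabled and disabled."""
    pkt = Packet(src=FW_IP, dst=PROVIDER1_PRIVATE)
    return {
        "client_side": Gateway(ROUTES, RULE, True).trace(pkt, locally_generated),
        "server_side": Gateway(ROUTES, RULE, False).trace(pkt, locally_generated),
    }


if __name__ == "__main__":
    for origin in (False, True):
        label = "gateway-originated" if origin else "transit"
        for side, result in compare(origin).items():
            print(f"{label:18} {side:11} routing saw {result['routing_saw']:>14}"
                  f"  O: dst={result['final_dst']:>14}  natted={result['natted']}")
```

Running the script prints four traces. The two things to take from them: client-side placement changes which address the route lookup sees (so the route table must fit the translated destination in one case and the original destination in the other), and, under the model's assumption about gateway-originated traffic, a connection that starts on the gateway has no inbound chain for client-side translation to act on, so only the server-side placement rewrites its destination.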