jmillercw, 2008-02-15

NAT by Service Issue

Earlier in the week, I got a request to direct internet traffic directed to a specific routable IP address to 2 internal hosts, based on service.

I set it up as such:

NAT Policy Additions:
-------------------------------------------------
Original Packet
Source: *
Dest: Externally routable IP Address
Service: SMTP
Translated Packet
Source: Original
Dest: Internal Host A (same network as Internal Host B)
Service: Original
----------------------------------------------------
----------------------------------------------------
Original Packet
Source: Internal Host A (same network as Internal Host B)
Dest: *
Service: SMTP
Translated Packet
Source: Externally routable IP Address
Dest: Original
Service: Original
------------------------------------------------------
------------------------------------------------------
Original Packet
Source: *
Dest: Externally routable IP Address
Service: Pop3, Imap, http, https
Translated Packet
Source: Original
Dest: Internal Host B (same network as Internal Host A)
Service: Original
-------------------------------------------------------
-------------------------------------------------------
Original Packet
Source: Internal Host B (same network as Internal Host A)
Dest: *
Service: Pop3, Imap, http, https
Translated Packet
Source: Externally routable IP Address
Dest: Original
Service: Original


** Note: I did a separate manual NAT for each service. I grouped them together here so as not to further clutter the post **

I then wrote the access rules...not an issue there...I'm very comfortable w/ rules.

So now here's the weird part: It worked fine. A co-worker and I were testing, and the traffic was going to where it needed to w/o issue. The logs also prove it.
THEN
About 4 hours later, it stopped working. I had nothing in the logs to Internal Host A or B for what I specified. I rolled back the ruleset (thank you DB revision control!) and things were back to normal. No one touched the FW during this time, as I'm the only one with access.

It appears, since there are NO deny or allow logs, that the NAT policy to these hosts stopped working at some point. I'm now trying to figure out what happened, and I've run into a wall.

- No internet outage during that time. Everything else looked fine. Only the specified hosts were affected.

SO, can anyone lend any insight as to what you think may have gone wrong here? I may have configured something wrong, as I had never attempted this before w/ these FWs. However, it seems fishy that it was working for a few hours, then stopped.

FWs: (2) UTM-1 NGX R65 on SPLAT in HA config.

Thanks in advance,

Jay
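The policy in the post pairs, for each service, an inbound static rule (external address to internal host) with an outbound hide rule (internal host back to the external address). The following is an added example, not code from the post and not Check Point's own logic: a small Python model of top-down, first-match NAT rule lookup over exactly that rule set, plus the consistency check a practitioner would want when a destination-NAT-by-service setup misbehaves, namely that every inbound rule to an internal host has its matching outbound rule for the same service and vice versa. The IP addresses, the assumption that manual NAT rules are evaluated first-match from the top, and the helper names are all constructed for this example.

```python
"""Model of first-match NAT lookup for a 'NAT by service' policy.

Constructed example: addresses and evaluation order are assumptions,
not taken from the post or from any vendor documentation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"
ORIGINAL = "Original"

# Constructed placeholder addresses (documentation ranges, not from the post).
EXTERNAL_IP = "203.0.113.10"   # the externally routable address
HOST_A = "10.0.0.11"           # Internal Host A: takes SMTP
HOST_B = "10.0.0.12"           # Internal Host B: takes POP3/IMAP/HTTP/HTTPS

# Service objects reduced to their TCP destination ports for matching.
SERVICE_PORTS = {"smtp": 25, "pop3": 110, "imap": 143, "http": 80, "https": 443}


@dataclass(frozen=True)
class NatRule:
    orig_src: str      # "*" or an address
    orig_dst: str      # "*" or an address
    service: str       # service name from SERVICE_PORTS, or "*"
    xlate_src: str     # address, or "Original" to keep the packet's source
    xlate_dst: str     # address, or "Original" to keep the packet's destination


def build_policy() -> List[NatRule]:
    """One inbound (static) and one outbound (hide) rule per service, mirroring
    the post's note that each service got its own manual NAT rule."""
    rules: List[NatRule] = []
    for svc, host in [("smtp", HOST_A), ("pop3", HOST_B), ("imap", HOST_B),
                      ("http", HOST_B), ("https", HOST_B)]:
        # Original: src * -> dst EXTERNAL_IP, service svc; Translated: dst host
        rules.append(NatRule(ANY, EXTERNAL_IP, svc, ORIGINAL, host))
        # Original: src host -> dst *, service svc; Translated: src EXTERNAL_IP
        rules.append(NatRule(host, ANY, svc, EXTERNAL_IP, ORIGINAL))
    return rules


def _matches(rule: NatRule, src: str, dst: str, dport: int) -> bool:
    """A rule matches when every original-packet field is a wildcard or equal."""
    svc_ok = rule.service == ANY or SERVICE_PORTS[rule.service] == dport
    return rule.orig_src in (ANY, src) and rule.orig_dst in (ANY, dst) and svc_ok


def translate(policy: List[NatRule], src: str, dst: str,
              dport: int) -> Tuple[str, str, Optional[int]]:
    """Apply the first matching rule (assumed top-down evaluation).

    Returns (translated_src, translated_dst, index_of_rule_used); the index is
    None when no rule matched, i.e. the packet passes without translation.
    """
    for idx, rule in enumerate(policy):
        if _matches(rule, src, dst, dport):
            new_src = src if rule.xlate_src == ORIGINAL else rule.xlate_src
            new_dst = dst if rule.xlate_dst == ORIGINAL else rule.xlate_dst
            return new_src, new_dst, idx
    return src, dst, None


def unpaired_rules(policy: List[NatRule]) -> List[Tuple[str, str]]:
    """Return (service, internal_host) pairs that have an inbound rule without
    its outbound counterpart or vice versa. An empty list means the policy is
    symmetric for every service it translates."""
    inbound = {(r.service, r.xlate_dst) for r in policy
               if r.orig_dst == EXTERNAL_IP and r.xlate_dst != ORIGINAL}
    outbound = {(r.service, r.orig_src) for r in policy
                if r.xlate_src == EXTERNAL_IP and r.orig_src != ANY}
    return sorted(inbound ^ outbound)


if __name__ == "__main__":
    policy = build_policy()
    client = "198.51.100.5"  # constructed external client address
    print("SMTP in :", translate(policy, client, EXTERNAL_IP, 25))    # -> Host A
    print("HTTPS in:", translate(policy, client, EXTERNAL_IP, 443))   # -> Host B
    print("SSH in  :", translate(policy, client, EXTERNAL_IP, 22))    # no rule
    print("SMTP out:", translate(policy, HOST_A, client, 25))         # hidden
    print("unpaired:", unpaired_rules(policy))                        # []
    # Drop the outbound SMTP rule to show what the check reports.
    broken = policy[:1] + policy[2:]
    print("unpaired:", unpaired_rules(broken))                        # [('smtp', HOST_A)]
```

Because the model is first-match, `translate` also makes rule-order effects visible: putting a broad wildcard rule above the per-service rules would shadow them, which is one of the things worth ruling out when traffic to the translated hosts silently stops appearing in the logs.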