| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
R55 HFA-13 enforcement point...

Host's real IP = 1.1.1.1
Host's public IP = 192.168.0.1

Object created with IP of 192.168.0.1 and the automatic NAT tab enabled with a static destination NAT of 1.1.1.1
Translate destination on client side enabled
Automatic ARP enabled

So far, so good...

Now here's the issue...

To get SPLAT to ARP for anything, it needs a route, automatic ARP configured or not. According to various SecureKnowledge articles this is how it appears...

Usually you'd probably use "to get to public address, go to private address", i.e. route 1.1.1.1 255.255.255.255 192.168.0.1, but SPLAT will only accept routes for reachable networks, even though I've got a route to 192/8 to the next hop router...

What routes are required to get this to work? Bear in mind that none of the NATed hosts are on the same network.

I've seen various variations of this and am thus a bit confused...

Can't use manual NAT, got 300 objects to NAT...
| |||
I have to create a specific route for each NAT host on each node in my cluster. I'm running Linux, so your mileage may vary on the process below.

1. Log in with admin rights
2. Type sysconfig
3. Select the Routing option
4. Select the Add New Host option
5. In the Destination IP field insert your external IP
6. In the Gateway IP field insert your host's internal IP
7. Hit <CR> for the metric field

Hope this helps...
| |||
I've seen similar. I can't get our FW to answer ARP requests for static NATs. We have to manually set ARP entries in the router. Lived with it so long I forgot about it being an issue. Existed in 4.1, R55, and R60.

Andrew