CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I'm having trouble using Manual NAT. To explain my problem, have a look at my architecture (picture below).

- I have two firewalls managed with a Provider-1.
- One is directly connected to the LAN; the other one is connected to the LAN through the first one via a VPN connection.
- So one FW is managed using the LAN and the other one is managed through the internet connection.
- The connection between that FW and the Provider-1 is OK.
- I use Manual NAT to allow the FW to communicate with the Provider-1 through the internet.

I have some problem with the NAT configuration for the FW managed through the internet, and I need to disable Manual NAT client side in the global policy settings to make it work. I have a manual NAT rule applied to the FW like:

From FW to Provider (private IP) --NAT--> From FW to Provider (public IP)

Actually, regarding the FW, if I keep the manual NAT translated on the client side, I should have:

i : @IP Provider-1 src = @IP dst (Private)
I : @IP Provider-1 src = @IP dst (Public)
ROUTING
o : @IP Provider-1 src = @IP dst (Public)
O : @IP Provider-1 src = @IP private (Public)

But with this configuration, the FW could not reach the Provider-1 through the internet, and when I check the logs using SmartView Tracker, I can see that NAT hasn't occurred and the communication from the FW to the Provider-1 is not NATed.

If I do it another way (disabling the Manual NAT option in the global properties configuration), it should be like this:

i : @IP Provider-1 src = @IP dst (Private)
I : @IP Provider-1 src = @IP dst (Private)
ROUTING
o : @IP Provider-1 src = @IP dst (Private)
O : @IP Provider-1 src = @IP private (Public)

And this configuration should not work! But this one is working, and I can check that NAT is done (using SmartView Tracker). So I don't understand why it is working whereas it should not work, and why using manual NAT translated on the client side doesn't work whereas it should work?

As I do not want to change the global properties each time I push the security policy to the FW, I would like to solve this issue differently, or at least to understand it. Thanks so much for your help. Regards
I am not sure if I understand your problem, but from what I understand, the client (or server) side NATting is for destination NAT and not source NAT; as far as I know, source NAT is always done on the server side??? So if you were doing client-side destination NAT and source NAT, then it would happen like this, from what I can remember: i, I, DestNAT, OS route, SourceNAT, o, O. Although you have not asked for twice NAT (or double NAT), I hope you can see what I mean. When you run fw monitor, use the -i option to track each interface one at a time and see if you then understand what I mean. I do think you have the wrong idea with client-side NAT; client side is for "DEST NAT". Can someone please confirm this to be factual!!

Brent
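Brent's suggestion of walking the four fw monitor inspection points is easier to act on with a small script. The following is an added example (editor's code, not from the thread, Check Point or CPUG): a Python parser for the header lines fw monitor prints that reports between which two inspection points the source, destination or port changed. The fw monitor output layout is approximated; the two captures, interface names, addresses and ports are constructed to mirror the two tables in the original post (destination translated before routing, or only after it). The mapping of a change between i and I to the inbound "client side" chain and a change between o and O to the outbound "server side" chain is this example's assumption, stated in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample captures. They approximate fw monitor's two-line-per-packet
# layout (a header "iface:point[len]: src -> dst (proto) ..." followed by a
# transport line). Addresses, ports and interface names are invented for this
# example and are not from the thread. One TCP SYN to port 18191 is shown at
# all four inspection points i, I, o, O.

# Scenario 1 of the post: destination translated between i and I (client side),
# source hidden between o and O.
SAMPLE_CLIENT_SIDE = """\
[vs_0][fw_0] eth1:i[60]: 10.10.10.50 -> 10.20.20.5 (TCP) len=60 id=4711
TCP: 42012 -> 18191 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1:I[60]: 10.10.10.50 -> 203.0.113.10 (TCP) len=60 id=4711
TCP: 42012 -> 18191 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:o[60]: 10.10.10.50 -> 203.0.113.10 (TCP) len=60 id=4711
TCP: 42012 -> 18191 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:O[60]: 203.0.113.1 -> 203.0.113.10 (TCP) len=60 id=4711
TCP: 10042 -> 18191 .S.... seq=1a2b3c4d ack=00000000
"""

# Scenario 2 of the post: destination and source both translated between o and O.
SAMPLE_SERVER_SIDE = """\
[vs_0][fw_0] eth1:i[60]: 10.10.10.50 -> 10.20.20.5 (TCP) len=60 id=4711
TCP: 42012 -> 18191 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1:I[60]: 10.10.10.50 -> 10.20.20.5 (TCP) len=60 id=4711
TCP: 42012 -> 18191 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:o[60]: 10.10.10.50 -> 10.20.20.5 (TCP) len=60 id=4711
TCP: 42012 -> 18191 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:O[60]: 203.0.113.1 -> 203.0.113.10 (TCP) len=60 id=4711
TCP: 10042 -> 18191 .S.... seq=1a2b3c4d ack=00000000
"""

HEADER_RE = re.compile(
    r"(?:\[[^\]]*\]\s*)*"                      # optional [vs_0][fw_0] prefixes
    r"(?P<iface>\S+?):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
)
PORTS_RE = re.compile(r"^(?:TCP|UDP):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")

# Assumption of this example: a change in the inbound chain (i -> I) is what the
# GUI calls "client side", a change in the outbound chain (o -> O) "server side".
SIDE = {"i->I": "client side", "o->O": "server side"}


@dataclass
class Hop:
    iface: str
    point: str          # one of i, I, o, O
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_fw_monitor(text: str) -> List[Hop]:
    """Turn fw monitor header/transport line pairs into one Hop per inspection point."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hops.append(Hop(m["iface"], m["point"], m["src"], m["dst"], m["proto"]))
            continue
        p = PORTS_RE.match(line)
        if p and hops:                       # transport line belongs to the last header
            hops[-1].sport = int(p["sport"])
            hops[-1].dport = int(p["dport"])
    return hops


def nat_transitions(hops: List[Hop]) -> List[Dict[str, object]]:
    """Compare consecutive inspection points and record every field that changed."""
    changes: List[Dict[str, object]] = []
    for prev, cur in zip(hops, hops[1:]):
        segment = f"{prev.point}->{cur.point}"
        for field in ("src", "dst", "sport", "dport"):
            before, after = getattr(prev, field), getattr(cur, field)
            if before != after:
                changes.append({"between": segment, "field": field,
                                "before": before, "after": after})
    return changes


def summarize(text: str) -> Dict[str, str]:
    """Map each translated field to the chain (client/server side) where it was rewritten."""
    changes = nat_transitions(parse_fw_monitor(text))
    return {str(c["field"]): SIDE.get(str(c["between"]), f"between {c['between']}")
            for c in changes}


if __name__ == "__main__":
    for name, capture in (("client side", SAMPLE_CLIENT_SIDE),
                          ("server side", SAMPLE_SERVER_SIDE)):
        print(f"{name:12s}: {summarize(capture)}")
```

Run it against a real capture by replacing the constructed strings with the output of fw monitor; if no field changes between any two points, the NAT rule did not match at all, which is the "not NATed" case the original poster saw in SmartView Tracker.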
Not sure about Provider-1, but in a normal SmartCenter, when I have similar problems, I just create an object for the SmartCenter's public IP and then add that in the management tab of the firewall, rather than the one with the private IP. Then I only need NAT on the firewall close to the SmartCenter, rather than on both sides. You can change this in: Firewall object -> Logs and Masters -> Masters. Just add the public IP and move it to the top. Later you may want to remove the private IP.