CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Earlier in the week, I got a request to direct internet traffic directed to a specific routable IP address to 2 internal hosts, based on service. I set it up as such:

NAT Policy Additions:

-------------------------------------------------
Original Packet
Source: *
Dest: Externally routable IP Address
Service: SMTP
Translated Packet
Source: Original
Dest: Internal Host A (same network as Internal Host B)
Service: Original
-------------------------------------------------

-------------------------------------------------
Original Packet
Source: Internal Host A (same network as Internal Host B)
Dest: *
Service: SMTP
Translated Packet
Source: Externally routable IP Address
Dest: Original
Service: Original
-------------------------------------------------

-------------------------------------------------
Original Packet
Source: *
Dest: Externally routable IP Address
Service: Pop3, Imap, http, https
Translated Packet
Source: Original
Dest: Internal Host B (same network as Internal Host A)
Service: Original
-------------------------------------------------

-------------------------------------------------
Original Packet
Source: Internal Host B (same network as Internal Host A)
Dest: *
Service: Pop3, Imap, http, https
Translated Packet
Source: Externally routable IP Address
Dest: Original
Service: Original
-------------------------------------------------

** Note: I did a separate manual NAT for each service. I grouped them together here so as not to further clutter the post **

I then wrote the access rules... not an issue there... I'm very comfortable w/ rules.

So now here's the weird part: It worked fine. A co-worker and I were testing, and the traffic was going to where it needed to w/o issue. The logs also prove it.

THEN

About 4 hours later, it stopped working. I had nothing in the logs to Internal Host A or B for what I specified. I rolled back the ruleset (thank you DB revision control!) and things were back to normal. No one touched the FW during this time, as I'm the only one with access.

It appears, since there are NO deny or allow logs, that the NAT policy to these hosts stopped working at some point. I'm now trying to figure out what happened, and I've run into a wall.

- No internet outage during that time. Everything else looked fine. Only the specified hosts were affected.

SO, can anyone lend any insight as to what you think may have gone wrong here? I may have configured something wrong, as I had never attempted this before w/ these FW's. However, it seems fishy that it was working for a few hours, then stopped.

FWs: (2) UTM-1 NGX R65 on SPLAT in HA config.

Thanks in advance,
Jay
Not that it answers your question, but there is no need to double up on your NATs... Only the initiating side needs a NAT... Meaning, if you have someone coming IN to you for a service, and you want to NAT it... You only need the first NAT you have listed, that takes the source and sends it to the NAT'd IP. If your inside SMTP server is initiating a connection to those source IPs you listed in the first NAT rule, then yes you need the reverse NAT. Otherwise, one will do...

Think about it this way: if in your ruleset you only have inbound connections allowed to a host, then you only need the inbound NAT. However, if you have two-way access allowed, then you will want to NAT both ways...

In the case of your SMTP server, you would probably need to NAT both ways... Since with SMTP you will be accepting connections initiated from the outside (recv mail), and you will be initiating connections to the outside (send mail). However, I doubt your other services, like http and https, will have connections initiated from your server. Unless you're browsing the web from that server, to whatever IPs you have listed as your dest.

Sorry I can't help with why it stopped working, that is odd based on the info given.

Did any of that make sense?
Yes, it's making sense. Thanks for your insight.

In my review of what was done & trying to figure out why it suddenly stopped working, I realized I mis-posted. On the outbound NATs, I didn't specify the service. I only specified it on the inbound NATs.

Soooooo..... That makes me wonder: If I'm specifying it by port on the inbound NAT, do I also need to do it on the outbound? I do understand I only need outbound if the internal server is initiating the connection, but now I'm curious how others have done this.

Thanks in advance.
If you don't specify what the originator is doing, it will use the same original port... Meaning, if you specify a translation of an IP from inside to out, it will only NAT the IP, and the port will stay the same... And vice versa...

From what you have above, you should not need to NAT the port... The only time you need to NAT a port is if, say... You want to connect from inside, to outside, and you are using say standard SMTP port of 25, but your destination expects the conn on port 1125... You would then NAT the port... Elsewise, the port should not change...

Pretty rare is it that you will need to do a port trans, in the business world... PAT as it is known, is more widely used by home users, where ISPs block certain ports... Like 80, or 21, etc... Where then, a home user might PAT 21 to 8821, or port 80 to 8080...

Again, I know I typically fail at being clear... I am not good at explaining things, so I hope this made some sense...

Your problem still perplexes me, in that it was working, and now does not... I feel like I am missing a piece of the pie...
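As an added illustration, not code from any poster in this thread: a small first-match simulator of the manual NAT rule base described above, with constructed RFC 5737 addresses standing in for the routable IP and Internal Hosts A and B (those addresses, and the port numbers for the named services, are assumptions). It demonstrates the two points made in the replies: a rule that leaves the service unspecified keeps the original port, and only the side that initiates a connection needs a rule.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # wildcard in the Original Packet columns

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int  # destination port, i.e. the service

@dataclass(frozen=True)
class NatRule:
    src: str                     # original source, or ANY
    dst: str                     # original destination, or ANY
    dport: Optional[int]         # original service; None = any service
    xlate_src: Optional[str]     # translated source; None = Original
    xlate_dst: Optional[str]     # translated destination; None = Original
    xlate_dport: Optional[int] = None  # translated service; None keeps the port

    def matches(self, p: Packet) -> bool:
        return ((self.src == ANY or self.src == p.src)
                and (self.dst == ANY or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

def apply_nat(rules, p: Packet) -> Packet:
    """First matching rule wins. Only the initiating packet is evaluated here;
    reply packets are reverse-translated from connection state, not by a rule."""
    for r in rules:
        if r.matches(p):
            return Packet(r.xlate_src or p.src, r.xlate_dst or p.dst,
                          r.xlate_dport or p.dport)
    return p  # no rule matched: forwarded untranslated

# Constructed addresses standing in for the thread's hosts (assumption).
PUBLIC, HOST_A, HOST_B = "203.0.113.10", "10.0.0.11", "10.0.0.12"

RULES = [
    NatRule(ANY, PUBLIC, 25, None, HOST_A),    # SMTP in -> Host A
    NatRule(ANY, PUBLIC, 110, None, HOST_B),   # POP3 in -> Host B
    NatRule(ANY, PUBLIC, 143, None, HOST_B),   # IMAP in -> Host B
    NatRule(ANY, PUBLIC, 80, None, HOST_B),    # HTTP in -> Host B
    NatRule(ANY, PUBLIC, 443, None, HOST_B),   # HTTPS in -> Host B
    NatRule(HOST_A, ANY, None, PUBLIC, None),  # Host A sending mail out: IP only
]

if __name__ == "__main__":
    print(apply_nat(RULES, Packet("198.51.100.7", PUBLIC, 25)))
```

Host B gets no outbound rule because, as the reply notes, nothing on it initiates connections; an unmatched service to the public address simply is not translated, which is what an empty log for those hosts would look like.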
Thorpuse: Yes, I do have "Translate Destination on Client Side" checked in Global Properties.

AND I've recreated this w/ an easier NAT that I'm trying to do. I set up the same kind of manual NAT to 1 particular routable IP address. Using the same externally routable address:

- First NAT sends TCP 3389 to one internal host
- 2nd NAT sends TCP 13389 to another internal host

I had NAT rules for inbound & outbound w/ the services specified (was just testing this). It worked fine for a few hours, then completely stopped working. After it stopped working, I removed the outbound NAT, as it doesn't really need it. Still nothing.

This is really perplexing me.... it actually works fine for a few hours, then it stops working. Once it stops working, I get absolutely nothing in the logs (I log everything right now, it's a new install).

Anyone have any thoughts why it would work for a few hours and then stop? It only does this when I try to send different services to different internal hosts from the same routable IP address.

UTM-1 NGX R65 on SPLAT in HA mode.

Thanks again.....
Did you do a tcpdump on the incoming interface of the SPLAT? Do two dumps, one when it is working fine and a second when the problem occurs. I suspect that when it stops working you won't see any incoming sessions for the translated port. When this is true it could be an ARP issue. Does the external gateway (router) have static routes for the NAT IP addresses? Check the ARP table of the router when everything is working and compare it with the table when the problem arises. When there are no static routes to the FW for the NATed address, then try to remove the ARP entry on the router when the problem occurs.

Eduard
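An added helper for the comparison Eduard suggests, not code from the thread: it parses two `arp -an` style snapshots from the upstream router (one taken while the NAT works, one after it stops) and classifies what happened to the NATed public address. The snapshots and the 203.0.113.10 address are constructed sample data; the Linux `arp -an` line format is assumed.

```python
import re

# Matches Linux "arp -an" lines, e.g.
#   ? (203.0.113.10) at 00:00:5e:00:53:aa [ether] on eth0
#   ? (203.0.113.10) at <incomplete> on eth0
ARP_LINE = re.compile(
    r"\? \((?P<ip>[\d.]+)\) at (?P<mac>\S+)(?: \[ether\])? on (?P<dev>\S+)")

def parse_arp(text: str) -> dict:
    """Map IP -> (mac, interface); '<incomplete>' marks an unanswered request."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = (m["mac"], m["dev"])
    return table

def diff_arp(before: str, after: str, watch: str) -> str:
    """Classify the watched NAT IP's ARP state between the two snapshots."""
    b, a = parse_arp(before).get(watch), parse_arp(after).get(watch)
    if b is None:
        return "not-present-before"      # the router never resolved it at all
    if a is None:
        return "entry-expired"           # entry aged out and was not re-learned
    if a[0] == "<incomplete>":
        return "incomplete"              # router is asking, nothing is answering
    if a[0] != b[0]:
        return f"mac-changed:{b[0]}->{a[0]}"  # a different box answered for it
    return "unchanged"                   # ARP is fine; go back to the tcpdump

# Constructed snapshots (not real captures): working, then broken.
WORKING = """\
? (203.0.113.1) at 00:00:5e:00:53:01 [ether] on eth0
? (203.0.113.10) at 00:00:5e:00:53:aa [ether] on eth0
"""
BROKEN = """\
? (203.0.113.1) at 00:00:5e:00:53:01 [ether] on eth0
? (203.0.113.10) at <incomplete> on eth0
"""

if __name__ == "__main__":
    print(diff_arp(WORKING, BROKEN, "203.0.113.10"))  # incomplete
```

An "incomplete" or "mac-changed" result for the NAT address, with the tcpdump showing no inbound sessions, points at the firewall no longer answering ARP for that address rather than at the NAT rules themselves.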