CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 - 2008-02-26 - Wullum (Junior Member, NL)
Hiding NAT excluded for some interfaces

Hi all,

got a hiding NAT issue on R65 FW1 with 3 interfaces used:

eth1 external to internet (public addresses)
eth2 internal to LAN (private addresses)
eth3 internal to DMZ (private addresses)

I use hiding NAT for my internal network to access internet. I hide my internal private network behind 1 public address.
I also tried to hide the internal private network behind the gateway (i.e. based on topology) for testing.

When I route traffic from the internal network 192.168.x.0 behind eth2 to a router behind eth3 in network 192.168.y.0, traffic arrives at the router with the public IP (NATted). This is while hiding behind 1 public address.
When I route traffic from the internal network 192.168.x.0 behind eth2 to a router behind eth3 in network 192.168.y.0 while hiding behind the gateway, traffic arrives at the router with the eth3 interface private IP.

Although fully explainable (and by design I guess), this is not desired.

I only want hiding NAT to be applied to traffic going into the "external" internet interface eth1, not for traffic going into the DMZ interface eth3.

Is there a way of excluding interfaces from NAT being applied, to enable me to arrive with my private internal IP 192.168.x.a at router 192.168.y.b in the DMZ instead of with a NATted IP?


Thanks for replies I can solve this with.

Wim
#2 - 2008-02-26 - cciesec2006 (Senior Member)
Re: Hiding NAT excluded for some interfaces

Easy. Create a manual NAT rule as follows and put it at the top of
the NAT translation:

    source      destination   service   original
    internal    dmz           any       original
    dmz         internal      any       original

That will keep traffic going from internal to dmz and vice versa from being
NAT'ed.
#3 - 2008-02-26 - Wullum (Junior Member, NL)
Re: Hiding NAT excluded for some interfaces

Thx cciesec2006, I already did.

Tried to include these rules in between the automatic NAT rules, but SmartConsole won't let me, so I put them at the top.

Unfortunately I can't test this during business hours...

W
#4 - 2008-02-26 - Thorpuse (Senior Member)
Re: Hiding NAT excluded for some interfaces

You want your "Anti-NAT" rules at the top of the Rulebase anyway - like the firewall policy, NAT rules are processed in order.
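The point made in #2 and #4 (a first-match NAT rulebase, so the "Original/Original" rules only exclude internal-to-DMZ traffic from hide NAT if they sit above the hide rule) can be checked with the following constructed model. This is an added example, not Check Point code; the 192.168.10.0/24, 192.168.20.0/24 networks and the 203.0.113.5 hiding address stand in for the thread's 192.168.x.0, 192.168.y.0 and "1 public address".

```python
"""Model of an ordered, first-match NAT rulebase (constructed example,
not Check Point's implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed networks standing in for 192.168.x.0 (LAN) and 192.168.y.0 (DMZ).
INTERNAL = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")
HIDE_IP = "203.0.113.5"  # constructed public hiding address on eth1


@dataclass
class NatRule:
    src: object               # original source network
    dst: object               # original destination network
    xlate_src: Optional[str]  # None means "Original" (no translation)


def apply_nat(rules, src, dst):
    """Return the source address a src->dst packet carries after NAT."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:  # rules are evaluated top-down; first match wins
        if s in rule.src and d in rule.dst:
            return rule.xlate_src or src
    return src  # no rule matched: packet leaves untouched


# Hide rule as automatic NAT generates it: internal -> anywhere, hide behind HIDE_IP.
hide_rule = NatRule(INTERNAL, ANY, HIDE_IP)
# The two manual "Original/Original" rules from post #2.
no_nat_rules = [NatRule(INTERNAL, DMZ, None), NatRule(DMZ, INTERNAL, None)]


def anti_nat_on_top():
    return [*no_nat_rules, hide_rule]


def anti_nat_below_hide():
    return [hide_rule, *no_nat_rules]  # hide rule shadows the manual rules


if __name__ == "__main__":
    for name, rb in (("on top", anti_nat_on_top()), ("below", anti_nat_below_hide())):
        print(name, "-> DMZ router sees:", apply_nat(rb, "192.168.10.7", "192.168.20.1"),
              "| internet sees:", apply_nat(rb, "192.168.10.7", "198.51.100.9"))
```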