ScreenOS Firewalls (NOT SRX)

SSG550 NATing issue

03-21-2013 08:28 PM

Managing SSG550. HW ver REV 15(0). FW ver 6.3.0r11.0

I have had this problem for months now; I hope someone can help me.

I have a MIP configured:

MIP: 202.58.xx.xx         (Public IP)

Host: 172.9.xx.xx/24    (Private IP)

TrustVR

One of my policies (inbound traffic):

SOURCE    DEST                           SERVICE

Untrust ---> MIP(202.58.xx.xx) --> MAIL

On the policy I shouldn't use the option Source Translation (under Advanced Policy) because I already have a MIP.

But when I untick Source Translation I am unable to HTTP/HTTPS or ping the external IP. I have another device, also an SSG550M, and it works perfectly fine without Source Translation ticked.

 

Please let me know if you need clarifications.

Re: SSG550 NATing issue

03-21-2013 09:14 PM

Hi,

Do you mean src-nat on the untrust to trust policy?

The MIP will NAT the destination IP from the public IP to the private IP.
The source IP is not changed; with src-nat enabled, the firewall changes the source IP as well and NATs it to the trust interface IP address.

If you are not able to get the connection without src-nat, this indicates that the server in the trust zone is unable to send the reply packet back to the public source IP of the traffic.
This can happen when the server in the trust zone does not have the firewall interface IP as its default gateway.

Hope this helps.


Regards.

Hardeep

If this update is helpful, you may mark it as accepted solution for others to benefit from it.

Re: SSG550 NATing issue

03-24-2013 01:10 AM

First check whether the interface mode is route or NAT mode for both the Internet-facing and inside interfaces.

Second, clearly state what type of NAT you intend to deploy: source NAT or destination NAT. MIP is basically used for destination NAT.

Is the public IP 202.58.xx.xx used for the MIP in the same subnet as the Internet-facing interface or not? Is there a routing device between the firewall and the ISP if you use an IP from a different subnet than the Internet-facing interface?

Re: SSG550 NATing issue

03-24-2013 02:46 PM

Thank you @Sohota, please give me time to verify the network settings.

The gateway that we use is (I believe) a virtual gateway; we have a main site and a DR site.

Let me verify this, I will get back to you.

Re: SSG550 NATing issue

03-24-2013 03:07 PM

Hi Shyan,

Thank you for your reply.

I have checked the interfaces and both are using route mode. We have about 6 external IPs that I can assign to an interface.

Here is an example of the policies I have on the firewall (I changed the IPs):


ID    Source   Destination             Service                                  Direction
106   Any      MIP(205.251.xxx.xxx)    AutoSyn (TravelerNotes), HTTPS, PING     Untrust/Internet to DMZ
104   Any      MIP(205.251.xxx.xxx)    Winframe, Ping, HTTPS                    Untrust/Internet to Trust
103   Any      MIP(205.251.xxx.xxx)    Mail, Ping                               Untrust/Internet to Trust

None of the policies above use NAT Source Translation (under Advanced Settings of the policy).

ID 106 is working OK, meaning I can ping it from the external network and it sends and receives data inbound and outbound OK.

IDs 104 and 103 do not work and will only work if I enable NAT Source Translation. Again, I have almost the same settings and configuration on the second firewall we are using and everything is working OK without enabling NAT Source Translation.

Thanks in advance.

Re: SSG550 NATing issue

03-24-2013 11:38 PM

Based on the explanation, I feel it is related to the default gateway setting on the server.

If the default gateway on the server is NOT pointing to the firewall trust interface IP, then this problem will occur.

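The return-path argument made in Hardeep's first reply and in the reply just above, as an added example that is not part of the thread and not ScreenOS code: a MIP only rewrites the destination, so the server sees the real Internet client address and its reply follows the server's own routing table; policy source NAT ("nat src") rewrites the source to the firewall's trust interface address, so the reply stays on the trust subnet. The model below walks one inbound packet and its reply through both variants with a server whose default gateway either is or is not the firewall. All addresses, the `Firewall`/`Server` classes and the `session_completes` helper are constructed for the illustration (documentation-range IPs, not the poster's 202.58.xx.xx / 172.9.xx.xx).

```python
"""Return-path model for an inbound MIP session (added example, not from the thread).

Why the thread's symptom occurs: the MIP changes only the destination, so the
server must route its reply to an Internet address. If that route points at a
gateway other than the firewall, the reply never reaches the firewall's
session and the TCP handshake / ICMP echo never completes. Policy 'nat src'
hides the problem because the server then replies to an address on its own
subnet. All addresses below are constructed documentation-range values.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

MIP_PUBLIC = ip_address("203.0.113.10")     # constructed: MIP public address
FW_TRUST_IP = ip_address("10.1.1.1")        # constructed: firewall trust interface
SERVER_IP = ip_address("10.1.1.25")         # constructed: MIP host (mail server)
SERVER_NET = ip_network("10.1.1.0/24")      # constructed: trust subnet
CLIENT_IP = ip_address("198.51.100.7")      # constructed: Internet client
OTHER_GW = ip_address("10.1.1.254")         # constructed: a "virtual gateway" that is not the firewall


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass
class Firewall:
    """Untrust->Trust policy to MIP(...): the MIP always applies destination NAT;
    source translation is applied only when nat_src is True."""
    nat_src: bool
    # session table keyed by the (src, dst) the firewall expects on the reply
    sessions: dict = field(default_factory=dict)

    def inbound(self, pkt: Packet):
        if pkt.dst != MIP_PUBLIC:
            return None  # no MIP for this address: the policy would not match
        new_src = FW_TRUST_IP if self.nat_src else pkt.src
        fwd = Packet(new_src, SERVER_IP)
        self.sessions[(fwd.dst, fwd.src)] = pkt
        return fwd

    def reverse(self, reply: Packet):
        """Untranslate a reply arriving on the trust interface; None if no session matches."""
        orig = self.sessions.get((reply.src, reply.dst))
        if orig is None:
            return None
        return Packet(MIP_PUBLIC, orig.src)


@dataclass
class Server:
    default_gw: IPv4Address

    def next_hop(self, dst: IPv4Address) -> IPv4Address:
        # Connected-subnet destinations are delivered directly; everything
        # else follows the server's default route.
        return dst if dst in SERVER_NET else self.default_gw

    def reply_to(self, pkt: Packet) -> Packet:
        return Packet(SERVER_IP, pkt.src)


def session_completes(nat_src: bool, server_gw: IPv4Address) -> bool:
    """True if the client's packet and the server's reply both traverse the firewall."""
    fw = Firewall(nat_src=nat_src)
    fwd = fw.inbound(Packet(CLIENT_IP, MIP_PUBLIC))
    server = Server(default_gw=server_gw)
    reply = server.reply_to(fwd)
    if server.next_hop(reply.dst) != FW_TRUST_IP:
        return False  # asymmetric return path: the reply bypasses the firewall
    return fw.reverse(reply) is not None


def server_sees_client_ip(nat_src: bool) -> bool:
    """Whether the server (and therefore its logs) see the real client address."""
    fwd = Firewall(nat_src=nat_src).inbound(Packet(CLIENT_IP, MIP_PUBLIC))
    return fwd.src == CLIENT_IP


if __name__ == "__main__":
    for nat_src in (False, True):
        for gw in (FW_TRUST_IP, OTHER_GW):
            state = "works" if session_completes(nat_src, gw) else "FAILS"
            print(f"nat src={str(nat_src):5} server default gw={gw}: {state}")
```

The only combination that fails is MIP without source NAT on a server whose default gateway is not the firewall, which is the poster's situation. Two remedies follow from the model: point the server's default route (or a more specific route for Internet destinations) at the firewall's trust interface, or keep "nat src" on the policy. The second is the workaround the poster is already using; its cost, shown by `server_sees_client_ip`, is that the mail and Citrix servers then log the firewall's trust address for every inbound connection instead of the real client, which matters for abuse handling and incident investigation.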

Re: SSG550 NATing issue

03-25-2013 02:50 PM

Thank you @Sohota. I feel that your point is correct too. I just want to verify it by testing. Changing configuration on our network devices is not easy in our organisation.

Thank you all for responding to this thread, I really appreciate your help.