topic Regular Static Pat in 9.11 in Network Security

Regular Static Pat in 9.11

noc-cville — Tue, 12 Mar 2019 01:12:35 GMT

I am attempting to forward all traffic destined to my outside interface (173.x.x.x) on port 222 to my switch on the inside (192.x.x.2) on port 22. I have the same configuration set up on the same code on another firewall and it works just fine. This used to work on this one prior to the 9.11 upgrade. Anyone have a similiar issue?

Regular Static Pat in 9.11

Jouni Forss — Mon, 11 Mar 2013 15:53:00 GMT

Hi,

Only thing even slightly related to this kind of problem is a Bug in the newer softwares.

I've been told that the 8.4(5) software would be the choice at the moment.

Then again you mention that the rule is working on another box with same software. Though I am not sure if the bugs nature is so that it happens randomly.

You can always use the "packet-tracer" command to determine if the traffic is hitting the right NAT rule

packet-tracer input outside tcp

- Jouni

Regular Static Pat in 9.11

noc-cville — Mon, 11 Mar 2013 18:20:06 GMT

I'm not sure if this is a "bug" or a new feature of the 9.x software. I found that you cannot create an inbound static Pat policy using the outside interface ip address, if you are using the same address as a dynamic nat for outbound users. What I had to do was add an additional ip address for outbound dynamic nat and then the static pat inbound worked.

Re: Regular Static Pat in 9.11

Jouni Forss — Mon, 11 Mar 2013 18:29:06 GMT

Could you share the exact configuration format you used for the original NAT that didnt work?

I was testing a problem with a certain NAT configurations on these forums and there the situation was.

LAN had a Section 3 Dynamic PAT
LAN had a Section 2 Port Forward
DMZ had a Section 1 Dynamic PAT
All of the above used "outside" interface IP address as the public IP address

And in that case it seemed the DMZ Section 1 Dynamic PAT was overriding even the Section 2 Port Forward configuration between the "outside" and the "inside" which I didnt really understand

As soon as I added a specific destination for that Section 1 DMZ Dynamic PAT it didnt interfere with the Port Forward configuration. Provided ofcourse I didnt test from the just mentioned added destination network.

So it seemed as no destination was configured for the NAT it seemed to be matching all incoming traffic to the "outside" inteface IP address (even though the other interface was "dmz" which didnt seem to matter)

Dont know if I made any sense but this just seemed strange to me. Then again I dont configure the NAT in the same way as in this problem situation so I havent run into this problem myself.

- Jouni