Solved: Confused about NAT [Auto Vs. Manual] and Static vs. Dynamic

TheGoob · ‎02-24-2025

Hi

So I am just confused over the concepts, and google is not helping. It recites specifics, but nothing that explains.

So, for example. I have several WAN IPs and several LAN Networks [vlans] and will just be dealing with one.

First, I made a MANUAL Dynamic NAT; x.x.x.180 [WAN IP] to 192.168.1.0 [LAN Network] - - To me, that means associate ANY LAN IP 192.168.1.0/24 with WAN IP x.x.x.180. This works, no matter what IP on the 1.x LAN grabs the correct WAN IP.

Second, I make ACL's allowing for Incoming [WAN to LAN] access: Allow incoming from outside to inside 192.168.1.180 Port 25.

Still did not work. So then I made another manual NAT but static x.x.x.180 to 192.168.1.180. [I did not specify] ports.

Now it works, incoming and outgoing mail. But works does not mean works right. How does a NON PORT SPECIFIC 2nd Static NAT make it work? The NAT isn't saying anything about email port 25, so how does it know??

TheGoob · ‎02-27-2025

Oh for the love of!!!

First of all, I rarely run firewall specifics on this type of server as only 2 ports open and ruled by the Cisco FPR but it just occurred to me several months back I fussed around with it and sure enough, 80 was blocked. I unblocked it and bam, Works.

How embarrassing.

View solution in original post

liviu.gheorghe · ‎02-24-2025

First, I made a MANUAL Dynamic NAT; x.x.x.180 [WAN IP] to 192.168.1.0 [LAN Network] - - To me, that means associate ANY LAN IP 192.168.1.0/24 with WAN IP x.x.x.180. This works, no matter what IP on the 1.x LAN grabs the correct WAN IP.

This NAT is for the IP addresses on the inside LAN to be translated to the outside in a public IP - x.x.x.180

Second, I make ACL's allowing for Incoming [WAN to LAN] access: Allow incoming from outside to inside 192.168.1.180 Port 25.

The ACL is basically for inspecting traffic.

Still did not work. So then I made another manual NAT but static x.x.x.180 to 192.168.1.180. [I did not specify] ports.

This NAT is needed in order to permit outside traffic from the originating mail server to be translated to the real server IP - 192.168.1.180

Now it works, incoming and outgoing mail. But works does not mean works right. How does a NON PORT SPECIFIC 2nd Static NAT make it work? The NAT isn't saying anything about email port 25, so how does it know??

The "NON PORT SPECIFIC 2nd Static NAT" translates ALL ports for the specified IP address.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-24-2025

That all makes more sense… Would it be wise to indeed make them port specific? Or does it not matter as I do not have ACL’s permitting ports other than what I want anyway.

liviu.gheorghe · ‎02-25-2025

It's always a good idea to be very specific when it comes to firewall configuration. For that matter, I always configure as specific as possible the NAT and the ACL's.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-27-2025

Not to sound redundant, but do I need to make a NAT entry for any incoming port access alongside an ACL.

So, if I am doing 25, 443 and 80, do I make 3 NAT's?

liviu.gheorghe · ‎02-27-2025

Yes, you do have to configure 3 NAT entries, one for each port you intend to use - 25, 443, 80.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-27-2025

Hi

Then I am doing something wrong.

I made a NAT entry for Port 80 and created an ACL for Port 80...NAT is a MANUAL NAT, Above the default NAT.

But when I do Letsencrypt [certificate maker] I get this error

Fetching http://mail.fbeye.org/.well-known/acme-challenge/IU4TxWtsgccFG7iQS3HMBqWAybIsQpmd9zLm-7oWrJU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

liviu.gheorghe · ‎02-27-2025

I can see that port 25 is opened on mail.fbeye.org, but port 80 and 443 is not.

What is the difference between port 25 NAT config and port 80 NAT config?

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-27-2025

Well this is what I am trying to figure out.

25 is for my incoming mail, 80 is for incoming letscencrypt certificate authentication.. 443 for now is just open. Here are the nat/acl for the 80

liviu.gheorghe · ‎02-27-2025

Can I see the NAT screenshot for port 25 as well please.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-27-2025

Yes, but right now I do not have anything specific, just a STATIC Manual NAT as such [which i guess could be my problem because it may be overruling the 80] now that I think about it.

liviu.gheorghe · ‎02-27-2025

The NAT rule "fbeye_mail" is not restricted to any ports - it translates all ports on object group "fbeye_mail" to object group "fbeye_WAN".

What is NAT rule "fbeye_Networks"?

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-27-2025

So, starting from beginning.

I have a NAT, Dynamic rule associating ALL [LAN] 192.168.1.0/24 to [WAN] x.x.x.180

I then want to allow access [incoming] from 80 and 25, so I create two NEW NAT rules STATIC above the default NAT Rule. That is where I am at.

1.) associating LAN Network with WAN IP [reason for this is i simply want any IP on the 1.0 network to have the .180 WAN IP by default]

2.) creating incoming 25 rule and

3.) creating incoming 80 rule... ALL on WAN x.x.x.182 to LAN [Specific] 192.168.1.180

fbeye_network = 192.168.1.0/24

fbeye_mail = 192.168.1.180

fbeye_WAN = x.x.x.180 WAN IP

liviu.gheorghe · ‎02-27-2025

What other ACL rules do you have? Do you have an ACL rule permitting traffic from source interface "vlan2" to destination interface "outside"?

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-27-2025

Hmmm, that I do not.. I do not have any specific "outgoing" only the default 'inside to outside' in which fbeye/vlan2 is associated with inside.