2 Static NAT Rules for traffic vs 1 NAT Rules | How does this effect application web traffic?

LaFerrari
Level 1

IoT Device 2 NAT Sessions for WebSockets, firewall blocking traffic when 2 Static NAT entries are made

---------------------------------------------------------

There is this IoT device that I have been working on getting to work. One engineer took it home and it worked fine. I bring it behind our firewall and it doesn't work. I do a packet capture and I see traffic from the IoT device to the internet. They say all it needs is 2 ports open outbound and then it goes to a single web server, which it does, because it is in the trusted security zone of the inside interface going to the outside.


The manufacturer spoke to another engineer and had it tested. They are saying this: "When I started I had a separate firewall rule allowing outbound UDP and outbound TCP traffic to the port. I believe this caused the session to leave the firewall via the NAT in 2 sessions, and between the device and the webserver it wasn't able to 'jump' between both sessions. But adding both of the UDP and TCP rules into a single firewall rule I believe it's able to allow all the communication to flow from a single session, and thus made the connection."


What does this mean and why would this happen?


He is saying they are using WebSockets to make the connection, but I am not sure what that means; maybe some kind of library in their application?
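To make the "2 sessions" bookkeeping concrete, here is a toy model of the connection table a stateful NAT/firewall keeps for outbound flows. This is an added illustration for the thread, not code from the firewall vendor, the IoT vendor or the original poster, and every address, port and rule name in it (192.168.1.50, 203.0.113.10, 198.51.100.20, port 8883, the rule names) is a made-up assumption. It shows that a stateful NAT keys each entry by the full 5-tuple, protocol included, so one TCP flow and one UDP flow between the same two hosts always become two separate entries whether the permit rules are written as one rule or two; return packets are admitted only against an entry of the same protocol, and a protocol that no rule permits never gets an entry at all.

```python
# Added illustration for this thread (not the firewall vendor's or the IoT
# vendor's code): a toy model of the connection table a stateful NAT/firewall
# keeps for outbound flows.  Every IP, port and rule name here is made up.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# A flow is identified by its 5-tuple; the protocol is part of the key.
Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    protos: FrozenSet[str]   # protocols the rule permits, e.g. {"tcp"} or {"tcp", "udp"}
    dst_port: int


@dataclass
class StatefulNat:
    public_ip: str
    rules: List[Rule]
    next_port: int = 40000
    # inside 5-tuple -> (translated source port, name of the rule that admitted it)
    table: Dict[Flow, Tuple[int, str]] = field(default_factory=dict)

    def _first_match(self, proto: str, dst_port: int) -> Optional[Rule]:
        for rule in self.rules:
            if proto in rule.protos and dst_port == rule.dst_port:
                return rule
        return None

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Tuple[str, int]]:
        """Admit an inside->outside packet.  Returns the translated (ip, port),
        or None when no rule permits it.  Creates a table entry on first sight."""
        rule = self._first_match(proto, dst_port)
        if rule is None:
            return None
        key: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            self.table[key] = (self.next_port, rule.name)
            self.next_port += 1   # toy allocator; real NATs keep per-protocol port pools
        return self.public_ip, self.table[key][0]

    def inbound(self, proto, src_ip, src_port, nat_port) -> Optional[Tuple[str, int]]:
        """Admit an outside->inside packet only if it matches an existing entry
        of the same protocol; return traffic never goes through the rule lookup."""
        for (p, in_ip, in_port, d_ip, d_port), (np, _) in self.table.items():
            if (p, d_ip, d_port, np) == (proto, src_ip, src_port, nat_port):
                return in_ip, in_port
        return None


def entries_after_both_flows(rules: List[Rule]) -> int:
    """Send one TCP and one UDP packet from the same inside socket to the
    same server port and report how many NAT entries exist afterwards."""
    nat = StatefulNat("203.0.113.10", rules)
    nat.outbound("tcp", "192.168.1.50", 51000, "198.51.100.20", 8883)
    nat.outbound("udp", "192.168.1.50", 51000, "198.51.100.20", 8883)
    return len(nat.table)


# Three ways of writing the permit rules (constructed for the demonstration).
SEPARATE_RULES = [Rule("tcp-out", frozenset({"tcp"}), 8883),
                  Rule("udp-out", frozenset({"udp"}), 8883)]
COMBINED_RULE = [Rule("tcp-udp-out", frozenset({"tcp", "udp"}), 8883)]
TCP_ONLY_RULE = [Rule("tcp-out", frozenset({"tcp"}), 8883)]

if __name__ == "__main__":
    for label, rules in [("two rules", SEPARATE_RULES), ("one rule", COMBINED_RULE)]:
        print(f"{label}: {entries_after_both_flows(rules)} NAT entries")
    nat = StatefulNat("203.0.113.10", TCP_ONLY_RULE)
    print("udp with tcp-only rule:",
          nat.outbound("udp", "192.168.1.50", 51000, "198.51.100.20", 8883))
```

Running it prints two NAT entries for both rule layouts and `None` for the UDP packet under the TCP-only rule. The practical check on a real firewall is therefore the translation or connection table while the device is trying to connect: look for one entry per protocol toward the server, and for a permit on each protocol in the rule base, rather than for the rules being merged.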

5 Replies

What do you want to achieve, and what help do you need? If you understand the flow of how this IoT device is working, in that case you should reach out to the vendor and ask them to explain how it works.

We are here to help if you have an issue with the device connection to the firewall inbound/outbound. Give us a clear picture of what you want to get out of this in regards to the firewall. The rest of the questions you can ask the vendor directly instead of asking here.

Please do not forget to rate.

You are correct, but there is more to it than that. The vendor actually flew to our customer's office the other day and had no idea how it works. The guy was the one who started the company and "made" the device. They are saying the issue is happening because of the firewall, and if we had the firewall configured how they want us to, it would work.


I was actually told in an email that the issue was that I was allowing TCP and UDP but not properly allowing TCP and UDP simultaneously xD


They say the only thing it needs is these two ports on TCP and UDP, and I can confirm it does.


I understand it is their problem, but I am going to try it and see what happens, and I am curious why it would happen.

What configuration have you applied so far? Give us your config; as a second pair of eyes we can look into this and might be able to work it out for you.

Please do not forget to rate.

I haven't done anything to the config yet. There is nothing special; it just allows IP from inside to outside. All devices work to the internet. The IoT device can even ping the internet and test the remote connection to the webserver with telnet IP portnumber. They are just saying that the application only fails if it is blocked, but they can't provide any logs showing that.
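Since the thread asks what "WebSockets" means for the firewall, here is an added example (not code from the original post or from the IoT vendor) of the WebSocket opening handshake defined in RFC 6455. A WebSocket starts as an ordinary HTTP/1.1 request on a single TCP connection; the server answers `101 Switching Protocols` and proves it understood the upgrade by returning `Sec-WebSocket-Accept`, which is the base64 of SHA-1 over the client's key concatenated with a GUID fixed by the RFC. The handshake never uses UDP, so a UDP port the device also needs is carrying something other than the WebSocket itself. The host name `example.invalid`, the path `/ws`, the sample key and the canned server reply below are constructed values (the key/accept pair is the one given in RFC 6455 section 1.3).

```python
# Added example for this thread (not the vendor's code): client side of the
# RFC 6455 WebSocket opening handshake and a strict check of the server reply.
import base64
import hashlib
import os
from typing import Optional, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455, not a secret


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_client_handshake(host: str, path: str, key: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (key, request bytes).  With key=None a fresh random 16-byte key is
    generated, as a real client does; a fixed key makes the output reproducible."""
    if key is None:
        key = base64.b64encode(os.urandom(16)).decode("ascii")
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    )
    return key, request.encode("ascii")


def parse_server_handshake(response: bytes, client_key: str) -> bool:
    """True only for a 101 reply whose Upgrade/Connection headers are right and
    whose Sec-WebSocket-Accept matches the key we sent (the binding that stops a
    plain HTTP server or a proxy from being mistaken for a WebSocket endpoint)."""
    head, _, _ = response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[0] != "HTTP/1.1" or status[1] != "101":
        return False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False
    return headers.get("sec-websocket-accept") == expected_accept(client_key)


# Constructed sample exchange using the key/accept pair from RFC 6455 section 1.3.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_SERVER_REPLY = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    key, request = build_client_handshake("example.invalid", "/ws", SAMPLE_KEY)
    print(request.decode("ascii"))
    print("server reply accepted:", parse_server_handshake(SAMPLE_SERVER_REPLY, key))
```

The request bytes the script prints are exactly what a client sends first on the TCP port, so they can be pasted into the `telnet IP portnumber` session mentioned above (with the real host name and path, which the vendor would have to supply): a `101` with a matching accept value means the WebSocket endpoint is reachable through the firewall, while a timeout or a reset on that first request points at the TCP path rather than at the application.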

Thanks for the update

Please do not forget to rate.