How to handle DNAT with Zone-policy?


#1

Quick question.

If you apply a DNAT together with a zone-based policy from WAN to LAN, is the LAN zone's policy supposed to see the packet as coming from the WAN zone or from the LOCAL zone?

I'm trying to set up a DNAT. I can see the packets arriving when I run "monitor nat dest", but I don't see anything leaving the LAN interface (eth1).

My configuration:

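/* Global firewall options. Rulesets below are attached to zone pairs in zone-policy. */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* lan -> wan: permit everything outbound (zone wan, from lan). */
name lan-wan {
default-action accept
}
/* Used for both lan -> vpn and vpn -> lan in zone-policy; permits everything. */
name vpn-lan {
default-action accept
}
/* Only established/related allowed; everything else is rejected and logged.
   NOTE(review): not referenced by any zone-policy pair in this listing. */
name vpn-wan {
default-action drop
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action reject
log enable
}
}
/* NOTE(review): not referenced by any zone-policy pair in this listing (no dmz zone).
   Rule 100 matches the pre-translation port 3341; DNAT rewrites the destination
   before forwarding is filtered, so this is unlikely to match the translated flow
   (tcp/1433) — confirm before reusing it. */
name wan-dmz {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
state {
invalid enable
}
}
rule 100 {
action accept
destination {
port 3341
}
protocol tcp
state {
new enable
}
}
}
/* wan -> lan: default drop (logged), allow return traffic, drop invalid,
   and permit only the DNAT'd service. The DNAT rules (nat destination 100/101)
   translate tcp/3341 and tcp/1433 on eth0 to 10.10.5.14:1433, so rule 100 is
   pinned to tcp/1433 at the translated address instead of accepting any
   protocol/port to that host. */
name wan-lan {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
rule 100 {
action accept
destination {
address 10.10.5.14
port 1433
}
log enable
protocol tcp
state {
new enable
}
}
}
receive-redirects disable
send-redirects enable
/* NOTE(review): reverse-path validation is off; acceptable if asymmetric paths via vti0
   are expected, otherwise consider enabling it — confirm. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}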
interfaces {
/* WAN uplink (address redacted in the post); member of zone wan. */
ethernet eth0 {
address 170.xxxxx
duplex auto
hw-id 00:xxx
smp_affinity auto
speed auto
}
/* LAN side, 10.10.5.0/24; member of zone lan. The DNAT target 10.10.5.14 lives here. */
ethernet eth1 {
address 10.10.5.1/24
duplex auto
hw-id 00:50xxxx
smp_affinity auto
speed auto
}
loopback lo {
}
/* Plain GRE tunnel (unencrypted). NOTE(review): tun0 is not a member of any
   zone in zone-policy below — confirm how its traffic is meant to be filtered. */
tunnel tun0 {
encapsulation gre
local-ip 140.xxxx
multicast disable
remote-ip 177.xxxx
}
/* Route-based IPsec interface, bound to the site-to-site peer below; member of zone vpn. */
vti vti0 {
address 169.254.252.2/30
}
}
load-balancing {
wan {
/* Load balancing must not SNAT; outbound NAT is handled by nat source rule 100. */
disable-source-nat
/* vti0 is considered up while pings to the tunnel peer succeed. */
interface-health vti0 {
failure-count 10
nexthop 169.254.252.1
success-count 1
test 10 {
resp-time 5
target 169.254.252.1
ttl-limit 5
type ping
}
}
/* NOTE(review): matches every protocol arriving on eth0 and steers it to vti0.
   DNAT'd flows for 10.10.5.14 also arrive on eth0; if they are not excluded
   from this rule they may be policy-routed toward the tunnel rather than out
   eth1 — confirm, as this would match the missing LAN egress reported above. */
rule 10 {
inbound-interface eth0
interface vti0 {
weight 1
}
protocol all
}
}
}
nat {
destination {
/* Inbound on eth0: tcp/3341 -> 10.10.5.14:1433 (logged). */
rule 100 {
destination {
port 3341
}
inbound-interface eth0
log enable
protocol tcp
translation {
address 10.10.5.14
port 1433
}
}
/* Inbound on eth0: tcp/1433 -> 10.10.5.14 (destination port unchanged, so 1433).
   NOTE(review): this exposes the service on its standard port as well, so the
   non-standard port in rule 100 offers no obscurity; confirm rule 101 is intended
   and that the WAN firewall restricts who can reach it. */
rule 101 {
destination {
port 1433
}
inbound-interface eth0
protocol tcp
translation {
address 10.10.5.14
}
}
}
source {
/* Masquerade the LAN behind eth0's address for outbound traffic. */
rule 100 {
outbound-interface eth0
source {
address 10.10.5.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
/* Remote site reachable through the IPsec VTI (169.254.252.1 is the peer end of vti0). */
route 172.16.0.0/16 {
next-hop 169.254.252.1 {
}
}
}
}
service {
/* SSH on the default port. NOTE(review): zone-policy below defines no local zone,
   so traffic to the router itself is presumably not subject to it — confirm
   that management access from eth0 is restricted elsewhere. */
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
/* Default gateway and name servers are redacted in the post. */
gateway-address xxxxxx
host-name fw
name-server
name-server

 /* Community package repository (Vyatta "helium" distribution), anonymous access. */
 package {
     auto-sync 1
     repository community {
         components main
         distribution helium
         password ""
         username ""
     }
 }
 /* notice for everything, debug for routing protocols. */
 syslog {
     global {
         facility all {
             level notice
         }
         facility protocols {
             level debug
         }
     }
 }
 time-zone UTC

}
vpn {
ipsec {
/* Phase 2 for the site-to-site VTI. NOTE(review): proposal 3 (3des/md5) is weak by
   current standards; drop it if the peer supports AES/SHA — confirm with the peer. */
esp-group MyESPGroup {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
proposal 2 {
encryption aes256
hash sha1
}
proposal 3 {
encryption 3des
hash md5
}
}
/* Phase 1, IKEv1. Proposals 1 and 2 are identical; proposal 3 (3des/md5) is weak.
   NOTE(review): ikev2-reauth has no effect under key-exchange ikev1. */
ike-group MyIKEGroup {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes256
hash sha1
}
proposal 3 {
encryption 3des
hash md5
}
}
ipsec-interfaces {
interface eth0
}
/* Accept NAT-traversal peers from any network (needed for roaming L2TP clients). */
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
/* Site-to-site peer (address and PSK redacted), route-based via vti0. */
site-to-site {
peer xxxxx {
authentication {
mode pre-shared-secret
pre-shared-secret xxxx
}
connection-type initiate
ike-group MyIKEGroup
ikev2-reauth inherit
local-address xxxx
vti {
bind vti0
esp-group MyESPGroup
}
}
}
}
/* L2TP/IPsec remote access: PSK for IPsec, locally defined users for L2TP
   (credentials redacted). Client pool 192.168.214.1-255. */
l2tp {
remote-access {
authentication {
local-users {
username xxxx {
password xxx
}
username xxx {
password xxxx
}
}
mode local
}
client-ip-pool {
start 192.168.214.1
stop 192.168.214.255
}
description xsxw
dns-servers {
server-1 8.8.8.8
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret xwxwx
}
ike-lifetime 3600
}
outside-address xxxxxxxxxxx
}
}
}
/* Zones: lan (eth1), vpn (vti0), wan (eth0). No local zone is defined, so traffic
   to/from the router itself is presumably outside these rules — confirm.
   Zone pairs not listed (wan<->vpn) fall to the zone's default-action drop.
   NOTE(review): rulesets wan-dmz and vpn-wan are defined in firewall but not used here.
   DNAT rewrites the destination before forwarding is filtered, so a WAN->LAN flow
   toward the translated address is evaluated by wan-lan with destination 10.10.5.14. */
zone-policy {
zone lan {
default-action drop
from vpn {
firewall {
name vpn-lan
}
}
from wan {
firewall {
name wan-lan
}
}
interface eth1
}
/* lan -> vpn reuses the vpn-lan ruleset (accept-all). */
zone vpn {
default-action drop
from lan {
firewall {
name vpn-lan
}
}
interface vti0
}
zone wan {
default-action drop
from lan {
firewall {
name lan-wan
}
}
interface eth0
}
}

Thanks.


#2

In case anyone runs into the same situation: I can confirm that, when a DNAT is applied, the zone-policy needs to treat the flow as coming from the local zone to the LAN zone.


#4
