6 Replies Latest reply on Dec 8, 2011 6:33 PM by art_r

    Dnat gets internal IP on 2nd packet on

      Hi All,

      Have an SG580 with a DNAT set up (via the GUI) to forward packets from a static ext IP/port to an internal IP/port. Say ext 1.1.1.1:3000 to int 192.168.1.1:3000.

       

      Have an SG560 at the satellite office, and looking in its logs I can see my application contact 1.1.1.1 and get a response back, but from the 2nd packet on it shows the destination as 192.168.1.1 rather than 1.1.1.1, and so it doesn't work.

       

      Why or how is my destination address changing from the correct external IP to the incorrect internal IP, and is there a way to fix this? I have many other DNATs on the SG580 and have never seen anything like this.

       

      Any help would be greatly appreciated.

       

      Shame that these units are discontinued, still working very well many years on.

       

       

      Art

        • 1. Re: Dnat gets internal IP on 2nd packet on

          The packet is not being source-NATted to 1.1.1.1 when it is sent out from the SG580 on its return to the satellite office.

           

          As a workaround, try creating a source NAT rule that does this translation (it will be the opposite of the DNAT rule).

          • 2. Re: Dnat gets internal IP on 2nd packet on

            Hi Ross,

            Will give that a try again; I think I did try that first, but will try again and see what happens.

            • 3. Re: Dnat gets internal IP on 2nd packet on

              Hi Ross,

              OK, I have since set up an IPsec tunnel between both locations to make life easier, but am still having a similar issue, sort of.

               

              I can ping/tracert between both internal networks. But now when an application at the satellite office sends a request to the head office, the head office router sends the response back to the satellite office's WAN IP rather than the internal IP. So a similar issue to the above, but now sending to external rather than internal.

               

              Any ideas as I was hoping with a full site to site VPN all my issues would go away.

               

              a.
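To make the two symptoms in this thread concrete, here is an added example that is not from the thread, from Ross or Art, or from the SnapGear firmware: a small Python model of a NAT router with connection tracking. It covers reply 1 (a port-forwarded flow whose reply either is or is not rewritten back to the public address, plus Ross's mirror-SNAT workaround) and reply 3 (what the head office sees as the source of a tunnel-bound request when the satellite gateway masquerades it versus exempts the remote subnet). Only 1.1.1.1 and 192.168.1.1 come from the thread; the satellite WAN address 2.2.2.2, the satellite LAN 192.168.2.0/24 and the port numbers are assumptions, and the model is a simplification of netfilter behaviour, not SnapGear's implementation.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model of a netfilter-style NAT router with connection tracking.

    dnat:         {(public_ip, port): (internal_ip, port)}  port forwards
    snat:         {(internal_ip, port): (public_ip, port)}  explicit mirror
                  rules (Ross's workaround); empty by default
    wan_ip:       address used when masquerading LAN-originated traffic
    no_nat:       subnets (e.g. the far side of an IPsec tunnel) that must
                  be reached without source NAT
    reverse_dnat: whether conntrack rewrites the reply of a forwarded flow
                  back to the public address (the normal behaviour)
    """

    def __init__(self, dnat, wan_ip, snat=None, no_nat=(), reverse_dnat=True):
        self.dnat = dict(dnat)
        self.snat = dict(snat or {})
        self.wan_ip = wan_ip
        self.no_nat = [ip_network(n) for n in no_nat]
        self.reverse_dnat = reverse_dnat
        # (client, client_port, internal_ip, internal_port) -> (public_ip, public_port)
        self.conntrack = {}

    def wan_to_lan(self, pkt):
        """PREROUTING: apply DNAT and remember the mapping for the reply."""
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        self.conntrack[(pkt.src, pkt.sport, *target)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=target[0], dport=target[1])

    def lan_to_wan(self, pkt):
        """POSTROUTING: un-DNAT tracked replies, exempt tunnel subnets, else masquerade."""
        public = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if public is not None and self.reverse_dnat:
            return replace(pkt, src=public[0], sport=public[1])
        # Ross's workaround: an explicit SNAT rule mirroring the DNAT rule
        static = self.snat.get((pkt.src, pkt.sport))
        if static is not None:
            return replace(pkt, src=static[0], sport=static[1])
        if public is not None:
            return pkt  # tracked reply with no reverse map: internal IP leaks out
        if any(ip_address(pkt.dst) in net for net in self.no_nat):
            return pkt  # VPN-bound: keep the internal source address
        return replace(pkt, src=self.wan_ip)


def reply_matches(request, reply):
    """What a stateful client-side firewall checks before accepting a reply."""
    return ((reply.src, reply.sport) == (request.dst, request.dport)
            and (reply.dst, reply.dport) == (request.src, request.sport))


def port_forward_roundtrip(reverse_dnat, mirror_snat=False):
    """Reply 1: satellite client -> 1.1.1.1:3000, forwarded to 192.168.1.1:3000.

    Returns the reply as the satellite sees it and whether it matches the request.
    """
    snat = {("192.168.1.1", 3000): ("1.1.1.1", 3000)} if mirror_snat else {}
    head = NatGateway({("1.1.1.1", 3000): ("192.168.1.1", 3000)},
                      wan_ip="1.1.1.1", snat=snat, reverse_dnat=reverse_dnat)
    request = Packet("2.2.2.2", 40000, "1.1.1.1", 3000)  # satellite WAN IP assumed
    inside = head.wan_to_lan(request)
    server_reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    seen = head.lan_to_wan(server_reply)
    return seen, reply_matches(request, seen)


def vpn_request_source(exempt_tunnel):
    """Reply 3: satellite LAN host -> head-office LAN over the tunnel.

    Returns the source address the head office will answer to.
    """
    sat = NatGateway({}, wan_ip="2.2.2.2",
                     no_nat=["192.168.1.0/24"] if exempt_tunnel else [])
    request = Packet("192.168.2.10", 40001, "192.168.1.1", 3000)  # assumed LAN host
    return sat.lan_to_wan(request).src


if __name__ == "__main__":
    print("reverse DNAT on :", port_forward_roundtrip(True))
    print("reverse DNAT off:", port_forward_roundtrip(False))
    print("mirror SNAT     :", port_forward_roundtrip(False, mirror_snat=True))
    print("tunnel exempt   :", vpn_request_source(True))
    print("tunnel masq'd   :", vpn_request_source(False))
```

Run it and compare the "reverse DNAT off" line with Art's description: the reply reaches the satellite with 192.168.1.1 as its source, so the satellite's stateful firewall cannot match it to the request it sent to 1.1.1.1. The "tunnel masq'd" line shows why a leftover masquerade rule that is not exempting the remote subnet makes the head office answer to the satellite's WAN address instead of the LAN host.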

              • 4. Re: Dnat gets internal IP on 2nd packet on
                PhilM

                Art,

                 

                I'm not as familiar with SnapGears as I am with the larger McAfee Firewalls, though I do have one running at home providing me with an IPsec tunnel back to the McAfee Firewall Enterprise appliance located at my company's offices. As I understand it, the presence of the site-to-site IPsec tunnel should automatically take control of this traffic before it is even seen by any other aspect of the firewall.

                 

                However, I'm anticipating that there may be some residual routing/NAT configuration from your earlier attempts which may be confusing the situation. Have you removed these legacy settings?

                 

                On a couple of occasions I have experienced a situation where traffic should be sent over a VPN, but for reasons unknown it is not. Deleting and recreating the IPsec tunnel normally fixes it.

                 

                I will happily defer to Ross' expertise on this product, but hope that this proves to be useful to you.

                 

                Phil.

                • 5. Re: Dnat gets internal IP on 2nd packet on

                  Hi Phil,

                  Thanks for the reply. I did turn off my previous rules/filters, but agree that could still be something that is adding to the issue. I will give your suggestion a go, back up the config, remove a lot of old configuration and test over the weekend, as this is a live/production unit.

                   

                  I will try deleting and recreating the VPN also, as you suggest.

                   

                  Cheers

                  Art

                  • 6. Re: Dnat gets internal IP on 2nd packet on

                    OK, so I cleaned up my router and the IPsec tunnel is working correctly now.

                     

                    I have posted a new issue, in a new thread.

                     

                    Thanks to Ross and Phil