4 Replies Latest reply on Dec 23, 2012 2:55 PM by rcamm

    How to port forward with original source address

      SG 575 has an web application server on its DMZ network. The application needs to tell who the user is by recognizing its source IP address from both, public and LAN interface. How to set up NAT to allow web server sitting in DMZ to see original source addresses of the clients, not the NATed ones from SG?

        • 1. Re: How to port forward with original source address
          PhilM

          I imagine that in addition to the port forwarding and packet filter entries to allow the traffic to pass through to the DMZ, you can also create a Source NAT entry for this traffic. When doing so, in the "Translate packet fields:" section configure the "To Source Address" as "Unchanged" and this should preserve the original source IP address.

          Hope that helps.

          -Phil.

          • 2. Re: How to port forward with original source address

            Thank you, Phil.

            I was thinking about SNAT before, but I just don't know how to use it. I thought it could be used only INSTEAD of other NAT methods, in this case to disable masquerading from LAN to DMZ and use SNAT instead. I don't see it possible for replacing DNAT.

            Now, your answer makes me think SNAT on SG devices isn't implemented that way. Rather it uses another approach, for example a cycle like this:

            SYN packet checked for: VPN -> Masq/DNAT/1-1 NAT -> SNAT -> PF

            In this case, SNAT is used on top of other NAT rules and it is straightforward to preserve source addresses of incoming requests.

            Can you confirm this?

            • 3. Re: How to port forward with original source address
              PhilM

              I have to confess that my primary exposure is with the McAfee Firewall Enterprise (MFE) product. I only know a bit about the UTM/SnapGear solution because shortly after CyberGuard were purchased by Secure Computing, the kind people at Secure Computing UK (who I'd dealt with since the late 1990's) were kind enough to give me an SG565 to use at home.

              All of my base knowledge in NAT comes from the MFE product, and I have to confess that every other implementation of NAT I have come across (SnapGear, Juniper & SonicWALL in my case) all seems over complex and, frankly, confusing in comparison!

              In MFE, source NAT and destination NAT (redirection, in the case of MFE) operate independently of each other, meaning that you can apply destination NAT and choose whether you need to apply source NAT or not. By default it will source NAT. While it isn't as easy, I have found the same to be the case on the SonicWALL Firewalls I have been working with. So... I'd like to think that the same is the case for this Firewall - with the Port Forwarding rules handling the destination NAT part of the connection and the Source NAT rules allowing you to optionally decide whether you want to change the source IP address, and if there isn't a source NAT rule in place it will resort to using whatever default masquerading setting is in place.

              Does that help?

              When it comes to real expertise, Ross (rcamm) is the man to call upon. However, his availability on this forum is governed by how much work he has to do.

              • 4. Re: How to port forward with original source address

                You are correct... SNAT is done last in the chain.

                See the diagram at the bottom of this page:

                http://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html

                where SNAT is done at the last section, NAT POSTROUTING, with DNAT done first in NAT PREROUTING.

                As such you can create a SNAT rule and it will not affect the DNAT or vice versa... it is affecting a different parameter, being the source address.

                Hope this helps clarify.
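The chain ordering described in the last reply (DNAT in NAT PREROUTING first, SNAT/masquerade in NAT POSTROUTING last, the two independent of each other), as an added toy model that is not part of the thread or of the SnapGear firmware. The addresses, the "10.0.2." DMZ prefix and the rule shapes are assumptions; a source rule of `None` stands in for the "To Source Address: Unchanged" setting from reply 1.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (assumptions, not from the thread).
PUBLIC_IP = "203.0.113.10"   # firewall WAN address that clients connect to
FW_DMZ_IP = "10.0.2.1"       # firewall's own DMZ-side address (masquerade source)
DMZ_SERVER = "10.0.2.80"     # web application server in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dnat_prerouting(pkt, rules):
    """NAT PREROUTING: port-forward rules rewrite the destination before routing."""
    for match_dst, match_port, new_dst in rules:
        if pkt.dst == match_dst and pkt.dport == match_port:
            return replace(pkt, dst=new_dst)
    return pkt


def snat_postrouting(pkt, rules):
    """NAT POSTROUTING: first matching source rule wins; None means 'Unchanged'."""
    for out_prefix, new_src in rules:
        if pkt.dst.startswith(out_prefix):
            return pkt if new_src is None else replace(pkt, src=new_src)
    return pkt


def traverse(pkt, dnat_rules, snat_rules):
    pkt = dnat_prerouting(pkt, dnat_rules)      # 1. DNAT (destination only)
    # 2. routing decision and filter FORWARD would sit here (accepted in this model)
    return snat_postrouting(pkt, snat_rules)    # 3. SNAT / masquerade (source only)


PORT_FORWARD = [(PUBLIC_IP, 443, DMZ_SERVER)]   # assumed port-forward rule


def forward_no_snat(client_ip):
    """Port forward only: server sees the client's real address."""
    return traverse(Packet(client_ip, PUBLIC_IP, 443), PORT_FORWARD, [])


def forward_masqueraded(client_ip):
    """Port forward plus masquerade towards the DMZ: server sees the firewall."""
    return traverse(Packet(client_ip, PUBLIC_IP, 443), PORT_FORWARD, [("10.0.2.", FW_DMZ_IP)])


def forward_snat_unchanged(client_ip):
    """Port forward plus an explicit 'Unchanged' source rule: DNAT still applies."""
    return traverse(Packet(client_ip, PUBLIC_IP, 443), PORT_FORWARD, [("10.0.2.", None)])
```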