SaVen
New Member
July 13, 2018
Question

Disable Virtual IP for a specific policy

  • July 13, 2018
  • 1 reply
  • 10068 views

We have two policies for a source subnet, one for internal and one for external access, with the same source and destination interfaces in both policies.

There are virtual IPs created for some source addresses for internal access; however, these NAT addresses are overriding the PAT configured for external access and NATing to specific virtual IPs instead of PAT, which is creating access issues.

Is there a way I can exclude these virtual IPs from being considered for the external policy?

 

Thanks,

Saven

    1 reply

    Nicholas_Doropoulos
    New Member
    July 13, 2018

    Hi,

     

    You should be able to do that by running the following commands:

     

    config firewall policy
    edit [relevant policy]
    set match-vip disable
    end

     

    Then test to verify results.

    SaVen (Author)
    New Member
    July 13, 2018

    Hi, 

     

    That is already disabled by default. 

     

    Thanks

    SaVen (Author)
    New Member
    July 20, 2018

    Any comments on this?

    Doesn't this work only as DNAT? I see that even when traffic is initiating (source) from 100.5.2.5, it is resolving to 100.5.6.9? Can't we force it to be only a DNAT?

     

    config firewall vip
        edit "some_nat"
            set id 0
            set comment ''
            set type static-nat
            set extip 100.5.6.9
            set extintf "any"
            set arp-reply enable
            set nat-source-vip disable
            set portforward disable
            set gratuitous-arp-interval 0
            set color 0
            set mappedip "100.5.2.5"
        next
    end
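
An added example, not part of the thread: a small Python audit that parses `config firewall vip` output like the block above and lists every VIP with the same shape as the one in the post (static-nat with port forwarding disabled), so the mapped/external pairs can be reviewed against the outbound policy. The function names and the second VIP (`web_pf`) are hypothetical, and the sample config is constructed from the values in the post.

```python
# Constructed sample: the VIP from the post plus a hypothetical port-forward VIP.
SAMPLE = '''
config firewall vip
    edit "some_nat"
        set type static-nat
        set extip 100.5.6.9
        set extintf "any"
        set nat-source-vip disable
        set portforward disable
        set mappedip "100.5.2.5"
    next
    edit "web_pf"
        set extip 100.5.6.10
        set extintf "port1"
        set portforward enable
        set mappedip "100.5.2.6"
    next
end
'''

def parse_vips(text):
    """Return {vip_name: {option: value}} from a 'config firewall vip' block."""
    vips, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            # depth 1 is the vip table itself; deeper levels are nested sub-tables
            depth = depth + 1 if depth else int(line == "config firewall vip")
        elif not depth:
            continue  # outside the vip table
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = vips.setdefault(line[5:].strip().strip('"'), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            current[parts[1]] = parts[2].strip("\"'") if len(parts) > 2 else ""
    return vips

def one_to_one_vips(vips):
    """VIPs shaped like the one in the post: static-nat, no port forwarding.
    Assumption: options missing from the output are at their defaults
    (type static-nat, portforward disable)."""
    return [(name, o.get("mappedip"), o.get("extip"), o.get("extintf"))
            for name, o in vips.items()
            if o.get("type", "static-nat") == "static-nat"
            and o.get("portforward", "disable") == "disable"]
```

Each returned tuple is (name, mapped IP, external IP, external interface); for the sample it contains only `some_nat`.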