Hairpin NAT (NAT loopback) in NGFW mode
Hi,
Situation is standard DMZ: single WAN port forwarded to a server in a DMZ which is separate to the main lan subnet. Access externally works via this port, and access internally (via the separate lan subnet/interface) works via the original IP and port.
External source accessing [ExternalIP]:88->[InternalDMZIP]:80 works fine
Internal (lan) source accessing [InternalDMZIP]:80 works fine
But how do we configure hairpin NAT when using NGFW mode? I would be happy with either the internal or external IP, as long as the port changes. The command 'set match-vip enable' doesn't exist in NGFW mode now. I've also tried creating a new VIP and using it in the LAN rule, mapping the internal address to the same address with just the port changed, but this breaks external access as well, even with it not applied to a rule! I've tried not specifying the interface in the VIP and specifying the external IP instead, which works externally again but not internally. Rules were set to allow both original and translated services during testing to rule out rule issues.
set match-vip enable doesn't exist
Internal (lan) source accessing [ExternalIP]:88->[InternalDMZIP]:80 doesn't work
Internal (lan) source accessing [InternalDMZIP]:88->[InternalDMZIP]:80 doesn't work
Any of the above with an SNAT from lan to DMZ to use the interface IP doesn't work
So how do we configure hairpin NAT when using NGFW mode?