1-to-1 NAT question

Anomotion · ‎06-01-2020

Hello,

We have configured 1-to-1 NAT, but there are a few ports we would still like to block. Would I be correct in that the process for doing this would be:

[ol]

Leave the current 1-to-1 NAT rule in place

Create additional port forward rules that DENY the ports we want to block

Add these ports to a new IPv4 Policy that is higher up (and therefore matched first) than the policy for the 1-to-1 NAT?[/ol]

Thanks, in advance, for your insight!

Toshi_Esumi · ‎06-01-2020

Why do you need No.2? You just want only the rest of ports access to follow the current out-to-in (or in-to-out) NAT rule, right? You can simply deny traffic coming in for those specific ports with No.3.

emnoc · ‎06-01-2020

The vip is one part the access rule controls the traffic, can you share what you did since you mention 1-to-1 nat and then port-forward in the same breath so it's confusing what you actually did.

Also keep in mind that fwpolicy ordering of the sequence plays a very very important factor in matching the NAT.

Ken Felix

PCNSE

NSE

StrongSwan

Toshi_Esumi · ‎06-01-2020

Yea, you probably need it. Without the vip, FGT can't determine the outgoing port.

1-to-1 NAT question

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website