Netgate Discussion Forum

    NAT'ing Help Needed

      msmcknight

      I am trying to set up a segment that is completely natted with static 1:1 natting, where the traffic only passes when using the natted address.

      My network looks like this:
      [Attached image: Untitled.jpg]

      I created a Virtual IP at 10.3.3.88 and set up a 1:1 NAT for host 10.7.7.8. Host 10.3.3.123 should only communicate with 10.3.3.88, never trying to reach the 10.7.7.8 address directly.

      Traffic leaving 10.7.7.8 appears to be natted as host 10.3.3.123 sees the traffic as coming from 10.3.3.88. But traffic from .123 to .88 fails unless I create a rule allowing traffic from .123 to .7.7.8. When I do this, traffic from .123 can pass directly to .7.7.8 without having to use the natted address (.88) at all.

      I want to block traffic going directly to .7.7.8 and force any traffic for that host to use the natted address (10.3.3.88) only. How can I do this?

        viragomann @msmcknight

        @msmcknight
        I'm wondering what the sense of doing this is.

        And I think it might not be possible at all.
        You have to allow access from 10.3.3.123 to 10.7.7.8. So despite the NAT, 10.3.3.123 will be able to use either IP, the natted one and the original as well.

          msmcknight @viragomann

          @viragomann I'm trying to simulate a customer's network for troubleshooting an issue they are having. They have many more firewalls between the two hosts as traffic moves through their network. I was trying to reproduce it in a more compressed manner to save some time. Thank you for the quick reply.

            viragomann @msmcknight

            @msmcknight
            With 10.3.3.88 assigned to pfSense and forwarding to 10.7.7.8, you should be able to access the host with 10.3.3.88. So this should be sufficient for testing, I think.

              msmcknight @viragomann

              @viragomann Yes, it is, but in the customer's environment they can't access the host's native address from the 10.3.3 segment and I was hoping to replicate that limit as well.
