Inbound NAT redirect question
-
Hi,
Have defined a source alias including several public/non-reserved networks. For the purpose of ICMP, that alias permits those networks to ping the WAN interface. I used that same alias to attempt to allow inbound TCP on 30030 including a redirect to an internal host listening to TCP on that same port.
I can see in the logs that the ICMP works (and can verify that from remote host). But I am unable to get the remote host to talk to TCP 30030. I see it in the logs as being dropped by the cleanup rule. Those packets are passing over a rule I created just for that purpose. So I'm thinking my understanding of how inbound NAT is intended to work is off.
I have the following rule configured (which isn't capturing the traffic):
IPv4 TCP, source of known networks (same alias mentioned above), all source ports, destination WAN interface on 30030.
And then in the NAT port forwarding section, I have the following:
WAN interface, TCP, source of known networks (same alias mentioned above), all source ports, destination WAN interface on 30030, NAT IP of internal object, NAT ports of 30030.
The machine I want to respond is in a DMZ. It has a valid NAT configured for it - it can access the internet ok.
What winds up coming up in the logs is this:
date/time stamp, WAN interface, cleanup rule (drops everything not specifically permitted above it), valid source IP including within ranges declared in the known networks alias (same alias as mentioned above), random source port, IP of internal host I'm trying to get the traffic to, port 30030, TCP:S.
So it's somehow not processing the traffic higher in the list of rules on the WAN interface. Or at least that's what it looks like to me?
I think that explains it... if there are questions, I can provide screen shots.
Thanks much!
BB -
OK, solved it myself: WAN interface rule needed to specify IP&port of internal (NATted) host. Changed that. Traffic passes.
Thanks!
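The fix in the follow-up reflects how pf-based firewalls (pfSense, OPNsense) process inbound traffic: the port forward (rdr) rewrites the destination first, and the WAN filter rules are then evaluated against the translated packet. That is why the log showed the internal host's IP and port 30030 being dropped by the cleanup rule, and why the pass rule must name the internal host rather than the WAN address. The toy model below is an added example, not code from the original post or from any firewall project; the addresses, alias contents and rule names are constructed for illustration.

```python
"""Toy model of pf-style inbound processing: port-forward translation
runs first, then filter rules see the *translated* packet.
Added example; all addresses and rule names are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed stand-ins for the post's alias, WAN address and DMZ host.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
WAN_ADDRESS = "192.0.2.10"
INTERNAL_HOST = "172.16.5.20"
SERVICE_PORT = 30030  # the port from the post


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str          # "tcp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def in_alias(ip: str) -> bool:
    """True if ip falls inside any network of the 'known networks' alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


@dataclass(frozen=True)
class RdrRule:
    """Port forward: rewrite the destination of matching inbound packets."""
    iface: str
    proto: str
    dst: str
    dport: int
    nat_ip: str
    nat_port: int

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface and p.proto == self.proto
                and in_alias(p.src) and p.dst == self.dst and p.dport == self.dport)

    def apply(self, p: Packet) -> Packet:
        return replace(p, dst=self.nat_ip, dport=self.nat_port)


@dataclass(frozen=True)
class FilterRule:
    """First-match filter rule. None for proto/dst/dport means 'any';
    src_known=False means any source."""
    name: str
    action: str          # "pass" or "block"
    iface: str
    proto: Optional[str]
    src_known: bool
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and (self.proto is None or p.proto == self.proto)
                and (not self.src_known or in_alias(p.src))
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))


PORT_FORWARD = [RdrRule("wan", "tcp", WAN_ADDRESS, SERVICE_PORT, INTERNAL_HOST, SERVICE_PORT)]

# What the post started with: the TCP pass rule names the WAN address as destination.
ORIGINAL_RULES = [
    FilterRule("allow-icmp", "pass", "wan", "icmp", True, WAN_ADDRESS, None),
    FilterRule("allow-30030", "pass", "wan", "tcp", True, WAN_ADDRESS, SERVICE_PORT),
    FilterRule("cleanup", "block", "wan", None, False, None, None),
]

# The fix from the follow-up: destination is the internal (NATted) host and port.
FIXED_RULES = [
    FilterRule("allow-icmp", "pass", "wan", "icmp", True, WAN_ADDRESS, None),
    FilterRule("allow-30030", "pass", "wan", "tcp", True, INTERNAL_HOST, SERVICE_PORT),
    FilterRule("cleanup", "block", "wan", None, False, None, None),
]


def evaluate(p: Packet, rdr_rules, filter_rules) -> Tuple[str, str, Packet]:
    """Translate first, then filter the translated packet. Returns (action, rule, packet)."""
    for r in rdr_rules:
        if r.matches(p):
            p = r.apply(p)
            break
    for f in filter_rules:
        if f.matches(p):
            return f.action, f.name, p
    return "block", "implicit-default-deny", p


def decide(filter_rules, proto: str, dport: Optional[int]):
    """Result for a packet from a known network to the WAN address (constructed source)."""
    pkt = Packet("wan", proto, "198.51.100.7", 51234 if proto == "tcp" else None, WAN_ADDRESS, dport)
    action, rule, out = evaluate(pkt, PORT_FORWARD, filter_rules)
    return action, rule, out.dst, out.dport


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label, "icmp      ->", decide(rules, "icmp", None))
        print(label, "tcp/30030 ->", decide(rules, "tcp", SERVICE_PORT))
```

Running it shows the two behaviours from the post side by side: ICMP passes under both rule sets because no port forward touches it, so the WAN-address destination still matches; TCP 30030 reaches the filter with destination 172.16.5.20:30030, falls past the WAN-address pass rule and hits the cleanup rule until that rule's destination is changed to the internal host. Setting "Filter rule association" to create an associated rule when adding the port forward produces exactly this internal-destination rule automatically.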