One to one NAT bounces rules to different boxes

  • I may have this configured entirely wrong, and this is causing my issues.

    built on Thu May 6 06:50:34 EDT 2010

    What I have:
    a /28 assigned by my ISP

    Under Virtual IPs I have the /28 listed as a proxy ARP.

    Then I have One to One NAT listings for each external IP that I want routed inside.

    I created aliases for the servers that I want to pass traffic to (SSH, RDP, SMTP, www).
    These aliases were created for both the external address (/32) and the internal address (/32) per host
    (sshint, sshext, rdpint, rdpext, etc.).

    I then created port forward rules under NAT for each group, so for example: interface WAN, protocol TCP, source any, destination sshext, port SSH, redirect target IP sshint, port SSH, description "ssh in".

    (This is the same for all aliases that I want to forward ports to.)

    What I am experiencing is that when I RDP from the outside to one of the three external IPs that I have assigned, I may end up on another server. I then close that connection, try to RDP into that same IP again, and then I get the machine I wanted to RDP to.

  • For the redirection target of the port forward, are you using an alias that contains multiple IP addresses?  If so, I think that would cause the behavior you are seeing.  It is probably picking a different one of the targets each time you connect.  If you already have 1:1 mappings set up for the machines, you don't need port forwards unless you are trying to change the port number on a connection or override the 1:1 mappings for specific ports, since the ports will already be forwarded by the 1:1 mappings.  Add firewall rules instead for the ports you want to let through.

    If you are just adding the port forwards so you can use NAT Reflection, you could try enabling the new NAT Reflection for 1:1 NAT option instead, if you are using a newer snapshot that has it.

  • Correct, I have aliases set up for the different IP addresses.

    So when using 1:1 NATing I don't need the port forward functionality, just create a WAN firewall rule for traffic to the 1:1. I'm assuming the VIP setup is still needed.

    Another note: will this correct an issue I'm having with ICMP not responding to the IP addresses?

  • From inside the network or into your network from the outside?

  • From the outside to the IP address that I have 1:1.

  • The 1:1 mappings should take care of the address translation for any traffic.  You just need firewall rules to let the traffic through that you want to go through.  Note that the destination used in the firewall rules on WAN will likely be the internal address and not the external address that is mapped to it, because firewall rules apply after translation, not before.
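A small model of the two behaviours this thread turns on: a port forward whose target alias holds several hosts acts as a pool, and WAN firewall rules see the already-translated (internal) destination. This is an added example, not pfSense code or the poster's configuration; the addresses and alias contents are constructed (203.0.113.0/28 stands in for the ISP /28, 10.0.0.0/24 for the LAN).

```python
"""Toy model of pf's processing order as described in the answer above.
Added example, not pfSense code. Addresses are constructed: 203.0.113.0/28
stands in for the ISP /28 and 10.0.0.0/24 for the LAN."""
import random

# Constructed aliases in the thread's rdpext style, plus a multi-host
# alias of the kind the answer suspects is being used as a forward target.
ALIASES = {
    "rdpext": ["203.0.113.3"],
    "servers_int": ["10.0.0.2", "10.0.0.3", "10.0.0.4"],
}
# Constructed 1:1 NAT (pf binat) mappings, external -> internal.
ONE_TO_ONE = {"203.0.113.2": "10.0.0.2", "203.0.113.3": "10.0.0.3"}

def port_forward(pkt, dest_alias, target_alias, rng):
    """Port forward (pf rdr). A multi-address target is a pool and pf picks
    a member per connection, so repeated connects can reach different boxes."""
    if pkt["dst"] in ALIASES[dest_alias]:
        return dict(pkt, dst=rng.choice(ALIASES[target_alias]))
    return pkt

def one_to_one(pkt):
    """1:1 NAT (pf binat): a fixed external -> internal rewrite for every
    protocol, TCP and ICMP alike, with no pool to choose from."""
    return dict(pkt, dst=ONE_TO_ONE.get(pkt["dst"], pkt["dst"]))

def wan_rule_passes(pkt, rules):
    """WAN firewall rules are evaluated after translation, so a rule must
    name the internal address to match traffic arriving via a 1:1 mapping."""
    return any(r["proto"] == pkt["proto"] and r["dst"] == pkt["dst"]
               and r.get("port") == pkt.get("port") for r in rules)

def forward_targets(n_connections, seed=1):
    """Internal hosts reached by n RDP connects to rdpext through the
    multi-host port forward: the 'wrong box' symptom from the first post."""
    rng = random.Random(seed)
    pkt = {"proto": "tcp", "dst": "203.0.113.3", "port": 3389}
    return {port_forward(pkt, "rdpext", "servers_int", rng)["dst"]
            for _ in range(n_connections)}

def one_to_one_passes(pkt, rule_dst):
    """Translate with the 1:1 mapping, then apply one WAN pass rule for rule_dst."""
    rule = {"proto": pkt["proto"], "dst": rule_dst, "port": pkt.get("port")}
    return wan_rule_passes(one_to_one(pkt), [rule])

if __name__ == "__main__":
    rdp = {"proto": "tcp", "dst": "203.0.113.3", "port": 3389}
    ping = {"proto": "icmp", "dst": "203.0.113.3"}
    print(forward_targets(30))                    # more than one host
    print(one_to_one_passes(rdp, "203.0.113.3"))  # False: external dst never matches
    print(one_to_one_passes(rdp, "10.0.0.3"))     # True
    print(one_to_one_passes(ping, "10.0.0.3"))    # True: ICMP only needs a pass rule
```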
