NAT Loopback help
I configured SNAT:
public ip -> internal ip
and created a firewall policy so the server can be accessible from the outside.
From | TO |
---|---|
Any-External, Any-Trusted, Any-Optional | (SNAT) public ip -> internal ip |
Ports: 80 TCP, 443 TCP, 8887 TCP, 8889 TCP
From the outside, the IP is accessible.
I followed this guide https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html to enable NAT Loopback but I still can't access it from my LAN.
Did I miss something here? Any suggestions?
Answers
For the record, what firewall model do you have and what Fireware version is it running?
Turn on Logging on this policy and look at Traffic Monitor to see what shows when you try this from an internal device.
It should show the NATing source and dest IP addrs, such as this:
src_ip_nat="10.0.1.1" dst_ip_nat="10.0.1.2"
If you do see such a log message, then you need to look at the dest device to see why it is not sending reply packets back to the firewall IP addr.
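The check suggested in the answer above, turned into a small script: parse Fireware-style traffic log lines and sort each connection to the public IP into "loopback applied" (both src_ip_nat and dst_ip_nat present), "destination NAT only" (dst_ip_nat present but the source left as the LAN client, so the server replies straight to the client instead of back through the firewall and the client's browser times out), "no translation", or "denied". This is an added example, not code from the thread or from WatchGuard; the sample lines are constructed, and the positional layout (action, in-interface, out-interface, protocol, src, dst, sport, dport followed by key="value" tags) is an assumption about the log format, not a documented one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not real firewall output). They imitate the
# src_ip_nat/dst_ip_nat tags quoted in the answer; everything else about
# the layout is assumed for the purpose of this example.
SAMPLE_LOGS: List[str] = [
    'Allow 1-Trusted 1-Trusted tcp 10.0.1.50 203.0.113.10 51000 443 '
    'src_ip_nat="10.0.1.1" dst_ip_nat="10.0.1.2"',          # loopback worked
    'Allow 1-Trusted 1-Trusted tcp 10.0.1.50 203.0.113.10 51001 80 '
    'dst_ip_nat="10.0.1.2"',                                 # dst NAT only
    'Allow 1-Trusted 1-Trusted tcp 10.0.1.50 10.0.1.2 51002 443',  # direct
    'Deny 1-Trusted 0-External tcp 10.0.1.50 203.0.113.10 51003 8887',
]

# Assumed positional layout: action, in-iface, out-iface, proto, src, dst, sport, dport.
POSITIONAL = re.compile(
    r'^(?P<action>Allow|Deny)\s+(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'(?P<sport>\d+)\s+(?P<dport>\d+)'
)
# Trailing key="value" tags such as src_ip_nat="10.0.1.1".
TAG = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Flow:
    action: str
    src: str
    dst: str
    dport: int
    src_nat: Optional[str]   # firewall address the server sees, if source NAT fired
    dst_nat: Optional[str]   # internal server address, if destination NAT fired


def parse(line: str) -> Optional[Flow]:
    """Return a Flow for one log line, or None if the line does not match the layout."""
    m = POSITIONAL.match(line)
    if not m:
        return None
    tags = dict(TAG.findall(line))
    return Flow(m['action'], m['src'], m['dst'], int(m['dport']),
                tags.get('src_ip_nat'), tags.get('dst_ip_nat'))


def classify(flow: Flow, public_ip: str, internal_ip: str) -> str:
    """Decide what the firewall did with a connection aimed at public_ip."""
    if flow.action == 'Deny':
        return 'denied'
    if flow.dst != public_ip:
        return 'not-loopback'   # client used the internal address (or some other host)
    if flow.dst_nat != internal_ip:
        return 'no-dnat'        # the SNAT rule did not apply to this flow
    if flow.src_nat is None or flow.src_nat == flow.src:
        # Server sees the real LAN client: its SYN-ACK goes directly to the
        # client, which never sent a SYN to 10.0.1.2, so the handshake hangs.
        return 'dnat-only'
    return 'loopback-ok'


def audit(lines: List[str], public_ip: str, internal_ip: str) -> Dict[str, int]:
    """Count verdicts over a batch of log lines (unparseable lines are counted too)."""
    counts: Dict[str, int] = {}
    for line in lines:
        flow = parse(line)
        verdict = classify(flow, public_ip, internal_ip) if flow else 'unparsed'
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == '__main__':
    # Assumed addresses: public 203.0.113.10 maps to internal server 10.0.1.2.
    for line in SAMPLE_LOGS:
        f = parse(line)
        print(classify(f, '203.0.113.10', '10.0.1.2') if f else 'unparsed', '<-', line)
    print(audit(SAMPLE_LOGS, '203.0.113.10', '10.0.1.2'))
```

If every line for the public IP comes back as "loopback-ok", the firewall is translating both addresses and the next place to look is the server itself (host firewall rules or a capture showing whether it answers the firewall's LAN address). Lines that come back "dnat-only" or "no-dnat" point at the policy or the loopback setting on the firewall instead.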
Thank you for your reply.
It's a M200 with v12.1.
Logging is enabled for the policy.
In Traffic Monitor I see this:
In the logs I see this:
So nothing gets denied according to the logs/traffic monitor.
In the browser I get "the connection has timed out" after a while.
It's only a problem if I try to browse to its public IP or URL from our local network; I can access it without a problem from its internal IP.
I am not aware of any NAT loopback issues for V12.1
Since you are running V12.1, you really should use the V12.1 version of the Fireware Help, which is here:
https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/_Fireware_intro/fireware_help_front.html
I don't see any real difference in the NAT Loopback section for V12.1 documentation compared to the current doc version.
Hi @zappit
You should consider upgrading your firewall to at least v12.5.9 Update 2, due to the Cyclops Blink issue. The version you are currently running is potentially susceptible to this issue. You can upgrade to 12.5.9 Update 2 even if your device does not have a support contract.
You can read more at detection.watchguard.com.
You can find that version at the bottom of the page here:
https://software.watchguard.com/SoftwareDownloads?familyId=a2RF00000009dnQMAQ
-James Carson
WatchGuard Customer Support
What is the interface type set to for "Intranet"? Trusted?
What happens if you add "Intranet" to the From: field of this policy?
Forget that - if "Intranet" wasn't a Trusted or Optional type, the packet wouldn't be allowed.
Perhaps the firmware upgrade will resolve this.
One can do packet captures on a firewall interface using tcpdump, which may show something to help.
Also one can do packet captures on your web server.
Is there anything on the web server which would block packets from your firewall's public IP addr?