Internal/External Access
Morning All,
Been smashing my head against a wall with this one for a little while now, thought I'd reach out for some help.
We have a CCTV system that can be accessed from the Web by using a SNAT rule to direct the Hikvision ports to it, works fine.
What doesn't work is accessing the CCTV via its external IP address whilst within the network, using the Hikvision App.
Tried a few things from old forum threads but still none the wiser:
- Network>NAT> New Dynamic NAT rule that takes any traffic from the Internal VLAN to the external IP of the network and sets the source IP to that of the WatchGuard - this is in line with what Bruce_Briggs posted here.
- I also have the following rule implemented which goes from my Internal VLAN to the SNAT rule, listed here
As mentioned before neither seem to be working but only on the Hikvision app, any ideas would be greatly appreciated - maybe this is better suited on a Hikvision forum as it does seem the rules are working...?
Jack
Comments
Use NAT loopback.
NAT Loopback and Static NAT (SNAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
Thanks Bruce, I have that rule in place already - sorry, should have said!
Have you tried looking at your outbound rules / proxies to make sure something like DPI isn't interfering with the connection?
Even with a NAT Loopback rule you have to go out before you come back in.
It's usually something simple.
Make sure that your NAT loopback policy is using a packet filter and not a proxy.
And make sure that it is above the existing incoming policy.
You can do packet captures on the firewall using TCP Dump, which may show something to help.
See the TCP Dump and the "About TCP Dump Arguments" sections here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Definitely a packet filter.
'Twas not above the incoming policy, I've changed that now, will get it tested and see! Hopefully it is as simple as my policy ordering...
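The source-rewriting Dynamic NAT rule from the opening post, modelled as an added example that is not part of the thread: it traces one request and reply through a NAT loopback with and without the source rewrite. The addresses are constructed, and it assumes the client and the camera share one VLAN so the camera can answer the client directly.

```python
from dataclasses import dataclass, replace

# Constructed addresses, not taken from the thread.
CLIENT = "10.0.10.50"     # phone running the app on the internal VLAN
CAMERA = "10.0.10.20"     # CCTV recorder, assumed to be on the same VLAN
FW_INSIDE = "10.0.10.1"   # firewall's internal interface
PUBLIC = "203.0.113.10"   # external IP the app is pointed at


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def firewall_in(pkt, rewrite_source):
    """Loopback step: static NAT the public IP to the camera and,
    optionally, rewrite the source to the firewall's internal address."""
    if pkt.dst != PUBLIC:
        return pkt
    out = replace(pkt, dst=CAMERA)
    return replace(out, src=FW_INSIDE) if rewrite_source else out


def hairpin(rewrite_source):
    """Return (reply as the client sees it, whether the client accepts it)."""
    request = Packet(CLIENT, PUBLIC)
    at_camera = firewall_in(request, rewrite_source)
    # The camera answers whichever source address it saw.
    reply = Packet(CAMERA, at_camera.src)
    if reply.dst == FW_INSIDE:
        # The reply goes back through the firewall, which reverses both
        # translations using its connection table.
        reply = Packet(PUBLIC, CLIENT)
    # The client only accepts a reply from the address it connected to.
    accepted = reply.dst == CLIENT and reply.src == request.dst
    return reply, accepted


if __name__ == "__main__":
    for rewrite in (False, True):
        reply, ok = hairpin(rewrite)
        print(f"source rewrite={rewrite}: reply from {reply.src}, accepted={ok}")
```

Without the source rewrite the reply arrives from the camera's internal address, so a capture on the firewall would show the request passing through but no return traffic.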