NAT loopback from optional back to optional again
Some of the smaller HPE ProLiant servers don't have a dedicated iLO (Management) port; they share the LAN port with the iLO. This all works fine except the server itself cannot access the iLO because it's like a loopback issue. The server and the iLO each have their own IP address, and the iLO can be accessed from any other host on the subnet ok.
I had a theory that I could NAT loopback off the Firebox interface. So, from the server I could query the address <firebox.optional.interface.ip> and this would NAT it back to <hpe.ilo.interface.address>. To be clear, these are both in the same subnet on the same eth port on the Firebox.
So I added a policy with a SNAT to do this:
FROM: <hpe.server.address>
TO: SNAT: <any.optional> --> <hpe.ilo.interface.address>
And I just get this in the log:
So, it's kind of working but I think it is doing the NAT using the Firebox external interface IP, which is not going to work.
Have I just got something a bit wrong on the SNAT or am I asking the impossible?
Thanks!
Comments
So it doesn’t work?
Access to/from the same subnet won’t go via the firewall, so this seems like it should work
Bruce, the theory I had in my head was this. Let's say my server is 10.0.0.1, and the iLO is 10.0.0.5. I wanted to point my server browser at the Firebox, call that 10.0.0.254 on port 4433. The Firebox would then SNAT this to 10.0.0.5 on 443. The policy rule and SNAT are firing ok, so I was thinking the iLO would 'see' the connection as coming from 10.0.0.254 and I could connect.
I'm the first to admit I may be trying something here that is just not possible.
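The comment above describes the expected packet flow (server 10.0.0.1 to Firebox 10.0.0.254:4433, translated to iLO 10.0.0.5:443). The following is an added example, not code from this thread or from WatchGuard, that models why a same-subnet NAT only works when the firewall rewrites the source address as well as the destination (hairpin/loopback NAT). It uses the constructed addresses from the comment; the `hairpin` flag is a parameter of this toy model, not a Fireware setting, and the conntrack handling is simplified (a real device may also pick a new source port).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses, taken from the illustration in the comment above.
SERVER = "10.0.0.1"        # the host that shares its LAN port with the iLO
ILO = "10.0.0.5"           # the iLO's own address on the same subnet
FIREBOX_IF = "10.0.0.254"  # the Firebox optional interface the server connects to
SUBNET = ip_network("10.0.0.0/24")

# The policy from the thread: anything sent to the Firebox on 4433 is SNAT'd to the iLO on 443.
POLICY = {"match_dst": FIREBOX_IF, "match_dport": 4433, "to": ILO, "to_port": 443}


def translate_request(pkt: Packet, hairpin: bool):
    """Apply the policy to a packet that arrived at the Firebox.

    Returns (translated packet, conntrack entry). With hairpin=True the source is
    also rewritten to the Firebox interface when client and target share a subnet.
    """
    if pkt.dst != POLICY["match_dst"] or pkt.dport != POLICY["match_dport"]:
        return pkt, None  # policy does not match; forward unchanged
    xlated = replace(pkt, dst=POLICY["to"], dport=POLICY["to_port"])
    same_subnet = ip_address(pkt.src) in SUBNET and ip_address(xlated.dst) in SUBNET
    if hairpin and same_subnet:
        xlated = replace(xlated, src=FIREBOX_IF)
    return xlated, (pkt, xlated)  # entry maps original <-> translated


def reply_reaches_client(entry) -> bool:
    """Simulate the iLO's reply and check whether the server's socket would accept it."""
    orig, xlated = entry
    # The iLO answers whoever it saw as the source.
    reply = Packet(src=xlated.dst, sport=xlated.dport, dst=xlated.src, dport=xlated.sport)
    # A same-subnet host delivers directly; the reply only passes the Firebox if it is addressed to it.
    if reply.dst == FIREBOX_IF:
        reply = Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
    # The server only accepts a reply that matches the connection it opened (firebox:4433 -> server:sport).
    expected = (orig.dst, orig.dport, orig.src, orig.sport)
    return (reply.src, reply.sport, reply.dst, reply.dport) == expected


def connection_works(hairpin: bool) -> bool:
    request = Packet(src=SERVER, sport=50000, dst=FIREBOX_IF, dport=4433)
    _, entry = translate_request(request, hairpin)
    return reply_reaches_client(entry)


def source_seen_by_ilo(hairpin: bool) -> str:
    """Which address ends up in the iLO's own access log for this connection."""
    request = Packet(src=SERVER, sport=50000, dst=FIREBOX_IF, dport=4433)
    xlated, _ = translate_request(request, hairpin)
    return xlated.src


if __name__ == "__main__":
    for mode in (False, True):
        print(f"hairpin={mode}: works={connection_works(mode)}, "
              f"iLO sees source {source_seen_by_ilo(mode)}")
```

Without the source rewrite the iLO replies straight to 10.0.0.1 from 10.0.0.5, the reply never passes the Firebox, and the server discards it because it expected an answer from 10.0.0.254:4433. With the rewrite the session completes, but the iLO's own audit log then records the Firebox address rather than the real client, so client attribution has to come from the Firebox traffic log instead.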
Bruce - I think I may have got it working now - just a bit of fat fingers on my part I think...
The above is using NAT loopback which goes via the external IP addr.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html
I can't think of another way to do what you want.
I can access resources with other IP addrs on my PC, such as Dimension.
No idea why this doesn't work on your server.