NAT Loopback help

I configured SNAT:
public ip -> internal ip
and created a firewall policy so the server can be accessible from the outside.

From: Any-External, Any-Trusted, Any-Optional
To: (SNAT) public ip -> internal ip

Ports: 80 TCP, 443 TCP, 8887 TCP, 8889 TCP

From the outside, the IP is accessible.
I followed this guide https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html to enable NAT Loopback but I still can't access it from my LAN.
Did I miss something here? Any suggestions?

Answers

  • For the record, what firewall model do you have and what Fireware version is it running?

    Turn on Logging on this policy and look at Traffic Monitor to see what shows when you try this from an internal device.
    It should show the NATing source and dest IP addrs, such as this:
    src_ip_nat="10.0.1.1" dst_ip_nat="10.0.1.2"
    If you do see such a log message, then you need to look at the dest device to see why it is not sending reply packets back to the firewall IP addr.

  • Thank you for your reply.

    It's a M200 with v12.1.
    Logging is enabled for the policy.

    In Traffic Monitor I see this:

    2022-10-26 14:53:07 Allow MyIP PublicIP https/tcp 53332 443 1-Intranet 100-OfficeNet Allowed 64 62 (Incoming - 5G onderzoeksproject-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="InternalIP" tcp_info="offset 11 S 1583215469 win 65535"
    

    In the logs I see this:

    FWAllow, Allowed, pri=4, disp=Allow, policy=Incoming---5G-onderzoeksproject-00, protocol=https/tcp, src_ip=MyIP, src_port=53402, dst_ip=PublicIP, dst_port=443, dst_ip_nat=LANIP, src_intf=1-Intranet, dst_intf=100-OfficeNet, rc=100, pckt_len=64, ttl=62, pr_info=offset 11 S 3624931839 win 65535, 3000-0148
    

    So nothing gets denied according to the logs/traffic monitor.
    In the browser I get "the connection has timed out" after a while.
    It's only a problem if I try to browse to its PublicIP or URL from our local network; I can access it without a problem from its internal IP.
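
The first reply says a working NAT loopback entry should show both `src_ip_nat` and `dst_ip_nat`, while the lines posted above carry only `dst_ip_nat`. The following is an added example, not code from this thread or from WatchGuard: a small parser for the two Fireware log formats shown above (the Traffic Monitor line with `key="value"` pairs and the comma-separated log-server line) that extracts the NAT fields and classifies each allowed connection by which rewrites the firewall logged. The sample lines are constructed, modelled on the ones in the thread, with documentation and private addresses in place of the real ones; the field names are the ones visible in the posts.

```python
import re
from typing import Dict

# Constructed sample lines, modelled on the two formats quoted in this thread.
# Addresses are documentation/private ranges, not the poster's real ones.
SAMPLE_TRAFFIC_MONITOR = (
    '2022-10-26 14:53:07 Allow 10.0.1.25 203.0.113.10 https/tcp 53332 443 '
    '1-Intranet 100-OfficeNet Allowed 64 62 (Incoming-00) proc_id="firewall" '
    'rc="100" msg_id="3000-0148" dst_ip_nat="10.0.2.80" '
    'tcp_info="offset 11 S 1583215469 win 65535"'
)
SAMPLE_LOG_SERVER = (
    'FWAllow, Allowed, pri=4, disp=Allow, policy=Incoming-00, protocol=https/tcp, '
    'src_ip=10.0.1.25, src_port=53402, dst_ip=203.0.113.10, dst_port=443, '
    'dst_ip_nat=10.0.2.80, src_intf=1-Intranet, dst_intf=100-OfficeNet, rc=100, '
    'pckt_len=64, ttl=62, pr_info=offset 11 S 3624931839 win 65535, 3000-0148'
)
# Constructed line showing what the first reply says a working loopback entry
# should contain: both the destination and the source rewritten by the firewall.
SAMPLE_LOOPBACK_OK = (
    '2022-10-26 14:55:10 Allow 10.0.1.25 203.0.113.10 https/tcp 53340 443 '
    '1-Intranet 100-OfficeNet Allowed 64 62 (Incoming-00) proc_id="firewall" '
    'rc="100" msg_id="3000-0148" src_ip_nat="10.0.2.1" dst_ip_nat="10.0.2.80"'
)

QUOTED_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_fireware_line(line: str) -> Dict[str, str]:
    """Extract key=value fields from either Fireware log format.

    Quoted key="value" pairs (Traffic Monitor style) are pulled out first;
    the remainder is split on ', ' so that unquoted values containing spaces
    (e.g. pr_info=offset 11 S ... win 65535) survive intact.
    """
    fields = dict(QUOTED_KV.findall(line))
    rest = QUOTED_KV.sub("", line)
    for token in rest.split(", "):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key.strip(), value.strip())
    return fields


def nat_loopback_state(fields: Dict[str, str]) -> str:
    """Classify an allowed connection by which NAT rewrites were logged."""
    has_dnat = "dst_ip_nat" in fields
    has_snat = "src_ip_nat" in fields
    if has_dnat and has_snat:
        return "loopback-ok"      # server sees the firewall, replies go back through it
    if has_dnat:
        return "dst-nat-only"     # server sees the client's real LAN address
    return "no-nat"


def triage(line: str) -> Dict[str, str]:
    """Return the NAT state plus the addresses a troubleshooter would want."""
    f = parse_fireware_line(line)
    return {
        "state": nat_loopback_state(f),
        "src_ip_nat": f.get("src_ip_nat", "-"),
        "dst_ip_nat": f.get("dst_ip_nat", "-"),
        "dst_intf": f.get("dst_intf", "-"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TRAFFIC_MONITOR, SAMPLE_LOG_SERVER, SAMPLE_LOOPBACK_OK):
        print(triage(sample))
```

A `dst-nat-only` result on a LAN-to-public-IP connection is the thing to look at: the server then receives the client's real LAN address as the source and can answer it directly rather than via the firewall, which is the case the first reply asks you to check on the destination device.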

  • I am not aware of any NAT loopback issues for V12.1

    Since you are running V12.1, you really should use the V12.1 version of the Fireware Help, which is here:
    https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/_Fireware_intro/fireware_help_front.html

    I don't see any real difference in the NAT Loopback section for V12.1 documentation compared to the current doc version.

  • james.carson Moderator, WatchGuard Representative

    Hi @zappit

    You should consider upgrading your firewall to at least v12.5.9 update 2, due to the cyclops blink issue. The version you are currently running is potentially susceptible to this issue. You can upgrade to 12.5.9 update 2 even if your device does not have a support contract.

    You can read more at detection.watchguard.com.

    You can find that version at the bottom of the page here:
    https://software.watchguard.com/SoftwareDownloads?familyId=a2RF00000009dnQMAQ

    -James Carson
    WatchGuard Customer Support

  • What is the interface type set to "Intranet" ? Trusted?
    What happens if you add "Intranet" to the From: field of this policy?

  • Forget that - if "Intranet" wasn't a Trusted or Optional type, the packet wouldn't be allowed.

    Perhaps the firmware upgrade will resolve this.

    One can do packet captures on a firewall interface using TCP dump, which may show something to help.
    Also one can do packet captures on your web server.

    Is there anything on the web server which would block packets from your firewall's public IP addr?
