NAT on outgoing policy?



  • I have a netscreen 10 in route mode and I’m using MIP to map public IPs on the untrust to private IPs on the trust.  I have set up my imcoming policies and I have one outgoing policy that allows “inside any” to “outside any” with NAT enabled.  Everything is working great, except!  From any computer on the internal network, when I go to whatismyip.org, it shows the IP of the firewall.  This is causing a problem for me.  I want it to show the IP address that is the public MIP.  For example, I have a public IP of 216.26.163.240 MIP to 192.168.0.240.  The firewall IP is 216.26.163.209.  To the outside world, any traffic from any computer on my network appears to come from 216.26.163.209.

    I tried turning off NAT for the outgoing any  to any policy, but when I do that, my computers cannot talk to the internet.  Do I need to add a new route or is this possible?

    Thanks for ANY help you can provide.

    Tom



  • Spotgig,

    I’m not sure what code you are running but You should be able to put the interface that is in the untrust zone into route mode -

    set interface zzz route

    When you try initate an outboud connection from 192.168.0.240 - the outbound packet should leave with the MIP address.

    Is the request being permitted by policy 14 or denied by a different policy?

    try get log traff pol 14 when you attempt a connection.

    Also a debug will tell you what is happening,

    set cons dbuf
    set ff src-ip 192.168.0.240
    debug flow basic

    try the connection

    get dbuf stream

    Don’t forget to stop the debug afterwards - undebug all



  • thanks for the reply wilmac.

    All interfaces should be in routes mode

    I have the trusted interface set to Route mode.  There does not appear to be a way to set the Untrust interface to route mode.

    So the outgoing policy should be:  set pol id XX from trust to untrust any any any permit log

    My outgoing trust to untrust poilcy is:  set policy id 14 outgoing “Inside Any” “Outside Any” “ANY” nat Permit
    (The syntax is different on this because it’s an older OS.)  If I take out the NAT then I can still get IN from the internet but my computers cannot get OUT.  I’m using the web interface to make the change.  None of my incoming policies have nat enabled.

    Am I doing something wrong?



  • If you have a MIP on the untrust interface to an internal address - this is bi-directional.
    So the outgoing policy should be
    set pol id XX fron trust to untrust any any any permit log  - with no need to add nat because if you initiate a connection from the internal address above it will take the MIP on the way out.
    All interfaces should be in routes mode.


 

20
Online

38.4k
Users

12.7k
Topics

44.5k
Posts