USG210: NAT-Loopback warning in log. Why?






I have a setting with several NAT port forwardings and loopback activated. Everything works fine but when I restart the device I have warnings about NAT configuration as follows:
647 2019-12-24 10:13:16
info nat CONFIG CHANGE
NAT rule HTTP1 has been created.
648 2019-12-24 10:13:16
alert file-manage
WARNING: #configure terminal ip virtual-server HTTP1 interface wan1 source-ip WAN1_IP original-ip WAN1_IP map-to WebBox map-type original-service HTTP mapped-service HTTP nat-loopback, Original IP cannot be set to ANY while NAT-Loopback is activated because it might cause device unreachable.
The warning says that "Original IP cannot be set to ANY". But you also see that in fact the original-ip is WAN1_IP.
So why do I have that warning?
Accepted Solution
-
Hi @FrankLauer,
During the reboot process, the interface is not ready and the check result hits the restriction "Original IP cannot be set to ANY". That's why it shows the warning message when you use an address object as the Original IP. After the device boots up completely, the interface is ready and the warning message doesn't appear anymore. You can ignore the warning message.
Emily5
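An added example, not part of the thread and not Zyxel code: a Python triage helper that reads exported log entries in the format quoted in the question, pulls the `original-ip` value out of the command echoed in each warning, and separates the config-load case described in the accepted answer from a rule that really is set to ANY. It assumes each log entry has been joined onto one line, that the CLI spells the keyword `any`, and the verdict names are made up for this example.

```python
import re

# Constructed sample: the two entries quoted in the question, joined one entry per line.
SAMPLE_LOG = [
    "647 2019-12-24 10:13:16 info nat CONFIG CHANGE NAT rule HTTP1 has been created.",
    "648 2019-12-24 10:13:16 alert file-manage WARNING: #configure terminal "
    "ip virtual-server HTTP1 interface wan1 source-ip WAN1_IP original-ip WAN1_IP "
    "map-to WebBox map-type original-service HTTP mapped-service HTTP nat-loopback, "
    "Original IP cannot be set to ANY while NAT-Loopback is activated because it "
    "might cause device unreachable.",
]

ENTRY = re.compile(r"^\d+ (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ (.*)$")
CREATED = re.compile(r"NAT rule (\S+) has been created\.")
WARNING = re.compile(r"ip virtual-server (\S+) (.*?), Original IP cannot be set to ANY")

def value_after(tokens, key):
    """Return the token following `key`, or None if the key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def triage(lines):
    """Classify each NAT-loopback warning by what the logged command really contains."""
    entries = [m.groups() for m in map(ENTRY.match, lines) if m]
    # Pass 1: remember when each NAT rule was (re)created by the config load.
    created = {c.group(1): ts for ts, msg in entries if (c := CREATED.search(msg))}
    findings = []
    # Pass 2: inspect the command echoed inside each warning.
    for ts, msg in entries:
        w = WARNING.search(msg)
        if not w:
            continue
        rule, tokens = w.group(1), w.group(2).split()
        original_ip = value_after(tokens, "original-ip")
        if original_ip is None or original_ip.lower() == "any":  # keyword spelling assumed
            verdict = "uses-any"                # the rule itself needs fixing
        elif created.get(rule) == ts:
            verdict = "object-at-config-load"   # the case the accepted answer describes
        else:
            verdict = "object-outside-config-load"  # not explained by the answer; look closer
        findings.append({"time": ts, "rule": rule, "original_ip": original_ip,
                         "nat_loopback": "nat-loopback" in tokens, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A warning that shares its timestamp with the rule's "has been created" entry and names an address object is the pattern from this thread; anything classified otherwise deserves a look at the rule itself.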
All Replies
-
Hi @FrankLauer,
What is the firmware version on your USG210?
Can you share a screenshot of the warning message with us?
I use the firmware 4.35(AAPI.2) and create a NAT rule as follows. After the device reboots, there is only the log "NAT rule test has been created."
Go to the NAT configuration page and there is no warning message.
Emily0 -
Hi Emily,
I have the same firmware and the same NAT configuration as shown in your image.
But the warning is in the category 'File Manager' as priority alert (red).
After boot you may select this cat or cat 'all' and it should appear.
EDIT:
Ok, I found a difference. You are using a fixed IP for 'External IP'. With this setting I also don't have a warning (I checked it now).
But I normally use an address object for that, as recommended in various tutorials.
The address object I call 'WAN1_IP' and it is of type INTERFACE IP to the interface wan1. With that setting I don't need to touch the NAT rule if the WAN address may change.
0 -
Thank you :)