USG210: NAT-Loopback warning in log. Why?

FrankLauer
FrankLauer Posts: 50  Ally Member
First Comment First Answer Friend Collector Fourth Anniversary
edited April 2021 in Security

I have a setting with several NAT port forwardings and loopback activated. Everything fworks fine but when I restart the device I have warnings about NAT configuartion as follows:


647 2019-12-24 10:13:16                                            


   info              nat                  CONFIG CHANGE                                 


   NAT rule HTTP1 has been created.


648 2019-12-24 10:13:16                                            


   alert             file-manage                                                          


   WARNING: #configure terminal ip virtual-server HTTP1 interface wan1 source-ip WAN1_IP original-ip WAN1_IP map-to WebBox map-type original-service HTTP mapped-service HTTP nat-loopback, Original IP cannot be set to ANY while NAT-Loopback is activated because it might cause device unreachable.


The warning says that "Original IP cannot be set to ANY". But you also see that in fact the original-ip is WAN1_IP.


So why I do have that warning?

Accepted Solution

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,385  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @FrankLauer,

    What is the firmware version on your USG210?

    Can you share the screen shot of the warning message with us?

    I use the firmware 4.35(AAPI.2) and create a NAT rule as follows. After the device reboots, there is only log "NAT rule test has been created."

    Go to the NAT configuration page and there is no warning message.

  • FrankLauer
    FrankLauer Posts: 50  Ally Member
    First Comment First Answer Friend Collector Fourth Anniversary
    edited December 2019

    Hi Emily,

    I have the same firmware and the same NAT configuration as shown in your image.

    But the warning is in the category 'File Manager' as priority alert (red).

    After boot you may select this cat or cat 'all' and it should appear.


    EDIT:

    Ok, I found a difference. You are using a fix IP for 'External IP'. With this setting I also don't have an warning (I checked it now.)

    But I use normally an address object for that, as recommended in various tutorials.

    The adress object I call 'WAN1_IP' and it is of type INTERFACE IP to the interface wan1. With that setting I don't need to touch the NAT rule if the WAN address may change.

  • FrankLauer
    FrankLauer Posts: 50  Ally Member
    First Comment First Answer Friend Collector Fourth Anniversary

    Thank you :)

Security Highlight