Match default rule, DNAT Packet, DROP

Hoygen83
Hoygen83 Posts: 21  Freshman Member
First Comment Second Anniversary
edited April 2021 in Security

I just deployed an ATP200 and upgraded his firmware to the V4.35(ABFW.3)

Then I made a nat rule:

from public_ip port xxxx translate to internal_ip port yyyy

I made the relevant security policy:

from wan1 to internal_ip port xxxx allow

I keep getting "Match default rule, DNAT Packet, DROP"

How can I troubleshoot using the web console or the tools inside the firewall and see why DNAT is failing?

Also I would troubleshoot if It is missing a route, or pat (port address translation) is failing or nat (network address) is failing.

Accepted Solution

All Replies

  • Hoygen83
    Hoygen83 Posts: 21  Freshman Member
    First Comment Second Anniversary

    Trying to troubleshoot the message: "Match default rule, DNAT Packet, DROP"

    i edited the security policy that now is.

    from wan to internal_ip allow all

    and the log message changed, now it is:

    priority:1, from WAN to ANY, TCP, service others, DNAT Packet, ACCEPT

    but if i telnet to public_ip xxxx i still get impossible to get connection.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments

    Hi @Hoygen83

    You can check if the telnet service is enabled on the device.

    Go to Configuration > System > TELNET > enable the telnet, and try to telnet again

    image001-red.png


  • Hoygen83
    Hoygen83 Posts: 21  Freshman Member
    First Comment Second Anniversary

    thanks the service is up.

    But still i have the issue.

  • tag2103
    tag2103 Posts: 1  Freshman Member
    First Comment Friend Collector
    @Hoygen83
    I was having the same issue on a USG60 with a simple SSH configuration. I kept getting the same DNAT error. In my case I changed the IPv4 Source from a Geo_filter to "any" and the ssh traffic could then flow. @Zyxel_Jerry is this expected behavior? Why does a geographic filter cause the DNAT to fail?


    if activated here:

    results in:


    Whereas if policy is as such:

    results in:

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    @tag2103
    Have you checked your public IP address on GeoIP page of device?

    For your description, it seems the Public IP does not belong in US country, so the session will be drop.
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Is Content Filter license enabled? 

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)