Nat Loopback not Working

ticsystems
ticsystems Posts: 52  ZCNE Certified
First Anniversary ZCNE Security Level 1 Certification - 2020 10 Comments Nebula Gratitude
Hello!
I have an ATP700 behind DMZ and Nat LoopBack is not working.

If my public ip is set to External it doesn't work.

I have added security policy.
Thanks!

All Replies

  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2021

    How can it work if you don't give your WAN interface the WAN IP?

    If you put in 172.26.10.245 then it will loop back to the port on the LAN.

    Have you done a from LAN to LAN rule?


  • ticsystems
    ticsystems Posts: 52  ZCNE Certified
    First Anniversary ZCNE Security Level 1 Certification - 2020 10 Comments Nebula Gratitude
    PeterUK said:

    How can it work if you don't give your WAN interface the WAN IP?

    If you put in 172.26.10.245 then it will loop back to the port on the LAN.

    Have you done a from LAN to LAN rule?



    Hello Peter.
    I haven't created a LAN to LAN rule.

    My ISP redirects all ports to 172.26.10.245 (ge2 ATP700).
    If I add the object with my public IP in "External IP" the ports are not open.

    If I add the object "interface IP" (172.26.10.245)
    in "Internal IP" the ports are open but NAT loopback does not work.

    If I delete any object in "Internal IP" and add any, the ports are open.

    What do I have to add so that my firewall knows what my public IP is and works?
  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    Your ISP router would have to do NAT Loopback of your WAN IP.

    The way NAT Loopback works is say your LAN PC has 192.168.1.2 and you want to go to your WAN IP to loopback to server PC 192.168.1.3 with your NAT rule with loopback to a port.

    As your WAN IP is not the WAN IP, NAT loopback can't loop back because your WAN IP is 172.26.10.245, which is not the WAN IP you're going to.


  • ticsystems
    ticsystems Posts: 52  ZCNE Certified
    First Anniversary ZCNE Security Level 1 Certification - 2020 10 Comments Nebula Gratitude
    edited December 2021

    Thanks Pete

    I am not used to working behind DMZ. I usually work with Public IP on my ATP WAN.

  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2021

    A feature you could put in ideas is to add other IP/FQDN to NAT loopback for.


  • ticsystems
    ticsystems Posts: 52  ZCNE Certified
    First Anniversary ZCNE Security Level 1 Certification - 2020 10 Comments Nebula Gratitude
    PeterUK said:

    A feature you could put in ideas is to add other IP/FQDN to NAT loopback for.



    PeterUK said:

    Your ISP router would have to do NAT Loopback of your WAN IP.

    The way NAT Loopback works is say your LAN PC has 192.168.1.2 and you want to go to your WAN IP to loopback to server PC 192.168.1.3 with your NAT rule with loopback to a port.

    As your WAN IP is not the WAN IP, NAT loopback can't loop back because your WAN IP is 172.26.10.245, which is not the WAN IP you are going to.


    I don't understand. An FQDN with my WAN ip 172.26.10.245?
  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2021
    PeterUK said:

    A feature you could put in ideas is to add other IP/FQDN to NAT loopback for.




    I don't understand. An FQDN with my WAN ip 172.26.10.245?
    But 172.26.10.245 is not your true WAN IP, so if your WAN IP is 5.2.2.2 you put that in NAT loopback; even if the WAN IP is 172.26.10.245 it will loop back for 5.2.2.2, your true WAN IP.

    something like this:

  • ticsystems
    ticsystems Posts: 52  ZCNE Certified
    First Anniversary ZCNE Security Level 1 Certification - 2020 10 Comments Nebula Gratitude
    PeterUK said:
    PeterUK said:

    A feature you could put in ideas is to add other IP/FQDN to NAT loopback for.




    I don't understand. An FQDN with my WAN ip 172.26.10.245?
    But 172.26.10.245 is not your true WAN IP, so if your WAN IP is 5.2.2.2 you put that in NAT loopback; even if the WAN IP is 172.26.10.245 it will loop back for 5.2.2.2, your true WAN IP.

    something like this:

    Hi Peter. Happy new year!

    This option does not appear in ATP. Is there any way for it to appear?
  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    It's a mock-up of what's needed; you have to put it in ideas.

    Another way that should work is by DNS in the ATP to have your domain point to the internal IP of the server.


  • PeterUK
    PeterUK Posts: 2,656  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2022

    Doing a test, you might be able to get NAT loopback to work if your WAN IP is static: all you have to do is make another NAT rule with the same settings and put in your real external WAN IP, even if it's not on the ATP interface.
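The following is an added illustration, not code from the thread or from Zyxel: a small model of how a LAN-originated flow meets a virtual-server rule, using the addresses from this thread (ATP700 interface 172.26.10.245, PeterUK's example public IP 5.2.2.2, LAN PC 192.168.1.2, server 192.168.1.3). It assumes, as a simplification rather than Zyxel's documented algorithm, that loopback fires only when the destination equals the rule's external IP, which is why the interface-IP rule forwards untranslated while the real-public-IP rule from the last post loops back; the LAN subnet and gateway are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread; the LAN subnet and gateway are constructed here.
LAN_NET = ip_network("192.168.1.0/24")
LAN_GW = "192.168.1.1"          # constructed: firewall's LAN-side address
WAN_IF_IP = "172.26.10.245"     # ge2 of the ATP700, handed out by the ISP DMZ
PUBLIC_IP = "5.2.2.2"           # PeterUK's example "true" WAN IP

@dataclass
class VirtualServer:
    external_ip: str   # the "External IP" object on the NAT rule
    internal_ip: str   # server behind the firewall
    port: int
    loopback: bool = True

@dataclass
class Result:
    src: str
    dst: str
    action: str

def translate(src: str, dst: str, dport: int, rule: VirtualServer) -> Result:
    """Model of how a flow meets a virtual-server rule.

    Assumption (not Zyxel's documented algorithm): the rule matches on the
    rule's external IP, not on whatever address the WAN interface carries,
    so loopback only fires when dst == rule.external_ip.
    """
    if ip_address(dst) != ip_address(rule.external_ip) or dport != rule.port:
        return Result(src, dst, "no match: forwarded toward WAN untranslated")
    if ip_address(src) not in LAN_NET:
        return Result(src, rule.internal_ip, "inbound DNAT")
    if not rule.loopback:
        return Result(src, dst, "match but NAT loopback disabled")
    # Loopback: DNAT to the server and SNAT to the LAN gateway so the reply
    # returns through the firewall instead of straight to the client.
    return Result(LAN_GW, rule.internal_ip, "loopback DNAT+SNAT")

# ticsystems' ports-open-but-no-loopback setup: external IP = interface IP
rule_if = VirtualServer(WAN_IF_IP, "192.168.1.3", 443)
# PeterUK's suggestion: put the real public IP on the rule, even if not on ge2
rule_pub = VirtualServer(PUBLIC_IP, "192.168.1.3", 443)

if __name__ == "__main__":
    for rule in (rule_if, rule_pub):
        print(rule.external_ip, translate("192.168.1.2", PUBLIC_IP, 443, rule))
```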
