DNAT failed to work


Issue Description

A DNAT policy was configured, but the public IP could be pinged while the service behind it could not be accessed.

Handling Process

1. Check the policy: it has no Hit Count, which means the traffic is not hitting the policy.
2. Check that the Src Zone is the specific WAN zone where the public IP is located.
3. In the DNAT policy, verify that the Destination IP is configured on the device's WAN interface. (If the public IP is not configured on the WAN interface, add the IP to the WAN interface.)
4. Check the Services field: the policy is using a custom service.
5. Go to Objects > Services > Custom Services, click on the service name and check the configuration.
6. The Src Port is specified as port 4433. With this setting, the policy only matches when the source PC uses its own port 4433 to access the server's port 4433, so connections from any other source port cannot match the policy.
7. Change the Src Port to all ports (0-65535).
8. Check the DNAT policy's Translate details and make sure the Translate IP Address and Port To are the correct server IP and port.
9. Make sure the NGAF is able to telnet to the server port. (If telnet fails, check whether the port is listening; otherwise, check the connection between the NGAF and the server.)
10. Make sure Add ACL policy automatically is selected in the DNAT policy so that the Application Control policy does not block the traffic.
11. Save the policy and try accessing the server through the public IP. Access now works (the policy has a hit count in this case).

Root Cause

The policy used a custom service whose Src Port was set to 4433, so users could not reach the server from any other source port. (Most PCs use a random source port unless the client application is configured to use a specific one.)

Solution

Change the custom service's Src Port to all ports (0-65535).
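
The matching behaviour behind steps 6-7 and the Root Cause, as an added example: a simplified model written for this page, not NGAF code or the author's. It replays client flows with ephemeral source ports against the policy before and after the fix, and includes a small lint for service objects with a narrowed Src Port. The addresses, the service name `custom-4433` and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

ALL_PORTS = (0, 65535)

@dataclass
class Service:
    name: str
    protocol: str
    src_ports: tuple  # inclusive (low, high)
    dst_ports: tuple

    def matches(self, proto, sport, dport):
        (s_lo, s_hi), (d_lo, d_hi) = self.src_ports, self.dst_ports
        return proto == self.protocol and s_lo <= sport <= s_hi and d_lo <= dport <= d_hi

@dataclass
class DnatPolicy:
    src_zone: str
    dst_ip: str
    service: Service
    translate_ip: str
    translate_port: int
    hit_count: int = 0

    def translate(self, zone, proto, sport, dst_ip, dport):
        """Return (ip, port) after DNAT, or None when the flow misses the policy."""
        if (zone == self.src_zone and dst_ip == self.dst_ip
                and self.service.matches(proto, sport, dport)):
            self.hit_count += 1
            return (self.translate_ip, self.translate_port)
        return None

def narrow_source_services(services):
    """Lint: names of services whose Src Port is narrower than 0-65535."""
    return [s.name for s in services if s.src_ports != ALL_PORTS]

def replay(policy, flows):
    for flow in flows:
        policy.translate(*flow)
    return policy.hit_count

# Constructed sample data: documentation/private addresses, ephemeral client ports.
FLOWS = [("WAN", "tcp", p, "203.0.113.10", 4433) for p in (49152, 51515, 60321)]

def make_policy(src_ports):
    svc = Service("custom-4433", "tcp", src_ports, (4433, 4433))
    return DnatPolicy("WAN", "203.0.113.10", svc, "192.168.10.20", 4433)

if __name__ == "__main__":
    print([replay(make_policy(p), FLOWS) for p in ((4433, 4433), ALL_PORTS)])
```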
Raza Islam Lv3 Posted 08 Jun 2022 19:24

Thanks for sharing.
Newbie191628 Lv3 Posted 14 Jun 2022 09:59

Thanks for sharing
Raja Azkar Lv2 Posted 15 Jun 2022 20:51

Thanks for sharing
Raza Islam Lv3 Posted 19 Jul 2022 19:37

Thanks for command.
Naghmana Lv1 Posted 20 Aug 2022 14:07

Thanks for the update
Faisal P Lv8 Posted 16 Sep 2022 23:46

Thank you very much for the information ...
Faisal P Lv8 Posted 16 Sep 2022 23:46

Nice article ...
Faisal P Lv8 Posted 16 Sep 2022 23:46

Great info ...
Faisal P Lv8 Posted 16 Sep 2022 23:47

Very informative ...

Doc ID: 6035
Author: KY
Updated: 2022-05-09 14:50
Version: