Cannot Translate Multiple Ports To A Single Host
Unit is a TZ350 running SonicOS Enhanced 6.5.4.7-83n
A vendor is requiring that we translate and forward multiple ports from our single IP WAN to a single LAN device they control.
Example:
Inbound TCP 99999 -> 80 @ 192.168.1.2
Inbound TCP 99998 -> 81 @ 192.168.1.2
Inbound TCP 99997 -> 82 @ 192.168.1.2
etc. etc.
Adding the first forwarding with translation works as expected. I cannot add the NAT Policy for any of the subsequent translated forwardings, I receive "Error: Duplicate policy exists".
I have had zero luck digging up other reports of this exact use case, any help is appreciated.
Best Answer
CGoodwin Newbie ✭
Correction on my part - I was receiving the Duplicate Policy error when trying to edit the Reflexive Policies.
I reviewed the PAT document again and realized that the Reflexive Policy is not correct by default, it will always set the Original Service to Any (creating a duplicate policy). It has to be edited to specify the Original Service as the LAN Service Object.
Thanks again for your assistance.
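To make the accepted answer concrete, here is an added Python sketch (not from this thread and not SonicWall code) that models the NAT policy table as a set of policies keyed on their matching fields; treating identical original source, destination, service and interface pair as a duplicate is an assumption about how the firewall decides. It builds the three inbound PAT policies, then the reflexive (LAN-to-WAN) policies first with Original Service left at Any and again with the LAN service object, and only the second set is accepted.

```python
from dataclasses import dataclass

# Added model of a SonicOS NAT policy table (not SonicWall code); field names
# mirror the UI labels and the duplicate rule in match_key is an assumption.
@dataclass(frozen=True)
class NatPolicy:
    orig_src: str
    orig_dst: str
    orig_svc: str      # Original Service object name, or "Any"
    in_iface: str
    out_iface: str
    trans_src: str
    trans_dst: str
    trans_svc: str
    def match_key(self):
        # Assumption: a policy is a duplicate when every field that selects
        # traffic (everything before translation) matches an existing one.
        return (self.orig_src, self.orig_dst, self.orig_svc, self.in_iface, self.out_iface)

class NatTable:
    def __init__(self):
        self.policies = []
    def add(self, policy):
        if any(policy.match_key() == p.match_key() for p in self.policies):
            raise ValueError("Error: Duplicate policy exists")
        self.policies.append(policy)

# Constructed sample data: the thread's placeholder ports and its LAN host.
LAN_HOST = "192.168.1.2"
PORT_MAP = {"TCP 99999": "TCP 80", "TCP 99998": "TCP 81", "TCP 99997": "TCP 82"}

def inbound_pat(wan_svc, lan_svc):
    # WAN -> LAN: destination and port translated to the LAN host.
    return NatPolicy("Any", "WAN Primary IP", wan_svc, "X1", "X0",
                     "Original", LAN_HOST, lan_svc)

def reflexive(wan_svc, lan_svc, orig_svc):
    # LAN -> WAN policy added alongside each inbound one; orig_svc defaults to "Any".
    return NatPolicy(LAN_HOST, "Any", orig_svc, "X0", "X1",
                     "WAN Primary IP", "Original", wan_svc)

def build_table(fix_reflexive):
    # Returns (policies accepted, error text or None).
    table = NatTable()
    try:
        for wan_svc, lan_svc in PORT_MAP.items():
            table.add(inbound_pat(wan_svc, lan_svc))
        for wan_svc, lan_svc in PORT_MAP.items():
            table.add(reflexive(wan_svc, lan_svc, lan_svc if fix_reflexive else "Any"))
    except ValueError as err:
        return len(table.policies), str(err)
    return len(table.policies), None
```

With the default Any, the second reflexive policy collides with the first after four policies are in; with the LAN service object set on each, all six are accepted.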
Answers
Hi @CGoodwin
I think you have a typing error since the TCP range is 0 to 65535. Please make sure you are selecting the correct service objects in your NAT policies, since your use case can be configured on the firewall without any issues. I am sharing a screen capture of a Gen7 device. Yes, it is a different firmware but the NAT functionality is the same. Let me know.
If your error isn't really about the port numbers [I cannot believe the firewall will let you add TCP port 99999 as a service] then it's something else about the policies that overlaps. Post some actual screenshots.
The firmware UI will not allow invalid TCP port numbers.
Thank you for responding. My ports were just an example (I know they were invalid).
Address Object
Service Objects
NAT Policies
Access Rules (I can't add the second rule; other than 80 these are "odd" ports, I don't see the overlap).
Thanks again.
And I know that I duplicated the HTTP Service (for naming convenience); using either made no difference, I receive no error when adding either of those first.
You have two of the inbound port translation NAT policies added, right? So what exactly are the parameters for the third one that you cannot add? If you carry on adding policies in the way you have then I don't see why there would be a problem.
On the WAN>LAN access rule, you can just add all the services to a service group so you only need a single rule. [It's not possible to do this with one NAT policy when you are translating port numbers; you can't translate one group of ports to another group of ports as it is ambiguous].
I did try using a Service Group, but I believe that was under NAT Policies versus Access Rules, and so I received a protocol mismatch error (even though they're all TCP). I'll test this now, thank you for your assistance. I'll report back shortly.