DNAT Redirection Overview

Overview

The Redirect DNAT policy has been available on the InstaGate for quite some time, but it has now been revamped with several useful new features. These include predefined objects for commonly used networks and IP addresses, new ways of including and excluding networks, and the ability to map return packets to a secondary IP address instead of only the WAN IP.


Configuration

The Redirect DNAT option is available by going to Firewall and selecting Firewall Policies.

To create a new policy, click Add, give the rule a name, and then choose "redirect" as the action. The Interface should be set to "WAN". It is recommended to leave logging disabled.

Under "Source", you are allowed to pick a predefined object or specify a network manually and choose whether this rule will include or exclude that particular source. Often this will be set to "ANY", meaning connections can come from any IP on the outside.

Under "Public Destination", you can again choose a predefined object or manually enter an IP address. This will usually be either the WAN IP or a secondary IP address assigned to the unit.

For "Private Destination", you will want to enter the IP address of the internal machine the connection is to be redirected to.

A new feature recently added is the "Redirect Source Address" option listed next. It allows you to map the return request to a secondary public IP address on the machine or just to the WAN IP (as is usually done). This is helpful in situations where you are accepting connections on a secondary IP address and would like the replies to also come from that secondary IP.

Choose "Use the Default NAT rule on the WAN IP for outgoing traffic" to map to the WAN IP, or "Map outgoing traffic from Private address *internal_address* to the external destination address *secondary_ip_address*" to map to a secondary IP address. (The secondary IP addresses assigned to the unit appear here as selectable options.)

Lastly, choose the service(s) you wish to redirect by clicking the checkbox next to the corresponding service. Additional services can be added under Firewall > Custom Services.


Troubleshooting

If the redirect is not working, check the following:

  • Verify all the settings for the firewall policy are correct. Make sure that the IP addresses are valid and working.
  • Make sure that the internal workstation you are redirecting to has a gateway set up in the TCP/IP settings and that the gateway points to the InstaGate's LAN IP address.
  • Verify nothing in front of the InstaGate (a router for instance) is answering for that port or IP before it gets to the InstaGate. This is especially common when using secondary IP addresses.
  • Check that the port you are redirecting to answers when you attempt to connect to it from the LAN side. If the port does not answer from the LAN side, you may be using the wrong port number, or the service you are attempting to reach may not be running properly on that machine.

You can also see if the policy is being blocked by another policy or by the firewall itself by looking at the firewall.log. This can be found via the Web Interface under Support and Diagnostics -> System Logs. Choose "Firewall" from the dropdown and then click on the link for the log you wish to view.
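As an added example (not part of this article or of the InstaGate itself), a small Python script that automates the first and fourth checks above: it validates the policy's public and private destination addresses and port, then tests from a LAN host whether the internal machine actually answers on the redirected port. The addresses in the usage section are constructed sample values.

```python
import ipaddress
import socket

# RFC 1918 ranges: the private destination of a Redirect DNAT policy is
# normally inside one of these, and the public destination never is.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def validate_policy(public_ip, private_ip, port):
    """Check 1: are the policy's addresses and port valid and plausible?
    Returns a list of problems; an empty list means nothing obvious is wrong."""
    problems = []
    try:
        pub = ipaddress.ip_address(public_ip)
        priv = ipaddress.ip_address(private_ip)
    except ValueError as exc:
        return [f"invalid IP address: {exc}"]
    if is_rfc1918(pub):
        problems.append(f"public destination {pub} is an RFC 1918 address; "
                        "expected the WAN IP or a secondary public IP")
    if not is_rfc1918(priv):
        problems.append(f"private destination {priv} is not an RFC 1918 address; "
                        "the internal machine is normally on the private LAN")
    if pub == priv:
        problems.append("public and private destination are the same address")
    if not 1 <= int(port) <= 65535:
        problems.append(f"port {port} is outside 1-65535")
    return problems


def lan_side_port_answers(private_ip, port, timeout=3.0):
    """Check 4: run from a LAN host, does the internal machine accept a TCP
    connection on the redirected port? False means the service is down,
    listening on a different port, or blocked by a host firewall."""
    try:
        with socket.create_connection((private_ip, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values; replace with the policy's actual settings.
    public_ip, private_ip, port = "203.0.113.10", "192.168.1.50", 443
    for problem in validate_policy(public_ip, private_ip, port):
        print("policy problem:", problem)
    if lan_side_port_answers(private_ip, port):
        print(f"{private_ip}:{port} answers from the LAN side")
    else:
        print(f"{private_ip}:{port} does not answer; check the service and port")
```

If the LAN-side check passes but outside connections still fail, the remaining items on the list (the internal gateway setting and upstream devices answering for the port) are the next things to look at.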


© 2012 eSoft. All rights reserved.