Q: If I set up a static address translation in one direction, do I need to create a matching rule for the other direction?
A: On the address translation tab of the firewall policy, if I set up a static translation in one direction, do I need to create a matching rule to translate the return traffic back? If not, why do the "automatic" address translation rules do this?
In other words:
Rule #1:
OrigSrc=any
OrigDst=mywebserver public
OrigPort=any
XlatSrc=original
XlatDst=mywebserver private
XlatPort=original
Must we create this second rule, as the automatic rules do?
Rule #2:
OrigSrc=mywebserver private
OrigDst=any
OrigPort=any
XlatSrc=mywebserver public
XlatDst=original
XlatPort=original
Seems to work fine without rule #2. So why do the automatic rules do this?
working on it...
1 Comment:
You do not need the second rule. The FW simply won't change the source of the traffic when the internal host creates a connection outbound. The inbound connections will still NAT properly.
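The behaviour the comment describes can be seen in a small model of a stateful firewall. The following is an added example, not code from the original post or from any firewall vendor; the addresses, the first-match rule semantics and the connection table are all constructed assumptions, and the model ignores protocol and timeouts. It shows why rule #1 alone is enough for inbound connections (the reply is reversed from the connection table, not from a rule) and what rule #2 actually changes (the source address of connections the web server itself originates).

```python
from dataclasses import dataclass

# Constructed example addresses (assumptions, not from the original post).
WEB_PUBLIC = "203.0.113.10"
WEB_PRIVATE = "10.0.0.10"
CLIENT = "198.51.100.7"
UPSTREAM_DNS = "192.0.2.53"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class StaticRule:
    """One row of the address translation tab: Orig* match fields, Xlat* rewrite fields.
    'any' matches every address; 'original' leaves the field untouched."""
    orig_src: str
    orig_dst: str
    xlat_src: str
    xlat_dst: str

    def matches(self, pkt: Packet) -> bool:
        return self.orig_src in ("any", pkt.src) and self.orig_dst in ("any", pkt.dst)

    def apply(self, pkt: Packet) -> Packet:
        return Packet(
            src=pkt.src if self.xlat_src == "original" else self.xlat_src,
            dst=pkt.dst if self.xlat_dst == "original" else self.xlat_dst,
            sport=pkt.sport,
            dport=pkt.dport,
        )


class StatefulNAT:
    """Toy stateful NAT: new connections consult the rule list (first match wins);
    replies are reversed from the connection table without looking at any rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        # key: (src, sport, dst, dport) of a reply as it arrives at the firewall
        # value: that reply as it must leave, i.e. the original flow reversed
        self.conns = {}

    def forward(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:  # reply to a tracked connection: undo the translation
            return self.conns[key]
        # New connection: first matching static rule translates it, or none does.
        xlated = next((r.apply(pkt) for r in self.rules if r.matches(pkt)), pkt)
        reply_key = (xlated.dst, xlated.dport, xlated.src, xlated.sport)
        self.conns[reply_key] = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return xlated


# Rule #1 and rule #2 from the post, in this model's notation.
RULE_1 = StaticRule(orig_src="any", orig_dst=WEB_PUBLIC, xlat_src="original", xlat_dst=WEB_PRIVATE)
RULE_2 = StaticRule(orig_src=WEB_PRIVATE, orig_dst="any", xlat_src=WEB_PUBLIC, xlat_dst="original")


def inbound_with_reply(rules):
    """Client connects to the public address; returns (SYN as sent to the server,
    SYN/ACK as sent back to the client)."""
    fw = StatefulNAT(rules)
    to_server = fw.forward(Packet(CLIENT, WEB_PUBLIC, 40000, 80))
    # The server answers from its private address; the firewall must map it back.
    synack = Packet(to_server.dst, to_server.src, to_server.dport, to_server.sport)
    return to_server, fw.forward(synack)


def outbound_from_server(rules):
    """The web server itself opens a connection (e.g. a DNS query) to the outside."""
    fw = StatefulNAT(rules)
    return fw.forward(Packet(WEB_PRIVATE, UPSTREAM_DNS, 51000, 53))


if __name__ == "__main__":
    print("rule #1 only, inbound + reply:", inbound_with_reply([RULE_1]))
    print("rule #1 only, server-originated:", outbound_from_server([RULE_1]))
    print("rules #1 and #2, server-originated:", outbound_from_server([RULE_1, RULE_2]))
```

With rule #1 alone the SYN reaches the server with its private destination and the SYN/ACK goes back to the client with the public source, because the reply direction is recovered from the connection entry created by the inbound SYN. A connection the server opens on its own, however, leaves with its private source address; only rule #2 rewrites that to the public address, which is what the automatic rules are providing when they install both directions.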