Thursday, March 30, 2006

Q: If I set up a static address translation in one direction, do I need to create a matching rule for the other direction?

A:

On the address translation tab of the firewall policy, if I set up a static translation in one direction, do I need to create a matching rule to translate the return traffic back? If not, why do the "automatic" address translation rules do this? In other words:

Rule #1:
OrigSrc=any, OrigDst=mywebserver public, OrigPort=any, XlatSrc=original, XlatDst=mywebserver private, XlatPort=original

Must we create this second rule, as the automatic rules do?

Rule #2:
OrigSrc=mywebserver private, OrigDst=any, OrigPort=any, XlatSrc=mywebserver public, XlatDst=original, XlatPort=original

It seems to work fine without rule #2. So why do the automatic rules do this? Working on it...

1 Comments:

Anonymous said...

You do not need the second rule. The FW simply won't change the source of the traffic when the internal host creates a connection outbound. The inbound connections will still NAT properly.

10:45 PM  
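As an added example, not code from the original post or from any firewall vendor, the following Python toy models a stateful firewall with a two-rule NAT rulebase so the behaviour discussed above can be checked directly. It assumes a simplified first-match NAT table plus a connection table that reverses the translation on return traffic (a deliberately minimal model, not the real product's algorithm); the hostnames "mywebserver public" and "mywebserver private" are mapped to constructed addresses from the RFC 5737 documentation ranges.

```python
"""Toy model of static NAT with connection tracking (constructed example).

Shows the two cases from the post:
  * rule #1 alone handles an inbound connection, because the firewall records
    the connection and undoes the translation on the server's replies;
  * an outbound connection started by the internal host keeps its private
    source address unless rule #2 exists to translate it to the public one.
"""
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), standing in for
# "mywebserver public" / "mywebserver private" in the post.
WEBSERVER_PUBLIC = "203.0.113.10"
WEBSERVER_PRIVATE = "10.0.0.10"
CLIENT = "198.51.100.7"
ANY = "any"
ORIGINAL = "original"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    """One row of the address-translation tab (ports left 'original')."""
    orig_src: str
    orig_dst: str
    xlat_src: str
    xlat_dst: str

    def matches(self, p: Packet) -> bool:
        return self.orig_src in (ANY, p.src) and self.orig_dst in (ANY, p.dst)

    def apply(self, p: Packet) -> Packet:
        src = p.src if self.xlat_src == ORIGINAL else self.xlat_src
        dst = p.dst if self.xlat_dst == ORIGINAL else self.xlat_dst
        return Packet(src, dst, p.sport, p.dport)


# The two rules exactly as the post lists them.
RULE_1 = NatRule(ANY, WEBSERVER_PUBLIC, ORIGINAL, WEBSERVER_PRIVATE)
RULE_2 = NatRule(WEBSERVER_PRIVATE, ANY, WEBSERVER_PUBLIC, ORIGINAL)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # translated 4-tuple of a tracked connection -> the original packet
        self.conns = {}

    def forward(self, p: Packet) -> Packet:
        # Return traffic of a tracked connection: reverse the translation.
        key = (p.dst, p.src, p.dport, p.sport)
        if key in self.conns:
            orig = self.conns[key]
            return Packet(orig.dst, orig.src, orig.dport, orig.sport)
        # New connection: first matching NAT rule wins, else no translation.
        out = p
        for rule in self.rules:
            if rule.matches(p):
                out = rule.apply(p)
                break
        self.conns[(out.src, out.dst, out.sport, out.dport)] = p
        return out


def inbound_session(fw: Firewall):
    """Client connects to the public address; server replies from private."""
    syn = fw.forward(Packet(CLIENT, WEBSERVER_PUBLIC, 40000, 80))
    synack = fw.forward(Packet(WEBSERVER_PRIVATE, CLIENT, 80, 40000))
    return syn.dst, synack.src   # what the server sees, what the client sees


def outbound_session(fw: Firewall):
    """Internal host opens a connection out; what source does the client see?"""
    syn = fw.forward(Packet(WEBSERVER_PRIVATE, CLIENT, 50000, 443))
    return syn.src


def demo():
    one_rule = {"inbound": inbound_session(Firewall([RULE_1])),
                "outbound_src": outbound_session(Firewall([RULE_1]))}
    two_rules = {"inbound": inbound_session(Firewall([RULE_1, RULE_2])),
                 "outbound_src": outbound_session(Firewall([RULE_1, RULE_2]))}
    return {"rule1_only": one_rule, "rule1_and_rule2": two_rules}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With rule #1 alone the inbound session is translated to the private address on the way in and back to the public address on the way out, which is why the setup in the post "seems to work fine". The outbound session, however, leaves the firewall with the 10.0.0.10 source, an address the outside network cannot route back to; rule #2 is what makes the web server's own outbound connections appear to come from the public address, which is the reason the automatic rules generate both rows.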
