
McAfee Firewall – NAT mapping

December 28th, 2011

While testing a McAfee Enterprise Firewall running software 8.2.0, I had some problems with the creation of a NAT mapping. The firewall is configured as standalone firewall. All (NAT / access rule) configuration on the firewall is done using Access Control Rules. McAfee uses two types of NAT mapping:

  1. NAT: mostly used to translate a private IP address to a public IP address;
  2. Redirect: redirects traffic sent to a public IP address to a private IP address.

I tried to publish an internal network component to the internet. I created a simple rule with the following parameters. These parameters are very straightforward, and the configuration is similar to that of firewalls from other vendors:

  Application: SSH
  Source Zone: external
  Destination Zone: external
  Source Endpoint: Any
  Destination Endpoint: Public IP address
  NAT address: None
  Redirect: Private IP address

I tested the NAT mapping, but couldn’t connect to the internal component using the public IP address. The first step in troubleshooting is looking at the logs, but I couldn’t find any log entries on the firewall. It looked like the traffic didn’t even reach the firewall.

We have a shared internet segment with multiple firewalls. So I started doubting the configuration of the different firewalls.

  • Was somebody already using the public IP address in a NAT configuration?
  • Does the default gateway of the internet segment already have an ARP entry for the public IP address?

I looked at the configuration of the firewalls, but nobody was using the public IP address. With this in mind, I ruled out the ARP entry “problems” on the ISP router.

When using NAT on a public IP address that is not the interface’s own IP address, the firewall has to proxy ARP for that public IP address. So does the firewall proxy ARP for the public IP address?

I started looking at the rest of the configuration with emphasis on the network configuration. I noticed that I had the option to add an alias IP address to the external interface. This can be found under Network – Interfaces – external interface. I added the public IP address as alias.

You guessed it: the NAT mapping is working.
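To make the proxy-ARP requirement concrete, here is an added Python example (constructed for this page, not code from the original post or from McAfee) that models a shared internet segment and flags Redirect rules whose public IP no firewall will answer ARP for, which is exactly the "no logging, traffic never arrives" symptom above. Firewall names and addresses are assumed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface

@dataclass
class Firewall:
    """Constructed model of one firewall on the shared segment (not McAfee's format)."""
    name: str
    external: str                                  # interface address, e.g. "203.0.113.2/24"
    aliases: set = field(default_factory=set)      # alias addresses on the external interface
    redirects: dict = field(default_factory=dict)  # Redirect rules: public IP -> private IP

def arp_responders(firewalls, public_ip):
    """Firewalls that answer ARP for public_ip: the interface address and every alias
    (proxy ARP). A Redirect rule by itself does not make a firewall answer."""
    ip = ip_address(public_ip)
    return [fw.name for fw in firewalls
            if ip == ip_interface(fw.external).ip
            or ip in {ip_address(a) for a in fw.aliases}]

def check_redirects(firewalls):
    """Classify each Redirect rule: 'ok' (only the owner answers ARP), 'no-arp' (nobody
    answers, so packets never reach the firewall and nothing is logged), 'conflict'
    (another firewall answers instead), 'duplicate' (several firewalls answer)."""
    findings = {}
    for fw in firewalls:
        for public_ip in fw.redirects:
            who = arp_responders(firewalls, public_ip)
            if not who:
                verdict = "no-arp"
            elif who == [fw.name]:
                verdict = "ok"
            elif fw.name not in who:
                verdict = "conflict"
            else:
                verdict = "duplicate"
            findings[(fw.name, public_ip)] = verdict
    return findings

# Constructed sample: the post's situation before the public IP was added as an alias.
SEGMENT = [
    Firewall("mcafee-fw", "203.0.113.2/24", redirects={"203.0.113.10": "10.0.0.5"}),
    Firewall("other-fw", "203.0.113.3/24", aliases={"203.0.113.20"},
             redirects={"203.0.113.20": "10.1.0.5"}),
]

if __name__ == "__main__":
    print(check_redirects(SEGMENT))         # mcafee-fw rule is 'no-arp'
    SEGMENT[0].aliases.add("203.0.113.10")  # the fix from the post: bind the IP as alias
    print(check_redirects(SEGMENT))         # now 'ok'
```

The 'conflict' and 'duplicate' verdicts cover the other doubt raised above, another firewall on the shared segment already claiming the public IP.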

René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, HP Networking, Juniper Networks, RSA, PaloAlto Networks, Microsoft and many more. René is CCNA (Routing & Switching, Security), CCNP , Cisco ASA Specialist and CEFFS certified. You can follow René on Twitter and LinkedIn.