Connection from a Client to a Server does not work when both Client and Server are NATed behind the same Security Gateway configured as Proxy
Symptoms
  • Connection from a Client NATed behind the Security Gateway configured as Proxy to an IP address that is NATed behind the same Security Gateway does not work.

    Topology:
    Client is NATed behind Security Gateway --- [Security Gateway configured as Proxy] --- Server is NATed behind Security Gateway

Cause

The current Security Gateway infrastructure performs NAT of "Client Side" or NAT of "Server Side".

When a request to the Security Gateway configured as Proxy is made by a client, the Security Gateway resolves the IP address of the requested domain using the configured DNS server.

If the resolved IP address is an external IP address that is NATed by the Security Gateway, then the connection to that IP address is opened by the Security Gateway. Since there is no NAT on the client's outgoing connection, and the server is NATed by the Security Gateway, the packet leaves the external interface of the Security Gateway and never reaches the NATed destination.

This is expected behavior by design.

Note: The issue is relevant only when all of the following conditions are met:

  1. The clients are using the Security Gateway as a Proxy.
  2. The destination servers are NATed by the Security Gateway.
  3. The DNS server configured on Security Gateway replies with the NATed IP address of the server.

Solution

There are two possible solutions for the issue:

  • Either add static host entries for Client and Server in the /etc/hosts file on the Security Gateway.

  • Or disable the Client Side NAT (in SmartDashboard - go to 'Policy' menu - click on 'Global Properties...' - go to 'NAT - Network Address Translation' - clear the boxes 'Translate destination on client side' - install policy).

    Warning: This solution has a wide impact on the NAT behavior of all traffic.
    For additional information, refer to sk85640.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
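
The following pre-check is an added example, not part of the original article or of any Check Point tooling. It flags proxied destinations that match condition 3 above and prints a candidate /etc/hosts line for the first solution. Assumptions: the NAT table, hostnames and addresses are constructed placeholders, `getent` is available on the gateway shell, and the hosts entry is meant to map the server name to its real (pre-NAT) address.

```shell
#!/bin/bash
# Constructed sample data: "<NATed address> <real address>" for each server
# that this gateway translates. Replace with the static NAT rules in use.
NAT_TABLE='203.0.113.10 10.1.1.10
203.0.113.20 10.1.1.20'

# Print the real address behind a NATed address.
# Returns non-zero when the address is not translated by this gateway.
real_ip_for() {
    printf '%s\n' "$NAT_TABLE" |
        awk -v ip="$1" '$1 == ip { print $2; found = 1 } END { exit !found }'
}

# classify <hostname> <resolved-ip>
# Decide whether a proxied request for <hostname> would hit the issue,
# given the address the gateway's resolver returned for it.
classify() {
    if cls_real=$(real_ip_for "$2"); then
        # Assumption: the hosts entry should point at the real address.
        echo "AFFECTED $1 resolves to NATed $2; candidate hosts entry: $cls_real $1"
    else
        echo "OK $1 resolves to $2 (not NATed by this gateway)"
    fi
}

# check_host <hostname>
# Resolve the name the way the gateway itself does (system resolver,
# which includes /etc/hosts), then classify the answer.
check_host() {
    chk_ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    if [ -z "$chk_ip" ]; then
        echo "UNRESOLVED $1"
        return 1
    fi
    classify "$1" "$chk_ip"
}

# Offline demonstration with constructed values (no DNS lookup needed).
classify www.example.com 203.0.113.10
classify ext.example.net 198.51.100.5
```

Running `check_host` again after adding the hosts entry should report `OK`, because the name then resolves to an address that is not in the NAT table.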
