NAT rule installed on cluster does not hide the Source IP address behind the configured IP address if the packet is sent to Cluster VIP address
Symptoms
  • NAT rule on cluster does not translate the Source IP address in the following scenario:

    1. Topology:
      [Some Host #1] --(some network)-- ethX [Cluster] ethY {Host #3} --(some network)-- [Some Host #2]
      Traffic from Host #1 towards Host #2 has to be hidden behind some IP address (represented as Host #3)
      Example: Connecting with SmartConsole GUI clients through Cluster to Security Management Server

    2. The following NAT rule was defined:

      ORIGINAL PACKET:
        Source:      Host #1
        Destination: Host object that represents Cluster VIP address on ethX
        Service:     Some Service
      TRANSLATED PACKET:
        Source:      Host #3
        Destination: Host #2
        Service:     = Original
      INSTALL ON:    Cluster object

    3. The packet is sent from Some Host #1 to Cluster VIP address defined on ethX.

    4. Only the Destination IP address is NATed.

  • NAT rule on cluster does not translate the Source IP address in the following scenario:

    1. Topology:
      [Some Host #1] --(some network)-- ethX [Cluster] ethY --(some network)-- [Some Host #2]
      Traffic from Host #1 towards Host #2 has to be hidden behind Cluster VIP address (defined on cluster's ethY)
      Example: Connecting with SmartConsole GUI clients through Cluster to Security Management Server

    2. The following NAT rule was defined:

      ORIGINAL PACKET:
        Source:      Host #1
        Destination: Host object that represents Cluster VIP address on ethX
        Service:     Some Service
      TRANSLATED PACKET:
        Source:      Host object that represents Cluster VIP address on ethY
        Destination: Host #2
        Service:     = Original
      INSTALL ON:    Cluster object

    3. The packet is sent from Some Host #1 to Cluster VIP address defined on ethX.

    4. Only the Destination IP address is NATed.

Cause

When a packet is sent to the Cluster VIP address, an internal NAT (called Fold) is performed to translate the Destination IP address from the Cluster VIP address to the physical IP address of the relevant cluster member.
This internal cluster NAT currently does not perform any NAT on the Source IP address, so only the destination is translated.


Solution