Policy Object "Service" setting for Virtual IP Port forwarding...

Author: tplau (New Member, joined 2020/11/24)
Posted 2020/11/25 00:08:51, tagged 5.6


Hi all, I encountered the following situation and would like to understand more about the mechanism behind it.
 
I am setting up Virtual IP port forwarding and an IPv4 policy object so that I can SSH to a private machine from a public IP, for example,
 
public_ip:22099 -> private_pc099:22
 
When checking the tutorial on setting up the IPv4 policy object, the guideline tells us to set the "Service" to ALL (or ANY), as the port forwarding rule in the Virtual IP object will only forward port 22099 to 22. While I can SSH successfully with the service set to ALL, as an experiment I explicitly created port 22099 as a new Service object and then assigned the 22099 service to the IPv4 Policy object's Service attribute. Then I cannot SSH to public_ip:22099 -> private_pc099:22. But if I set SSH as the service in the IPv4 Policy object, the SSH connection can be made successfully.
 
So if the above situation is expected, could you explain the mechanism behind it, for example, why I need to set the service to SSH (22) instead of Service_22099?
 
Thanks a lot for any comments.
Regards,
 
Patrick
 
#1

2 Replies

    ede_pfau (Expert Member, Heidelberg, Germany, joined 2004/03/09)
    Re: Policy Object "Service" setting for Virtual IP Port forwarding... 2020/11/25 04:24:13
    hi,
     
    and welcome to the forums.
    The explanation is quite simple:
    A VIP does DNAT. NAT is done before matching the policy, so the service field in the policy needs to match the translated port.
    There is a document about this, "Life of a packet" IIRC, which explains the flow of data and operations.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
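    As an added illustration of Ede's point (this is example code written for this page, not FortiGate's implementation and not from the thread), a small Python model that applies the VIP's DNAT before the policy lookup; the public/private addresses and the VIP and policy names are constructed:

```python
# Constructed model of the order of operations described in the reply:
# step 1 VIP (DNAT) lookup, step 2 policy lookup on the translated packet.
# Addresses, ports and object names are illustrative, not real configuration.
from dataclasses import dataclass

ANY = "ALL"  # stands in for the Service "ALL"/"ANY" object


@dataclass(frozen=True)
class Vip:
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Policy:
    dst_vip: str          # dstaddr references the VIP object
    service_port: object  # an int port or ANY
    action: str


# Mirrors the thread: public_ip:22099 -> private_pc099:22
VIPS = {"vip_pc099": Vip("203.0.113.10", 22099, "10.0.0.99", 22)}


def dnat(dst_ip, dst_port):
    """Step 1: VIP match. Returns (vip_name, translated_ip, translated_port)."""
    for name, v in VIPS.items():
        if v.ext_ip == dst_ip and v.ext_port == dst_port:
            return name, v.mapped_ip, v.mapped_port
    return None, dst_ip, dst_port  # no VIP: packet is unchanged


def policy_lookup(policies, vip_name, translated_port):
    """Step 2: first policy whose dstaddr and service match the TRANSLATED port."""
    for p in policies:
        if p.dst_vip == vip_name and p.service_port in (ANY, translated_port):
            return p.action
    return "implicit deny"


def forward(policies, dst_ip="203.0.113.10", dst_port=22099):
    """Run a packet to public_ip:22099 through both steps."""
    vip_name, t_ip, t_port = dnat(dst_ip, dst_port)
    return policy_lookup(policies, vip_name, t_port), t_ip, t_port


# The three Service settings the original poster tried
POLICY_ALL = [Policy("vip_pc099", ANY, "accept")]
POLICY_22099 = [Policy("vip_pc099", 22099, "accept")]  # matches nothing after DNAT
POLICY_SSH = [Policy("vip_pc099", 22, "accept")]       # matches the mapped port

if __name__ == "__main__":
    for label, pol in (("ALL", POLICY_ALL), ("Service_22099", POLICY_22099), ("SSH", POLICY_SSH)):
        print(label, forward(pol))
```

    Running it shows the Service_22099 variant falling through to the implicit deny, because by the time the policy is evaluated the destination port is already 22.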
    tplau (New Member, joined 2020/11/24)
    Re: Policy Object "Service" setting for Virtual IP Port forwarding... 2020/11/25 19:29:33
    ede_pfau:
    hi,

    and welcome to the forums.
    The explanation is quite simple:
    A VIP does DNAT. NAT is done before matching the policy, so the service field in the policy needs to match the translated port.
    There is a document about this, "Life of a packet" IIRC, which explains the flow of data and operations.

    Thanks a lot for the explanation :)
    #3