Management Profile on Public Loopback IP not Working with Shared Gateway
Symptoms
A loopback interface was configured with a public IP address so that it could be used to reach the management interface, because the IP address of the VSYS shared gateway is already used in destination NAT rules: port 443 on that address is redirected to internal web servers, so attaching a management profile to the shared gateway's own address would conflict with the destination NAT rule.
Attempting to connect to the loopback's IP address fails; the management GUI is not reachable.
Issue
When a firewall is configured with a VSYS shared gateway, it is not possible to specify a specific source zone in the shared gateway's NAT rules, so the outbound source NAT rule matches traffic arriving from any zone. A connection to the management GUI on the loopback interface's public IP therefore matches that outbound NAT rule as well, and the packet is translated to the shared gateway's interface IP address instead of being delivered to the loopback interface.
Resolution
Create the following NAT rule (a no-NAT exemption) and place it at the top of the NAT policy, above the outbound source NAT rule, so that traffic to the loopback address is matched before the outbound rule is evaluated:
- Source zone: Untrust
- Destination zone: Untrust
- Destination IP: the loopback interface's public IP address
- Translated packet: none (no source or destination translation)
Because this exposes the management GUI on a public address, restrict the interface management profile on the loopback to HTTPS only and to the permitted source IP addresses that actually need administrative access.
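As an added example, not part of the original article, the same configuration expressed as PAN-OS CLI set commands. It assumes a shared gateway named sg1 whose untrust zone is bound to ethernet1/1, a loopback interface loopback.1 carrying the public IP 203.0.113.10/32, an existing outbound source NAT rule named outbound-pat, and an administrator source range of 198.51.100.0/24; all of these names and addresses are assumptions chosen for illustration.

```text
# Assumed names and addresses; adjust to the actual shared gateway, zone and loopback.

# Existing rule that causes the problem: the shared gateway rule cannot match on a
# vsys source zone, so "from any" also catches inbound traffic to the loopback IP
# and source-translates it to the ethernet1/1 address.
set shared-gateway sg1 rulebase nat rules outbound-pat from any to untrust source any destination any service any
set shared-gateway sg1 rulebase nat rules outbound-pat source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Exemption: untrust -> untrust to the loopback IP with no translation configured.
set shared-gateway sg1 rulebase nat rules no-nat-mgmt from untrust to untrust source any destination 203.0.113.10 service any

# NAT rules are evaluated first match, so the exemption must sit above outbound-pat.
move shared-gateway sg1 rulebase nat rules no-nat-mgmt top

# Loopback with the public address and a management profile limited to HTTPS from the admin range.
set network interface loopback units loopback.1 ip 203.0.113.10/32
set network profiles interface-management-profile mgmt-https https yes
set network profiles interface-management-profile mgmt-https permitted-ip 198.51.100.0/24
set network interface loopback units loopback.1 interface-management-profile mgmt-https
commit
```

After the commit, a session from an address in the permitted range to https://203.0.113.10 should show the no-nat-mgmt rule in the session's NAT rule field rather than outbound-pat; if outbound-pat still appears, the exemption is not above it in the rulebase.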
owner: jteetsel