Help with Barracuda Firewall NAT

wizdum

I work for a school that has a Barracuda x600 firewall, and have been trying to set up NAT between one of our spare IPs and an internal server for about 3 days now. The documentation seems to indicate that this is all that is needed: https://techlib.barracuda.com/bfw/dnatfwrule

We have a /26 public IP block, and only one IP is currently being used by the firewall. I'm hoping that someone here may have some experience with this device and can point me in the right direction. I'm not seeing anything in the logs; it's like the traffic is not even making it to the firewall.

I did see a post that indicated that I might need to enable proxy ARP, which I tried, but still no luck.
 
That's a DNAT rule. You need a SNAT Masquerade rule.

https://techlib.barracuda.com/display/blibv24/how+to+create+outbound+source+nat+rules

EDIT: Looks like that's for a Barracuda load balancer. I only have a 310 Web Filter that is inline and not doing NAT so I can't tell you much. Personally I'd stick the Barracuda inline and let the router handle NAT OR use the Barracuda as a proxy server and set each client to use that via a PAC file or something similar.
 
The issue you are dealing with, Wizdum, is that a DNAT on the Barracuda is a port forward. You need to create the connection (which is an SNAT).

In column 2 you can see where it says "Connection". These are your SNATs on the public side so your Barracuda can respond to ARP requests and make an additional IP on your /26 block "active" and alive.

Per the documentation, you will want to do that here:

https://techlib.barracuda.com/BFW/ConnectionObjects

When you create the Connection object, it should be available as a Connection option for that public IP on the /26 for your DNAT to function.
 
Thanks for the help, but still no luck. Prior to this I had tried creating a "NAT Object", which seems to do the same thing that you mentioned. It shows up under "connection objects" when creating the firewall DNAT rule. When I try it your way by manually adding the connection object, it still does not work.

I'm not seeing any traffic hit the firewall from my tests.

EDIT: I am now seeing SOME traffic. When I ping the external IP that I am trying to NAT to the internal server, I can see some dropped packets at the firewall (the number of entries in the firewall is less than the number of packets that I sent). They are listed as "ICMP Packet Belongs To No Active Session" with a source IP that matches the internal IP of the firewall, and a destination IP that matches the internal IP of the server.
 
Can you post a screenshot of your DNAT rule using the connection object? Just obfuscate the public IP. I'm curious as to what the issue is. I'm not a Barracuda expert, or really have worked with them much, but I have worked with a few of them.
 
Actually, this was a case of PEBKAC. I unchecked PAT, and forgot to check the box for Proxy ARP again when I created the new connection object. I didn't notice until I was looking at the screenshot that I was about to post. Everything is working now.

Thanks again!
 