
firewall policy not allowing traffic



    Hi guys,

    I am very new to GTA firewall. I inherited a GTA firewall.

    Recently I configured a direct connection between a GTA 2000x (running GBOS 5.4) and a Cisco ASA. The network topology is as follows:


    Source network (Cisco ASA):
    Destination network (GTA 200X):
    Protocol: Any

    The Packet Tracer result on the Cisco ASA shows traffic is allowed from testPC-B to testPC-A.

    Security policy logs on the GTA 2000X is showing the following:

    Sep 28 17:06:12 pri=4 pol_action=block count=6 msg="Invalid NAT request" duration=9 proto=80/tcp src= srcport="55518 (3), 55519 (3)" dst= dstport=80 interface="SY3" attribute=alarm flags=0xc2

    This might be some sort of NAT issue (might be no nat rules need to apply on the GTA).

    Any help on this is highly appreciated.

    Last edited by gtajami; 2015-09-28, 03:44.

  • #2
    Hello Jami,

    By default the GTA firewalls NAT all traffic through it. In your case, if you are attempting to NAT traffic from an External interface to a Protected or PSN interface, this will not be allowed and will cause an "Invalid NAT request".

    During NAT cases you have the following:
    1) Traffic sourced from Protected interfaces can communicate to any other interfaces type, including other protected.
    2) Traffic sourced from PSN interfaces can communicate only with the External interface type. Traffic to Protected and PSN interfaces is blocked with "Invalid NAT request".
    3) Traffic sourced from External interfaces cannot communicate with any other interface types. Any attempt will be blocked with "Invalid NAT request".

    The other alternative is to remove NAT with a Hosts/Networks policy between the subnet and External interface, enabling the inbound option. With NAT removed you can then allow the traffic with Passthrough security policies.

    I hope that helps.


    • gtajami commented
      Hi Rick,

      Thanks for your help - I am really glad that you replied on this.

      I have created "inbound" rules in "Network > Pass Through > Hosts/Networks" - it's working fine!

      You have a good day.
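As an added example that is not part of the thread or of GTA's own tooling, the following Python parses a GBOS security-policy log line in the format quoted above (the blank src=/dst= values are filled with constructed placeholder addresses) and applies the default NAT rule between interface types exactly as Rick's reply describes it, so a block like the one Jami saw can be explained from the log plus the two interface types involved.

```python
import re

# Constructed sample in the format quoted in the thread; the src=/dst=
# addresses are placeholders, since the original line had them blank.
SAMPLE_LOG = (
    'Sep 28 17:06:12 pri=4 pol_action=block count=6 msg="Invalid NAT request" '
    'duration=9 proto=80/tcp src=192.0.2.10 srcport="55518 (3), 55519 (3)" '
    'dst=198.51.100.20 dstport=80 interface="SY3" attribute=alarm flags=0xc2'
)

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PORT_RE = re.compile(r"\s*(\d+)(?:\s*\((\d+)\))?")


def parse_gbos_log(line):
    """Split a GBOS policy log line into its syslog timestamp and key/value fields."""
    fields = {"timestamp": line[:15]}  # "Sep 28 17:06:12" style prefix
    for m in KV_RE.finditer(line[16:]):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    # srcport aggregates several ports with hit counts: "55518 (3), 55519 (3)"
    if "srcport" in fields:
        ports = {}
        for part in fields["srcport"].split(","):
            pm = PORT_RE.match(part)
            ports[int(pm.group(1))] = int(pm.group(2) or 1)
        fields["srcport"] = ports
    return fields


def nat_allowed(src_type, dst_type):
    """Default GBOS NAT behaviour by interface type, as stated in the reply."""
    if src_type == "protected":
        return True                      # Protected may reach any interface type
    if src_type == "psn":
        return dst_type == "external"    # PSN only outward to External
    return False                         # External-sourced traffic is never NATed in


def diagnose(line, src_type, dst_type):
    """Return a one-line explanation for an 'Invalid NAT request' block."""
    f = parse_gbos_log(line)
    if f.get("msg") != "Invalid NAT request":
        return "not a NAT block: msg=%r" % f.get("msg")
    if nat_allowed(src_type, dst_type):
        return "NAT direction %s->%s is permitted; look elsewhere" % (src_type, dst_type)
    return ("%d packets from %s blocked on %s: default NAT does not allow %s->%s; "
            "remove NAT with an inbound Hosts/Networks policy and use Passthrough"
            % (int(f["count"]), f["src"], f["interface"], src_type, dst_type))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "external", "protected"))
```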