When applying a NAT rule, it stops our internet traffic and doesn't work


Hi all, in our HQ we have a WAN 2800 router; its LAN Eth0 address is , which is the gateway to all remote offices. Also at HQ we have a firewall connected to the internet; its LAN Eth0 address is . All users on the HQ LAN have their gateway pointing to the WAN 2800. I need to allow all users on the LAN and WAN to use an internet service on TCP port 5631. I need to forward TCP port 5631 from the WAN 2800 router to redirect it to the firewall. When I applied a NAT rule on the 2800 it completely stops internet traffic. All help will be appreciated.

Kind Regards,


paolo bevilacqua Wed, 06/20/2007 - 13:24

Due to your topology, the 2800 cannot have any role in this design.

Now, if the connection is initiated from the inside to outside, toward port 5631, all the PCs should be able to use it and your firewall will do PAT as necessary. If it does not, please check its configuration.

If the connection is initiated from outside to inside, configure a port forward on the firewall. You will be able to specify one single "inside" address for each TCP port forwarded.

Hope this helps, please rate post if it does!

Hi, thanks for the reply.

Our requirement is as stated in your first statement. It is from inside to outside: the PCs point to the WAN 28xx router, and then we need to redirect their requests to the firewall. The firewall PAT is working fine, as if we change the PCs' gateway to the firewall it works fine. Can you please provide an example of the config line required on the 28xx router? Thanks in advance.


paolo bevilacqua Wed, 06/20/2007 - 13:50


The 2811 should not change anything in the packet from inside to outside and vice versa. It is strange that if you set the default GW to the FW address it works, but if set to the router, it does not.

The router should just have route . Optionally you can set "no icmp redirect" so the router would never tell the PCs to use the FW as gateway.

The only thing is that perhaps, for some security reason, the FW wants to see the packets sourced from PCs on the local LAN come in with the same source MAC address it has in its ARP table, something that would not happen if you place the router on the same subnet and it is used as GW by the PCs.
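As an added example (not the poster's configuration, and not taken from the thread), here is what the "route only, no NAT" design described in the answers above looks like on the 2800 in IOS. All addresses, the LAN interface name, the WAN interface name and the remote-office prefix are assumed placeholders: LAN subnet 192.0.2.0/24, router LAN address 192.0.2.1, firewall inside address 192.0.2.2, remote offices in 10.10.0.0/16. The interface command for suppressing redirects in IOS is `no ip redirects`; it is used here for what the answer calls "no icmp redirect".

```cisco
! Added example: 2800 as a plain router between the HQ LAN and the remote offices.
! No "ip nat inside"/"ip nat outside" anywhere: the firewall already does the PAT,
! and a NAT rule on a router whose inside and outside are the same segment is
! what breaks internet traffic in the scenario above.
interface FastEthernet0/0
 description HQ LAN, shared with the firewall inside interface (assumed 192.0.2.2)
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0/0
 description WAN link to the remote offices (assumed interface and prefix)
 ip address 192.0.2.253 255.255.255.252
!
! Remote-office prefixes go out the WAN side
ip route 10.10.0.0 255.255.0.0 Serial0/0/0
!
! Everything else, including TCP/5631, is handed to the firewall, which PATs it
ip route 0.0.0.0 0.0.0.0 192.0.2.2
```

Checks a practitioner would run after applying this: `show ip route` should show the default route via the firewall address and the remote prefixes via the WAN interface, and `show ip nat translations` should be empty, confirming the router is not rewriting anything on the way to the firewall. `no ip redirects` is also a general hardening setting: with it, hosts on the LAN never receive ICMP redirects from the router, so their routing tables cannot be altered by redirect messages, at the cost of the HQ-to-internet traffic always taking the extra hop through the 2800.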

