Match default rule, DNAT Packet, DROP

Hoygen83Hoygen83 Member Posts: 12  Freshman Member
edited March 8, 2020 6:40PM in ZyWALL ATP Series

I just deployed an ATP200 and upgraded his firmware to the V4.35(ABFW.3)

Then I made a nat rule:

from public_ip port xxxx translate to internal_ip port yyyy

I made the relevant security policy:

from wan1 to internal_ip port xxxx allow

I keep getting "Match default rule, DNAT Packet, DROP"

How can I troubleshoot using the web console or the tools inside the firewall and see why DNAT is failing?

Also I would troubleshoot if It is missing a route, or pat (port address translation) is failing or nat (network address) is failing.

Accepted Solution

All Replies

  • Hoygen83Hoygen83 Member Posts: 12  Freshman Member

    Trying to troubleshoot the message: "Match default rule, DNAT Packet, DROP"

    i edited the security policy that now is.

    from wan to internal_ip allow all

    and the log message changed, now it is:

    priority:1, from WAN to ANY, TCP, service others, DNAT Packet, ACCEPT

    but if i telnet to public_ip xxxx i still get impossible to get connection.

  • Zyxel_JerryZyxel_Jerry Moderator, Zyxel Offical Agent Posts: 348  mod

    Hi @Hoygen83

    You can check if the telnet service is enabled on the device.

    Go to Configuration > System > TELNET > enable the telnet, and try to telnet again

  • Hoygen83Hoygen83 Member Posts: 12  Freshman Member

    thanks the service is up.

    But still i have the issue.

  • @Hoygen83
    I was having the same issue on a USG60 with a simple SSH configuration. I kept getting the same DNAT error. In my case I changed the IPv4 Source from a Geo_filter to "any" and the ssh traffic could then flow. @Zyxel_Jerry is this expected behavior? Why does a geographic filter cause the DNAT to fail?

    if activated here:

    results in:

    Whereas if policy is as such:

    results in:

  • Zyxel_CharlieZyxel_Charlie Moderator, Zyxel Offical Agent Posts: 996  mod
    Have you checked your public IP address on GeoIP page of device?

    For your description, it seems the Public IP does not belong in US country, so the session will be drop.
  • PeterUKPeterUK Member Posts: 735  Guru Member
    Is Content Filter license enabled? 
Sign In to comment.