
NAT - Static route

Simple question on Sophos XG Home: how do you switch off NAT and enable static routes?

I have tried within the firewall rule and the primary gateway. I looked through the forum but none of the threads seem to answer the question.



  • Hi Mike,

    Static routes are enabled by default when you create one under Configure > Routing > Static Routing.

    There's no global way of disabling NAT services. You would just turn off any Business Application NAT rules that you have created under Protect > Firewall. 

    For SNATs you've created, it would be under your Firewall Rule > NAT & Routing.

    Cheers,
    Karlos

  • Karlos,

    I have no business application firewall rules enabled. There is one LAN to WAN firewall rule with NAT Masquerade enabled; the moment I switch it to None, it doesn't work, despite my having put a static route 0.0.0.0 to the default gateway on LAN port 2.

  • Double NATing is not recommended. Especially if you have internal servers you need access to from the outside.

    On the XG side, the only configuration you need to setup is Masquerading your LAN to your WAN interface. It is your ISP router's responsibility to NAT traffic out to the Internet from there. 

    Best,
    Karlos

  • Karlos,


    Thanks for your help. Looking at the live connections I can see that between the ISP router and the Sophos I am double NATed. I would like to establish the steps I need to stop NAT on the Sophos and only have this happening on the ISP router. I had assumed this was "None" under the firewall rule and a static route 0.0.0.0 to the ISP default gateway 192.168.0.254; I tried this and it did not work.

  • Mike,

    Did you try creating a LAN to WAN firewall rule and unchecking "rewrite source address" under the Advanced section?

  • Luk

    Yes, I tried that with the primary gateway as DG.

  • Mike,

    Check traffic using tcpdump to understand what XG is doing on output packets. Maybe it translates the packets even if NAT is disabled on that rule.

    One question: are the XG and the router on the same network mask? Please upload a network diagram. It will help.

    Thanks

  • lferrara said:

    Mike,

    Check traffic using tcpdump to understand what XG is doing on output packets. Maybe it translates the packets even if NAT is disabled on that rule.

    One question: are the XG and the router on the same network mask? Please upload a network diagram. It will help.

    Thanks


    lferrara,

    I will check the tcpdump over the next few days. See the attached network diagram.

    Genexis Fibre 192.168.0.x - Sophos 192.168.1.x - Unifi USG (currently, but I can take this out as per the diagram) 192.168.2.x/3.x/4.x etc. on VLANs


  • Thanks Mike for the network diagram.

    If the "no NAT" option in the firewall rule does not work, I guess you cannot achieve it using XG. The only way, I guess, is to enable NAT on the rules and let the XG translate the internal IP to its WAN IP.

    It is strange that it does not allow you to do it.

    What is wrong with double NATting? I have the same at home, where I have another NAT device.

    Sophos should explain why the NO NAT on firewall rules does not work if the destination zone is WAN. I have other VLAN rules where NAT is not needed and it works.

    Let's see if someone from Sophos can clarify it.

  • Hi Mike &  

    To clarify, double NATing is absolutely possible. We only recommend against it as it can pose problems when DNATing into internal servers and with VPN connections. 

    With that said, you'd prefer not to double NAT and just pass traffic from your LAN to WAN? You can do this transparently by converting your XG to Bridged Mode. For more information about that, see our KB article: Sophos XG Firewall: How to deploy in bridge mode

    It seems you are trying to achieve this but keep your XG in Gateway mode. I have not personally tested that setup of disabling MASQ on your LAN->WAN rule and just setting up the Primary Gateway as your WAN interface. A static default route should not be necessary when your Primary Gateway is specified. Perhaps disable that also, along with disabling MASQ and see if there is a difference. With those disabled, if it's still not working, run a packet capture as you send outbound Internet traffic from a LAN endpoint and post so I can understand better.

    Thanks!

    Best,

    Karlos
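lferrara's tcpdump suggestion and Karlos's request for a packet capture in the reply above both come down to one check: does the packet leaving the WAN interface still carry the LAN host's source address, or has the XG rewritten it? The script below is an added example, not code from this thread or from Sophos. It parses two tcpdump captures taken at the same time on the LAN-facing and WAN-facing interfaces while a LAN host opens outbound connections, pairs each SYN across the two captures, and reports which flows were masqueraded, which left unchanged, and which never appeared on the WAN side. The capture text, the hosts and the WAN address 192.168.0.2 are constructed placeholders for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample captures (not from the thread) in the default
# "tcpdump -n -i <iface>" line format for outbound TCP SYNs.
LAN_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.11.40000 > 203.0.113.9.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 192.168.1.12.40001 > 203.0.113.20.22: Flags [S], seq 3, win 64240, length 0
"""
# Flow 1 was masqueraded to the (placeholder) XG WAN address 192.168.0.2,
# flow 2 left with its LAN source intact, flow 3 never reached the WAN side.
WAN_CAPTURE = """\
12:00:01.000101 IP 192.168.0.2.1024 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000102 IP 192.168.1.11.40000 > 203.0.113.9.80: Flags [S], seq 2, win 64240, length 0
"""

# Matches: <ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq <n>, ...
# Assumption: IPv4 TCP with a plain seq value, which holds for the opening SYN.
_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

FlowKey = Tuple[str, int, int]  # (dst ip, dst port, TCP seq): untouched by SNAT


def parse_tcpdump(text: str) -> List[dict]:
    """Parse tcpdump text lines into packet dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            packets.append({
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "flags": m["flags"], "seq": int(m["seq"]),
            })
    return packets


def compare_captures(lan_text: str, wan_text: str) -> Dict[FlowKey, dict]:
    """Pair each LAN-side SYN with the same SYN on the WAN side.

    Source NAT changes only the source address/port, so destination address,
    destination port and TCP sequence number identify a flow on both sides.
    A different source address on the WAN side means the firewall masqueraded it.
    """
    wan_syns = {
        (p["dst"], p["dport"], p["seq"]): p
        for p in parse_tcpdump(wan_text) if p["flags"] == "S"
    }
    result: Dict[FlowKey, dict] = {}
    for p in parse_tcpdump(lan_text):
        if p["flags"] != "S":
            continue
        key = (p["dst"], p["dport"], p["seq"])
        w = wan_syns.get(key)
        result[key] = {
            "lan_src": f'{p["src"]}:{p["sport"]}',
            "wan_src": f'{w["src"]}:{w["sport"]}' if w else None,
            "seen_on_wan": w is not None,
            "masqueraded": w is not None and w["src"] != p["src"],
        }
    return result


def summarize(result: Dict[FlowKey, dict]) -> dict:
    """Count flows by what happened to them between the LAN and WAN captures."""
    flows = list(result.values())
    return {
        "flows": len(flows),
        "masqueraded": sum(f["masqueraded"] for f in flows),
        "unchanged": sum(f["seen_on_wan"] and not f["masqueraded"] for f in flows),
        "dropped": sum(not f["seen_on_wan"] for f in flows),
    }


if __name__ == "__main__":
    flows = compare_captures(LAN_CAPTURE, WAN_CAPTURE)
    for key, info in flows.items():
        print(key, info)
    print(summarize(flows))
```

Capture each side with `tcpdump -n -i <interface>` (standard tcpdump flags), save the text, and pass it to `compare_captures`. A flow reported as masqueraded means the rule is still rewriting the source despite the setting; a flow that leaves unchanged but never gets a reply means the XG has done what was asked and the problem lies upstream, since the ISP router then has to know how to reach the 192.168.1.x network for the return traffic.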
