
ASA/Sonicwall to Sophos = Lost - NAT, Dnat, S-nat

I'm trying to figure out the language and differences. I am coming across a variety of KBs that seem to confuse me more.

Generally my networks are set up similarly. I have a range of 6 public IPs; I usually use a 1:1 NAT on an ASA. The default public IP is usually just for inside clients to use for the internet, or PAT. Sometimes I do need it to port forward for security camera systems etc.; I think for these I can just use the business rule DNAT template and respective port forwarding.

Generally, I usually map 1 public IP to an inside host, for example Exchange. How is this done? Specifically, I want the mapping to always be one to one, so MX records/SPF isn't an issue. On one hand I see a KB to use the business rule to do the DNAT template and specify the public IP I want and inside server and service. I suspect here I do not enable Rewrite address? But this still seems to imply the server will use the outside DEFAULT IP for when it tries to go outside the network, i.e. send an email? I found this KB about an SNAT to use specifically in this case, but it doesn't say I need to do the DNAT I just set up, or do I? Does the following KB need a second step in the process, as it just defines the outbound mapping for sending an email for example, as I don't see any service ports to allow for say inbound traffic?

https://community.sophos.com/kb/en-us/123294

Hopefully this makes sense...



  • I just want to clarify, are you asking how to configure a one-to-one NAT rule for a specific server?

  • Yes, that's what I am after. The article I posted above seems to imply it, but it may only be part of the steps required?

  • ADH said:

    On one hand I see a KB to use the business rule to do the DNAT template and specify the public IP I want and inside server and service. I suspect here I do not enable Rewrite address? But this still seems to imply the server will use the outside DEFAULT IP for when it tries to go outside the network, i.e. send an email?

    Correct me if I am wrong, but I believe your goal is that once you do a 1:1 mapping for a server, it should use that same public IP while going out?

    In that case, please try enabling 'Reflexive Rule' in the respective Business Application Rule.

    If that does not work, disable that option and create a Network Rule below for that specific server and in Routing and NAT create a Custom NAT Profile in Profile -> Network Address Translation for the respective Public IP and use that to NAT the Inside -> Outside traffic for your server.


    Tip: If your local network machines are unable to access the server by Public IP, also add LAN Zone in the 'Source Zone' along with WAN Zone in your Business Application Rule.

  • Hi. Thanks for the reply. So I would need the two rules then in order to get it going if the reflexive option doesn't work?

  • If you are trying to NAT traffic from the WAN into a protected server that is not the correct guide. 

    If you just want to NAT your internal server out to the WAN, then that is what you are looking for.


    I think what you want is the first one (DNAT), am I correct? If that is the case I can write up the steps for you, and I think I have the relevant link somewhere for the KB. But basically you need the Business Application rule set in DNAT. Then if you want the traffic from the server to NAT differently than the rest of the traffic on your LAN, you can create a network rule for that.

  • Maybe an example would be easier.

    Let's say I have a firewall as follows:

    1.1.1.2 is the default IP and inside clients use this as their internet access, as defined by the default rule on set up for a new Sophos FW.

    1.1.1.3 should always forward to 192.168.1.3 for email.  It should always use this same outside IP for internet access as well, not 1.1.1.2

    1.1.1.4 should always forward to 192.168.1.4 for WWW.  It should always use this same outside IP for internet access, not 1.1.1.2

    1.1.1.5 should always forward to 192.168.1.5 for RDP.  It should always use this same outside IP for internet access, not 1.1.1.2

    So, do I need to set up a Business App rule to do the initial outside access in, and then do a SNAT like in the example above to make them always map inside access to outside? Or is this reflexive option mentioned above good enough?


  • I'm a little confused by your 1.1.1.x examples but I think you are using those to represent Public IP addresses. 

    First you have to assign all relevant public IP addresses to an interface. This can be done with physical interfaces or Aliases. 

    Then set up your DNAT Business Application rules to handle any inbound traffic NATs. The KB is here: https://community.sophos.com/kb/en-us/122976

    There are reflexive options and you can test them to see if they work but in my experience they haven't been reliable. 


    Now if you look at the #Default_Network_Policy firewall rule which is created by default on every XG you can see at the bottom of the rule how to masq traffic out. You can use a similar setup as the default rule to NAT outbound traffic.
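As an added illustration of the behaviour discussed in the 1.1.1.x example post and in the reply above (this is a constructed Python model written for this page, not code from the thread and not Sophos XG's own implementation), the block below evaluates a first-match NAT table. It shows the three outcomes being debated: inbound DNAT on its own delivers mail to 192.168.1.3 but the server's replies still leave as the default IP 1.1.1.2; a per-host SNAT placed above the catch-all masquerade (or a DNAT rule marked reflexive, modelled here as an implicit reverse SNAT) makes it leave as 1.1.1.3; and a per-host SNAT placed below the catch-all never matches. The external addresses 203.0.113.9 and 198.51.100.5 are constructed sample values, and the 1.1.1.x/192.168.1.x addresses follow the poster's example.

```python
"""Toy first-match NAT evaluator (constructed example; not Sophos code).

DNAT rewrites the destination of inbound WAN traffic (public IP -> host).
SNAT rewrites the source of outbound LAN traffic (host -> chosen public IP).
Rules are evaluated top-down and the first match wins, so a per-host SNAT
must sit above the catch-all masquerade rule or it will never be reached.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class DnatRule:
    public_ip: str
    internal_ip: str
    ports: Tuple[int, ...] = ()   # exposed services; () means every port
    reflexive: bool = False       # also SNAT the host's outbound traffic


@dataclass
class SnatRule:
    match_src: str   # CIDR of internal sources this rule applies to
    to_ip: str       # public source address to leave with


@dataclass
class NatTable:
    dnat: List[DnatRule] = field(default_factory=list)
    snat: List[SnatRule] = field(default_factory=list)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: first DNAT rule whose public IP and port match."""
        for r in self.dnat:
            if pkt.dst == r.public_ip and (not r.ports or pkt.dport in r.ports):
                return Packet(pkt.src, r.internal_ip, pkt.dport)
        return None  # no published service: the firewall would drop it

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN: reflexive DNAT entries first, then explicit SNAT rules."""
        for r in self.dnat:
            if r.reflexive and pkt.src == r.internal_ip:
                return Packet(r.public_ip, pkt.dst, pkt.dport)
        for r in self.snat:
            if ip_address(pkt.src) in ip_network(r.match_src):
                return Packet(r.to_ip, pkt.dst, pkt.dport)
        return None


# Constructed sample addresses: poster's 1.1.1.x public block, RFC 5737 externals.
MAIL_HOST, MAIL_PUBLIC, DEFAULT_PUBLIC = "192.168.1.3", "1.1.1.3", "1.1.1.2"
INBOUND_SMTP = Packet("203.0.113.9", MAIL_PUBLIC, 25)
OUTBOUND_SMTP = Packet(MAIL_HOST, "198.51.100.5", 25)
WORKSTATION_HTTPS = Packet("192.168.1.50", "198.51.100.5", 443)


def dnat_plus_masquerade() -> NatTable:
    """Business rule DNAT only, plus the default LAN->WAN masquerade."""
    t = NatTable()
    t.dnat.append(DnatRule(MAIL_PUBLIC, MAIL_HOST, (25, 443)))
    t.snat.append(SnatRule("192.168.1.0/24", DEFAULT_PUBLIC))
    return t


def with_per_host_snat(above_catchall: bool = True) -> NatTable:
    """Add a /32 SNAT for the mail server; placement decides whether it works."""
    t = dnat_plus_masquerade()
    rule = SnatRule(f"{MAIL_HOST}/32", MAIL_PUBLIC)
    t.snat.insert(0, rule) if above_catchall else t.snat.append(rule)
    return t


def with_reflexive_dnat() -> NatTable:
    """Mark the DNAT rule reflexive instead of adding a separate SNAT."""
    t = NatTable()
    t.dnat.append(DnatRule(MAIL_PUBLIC, MAIL_HOST, (25, 443), reflexive=True))
    t.snat.append(SnatRule("192.168.1.0/24", DEFAULT_PUBLIC))
    return t


def mail_egress_ip(t: NatTable) -> Optional[str]:
    """Public source IP the mail server's outbound SMTP carries (SPF-relevant)."""
    out = t.outbound(OUTBOUND_SMTP)
    return out.src if out else None


if __name__ == "__main__":
    for name, t in [("dnat + masquerade", dnat_plus_masquerade()),
                    ("per-host SNAT above", with_per_host_snat(True)),
                    ("per-host SNAT below", with_per_host_snat(False)),
                    ("reflexive DNAT", with_reflexive_dnat())]:
        print(f"{name:22} inbound -> {t.inbound(INBOUND_SMTP).dst:12}"
              f" mail egress {mail_egress_ip(t)}"
              f" workstation egress {t.outbound(WORKSTATION_HTTPS).src}")
```

The check a practitioner wants is the last column pair: the mail server's egress address must equal the address its MX/SPF record publishes, while ordinary workstations keep using the default IP. The "per-host SNAT below" case is the ordering mistake that makes a correctly written rule silently do nothing.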