Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 28 subscribers
  • Views 8473 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASA/Sonicwall to Sophos = Lost - NAT, Dnat, S-nat

ADH

I'm trying to figure out the language and differences.  I am coming across a variety of KB's that seem to confuse me more.

Generally my networks are similar to set up.  I have a range of 6 public IP's i usually use a 1:1 NAT on an ASA.  The default Public IP is usually just for inside clients to use for the internet or PAT. Sometimes i do need it to port forward for security camera systems etc, i think for these i can just use the business rule DNAT template and respective port forwarding.

Generally, i usually map 1 public IP to an inside host, for example Exchange.  How is this done? Specifically, i want the mapping to always be one to one, so MX records/SPF isn't an issue.  On one hand i see a KB to use the business rule to do the DNAT template and specify the public IP I want and inside server and service.  I suspect here i do not enable Rewrite address?  But this still seems to imply the server will use the outside DEFAULT IP for when it tries to go outside the network, ie send an email?  I found this KB about an SNAT to use specifically in this case, but it doesn't say i need to do the DNAT i just set up, or do I?  Is the following KB need a second step in the process as it just defines the outbound mapping for sending an email for example, as i don't see any service ports to allow for say inbound traffic?

https://community.sophos.com/kb/en-us/123294

Hopefully this makes sense...



This thread was automatically locked due to age.
Parents
  • 0

    I just want to clarify, are you asking how to configure a one-to-one NAT rule for a specific server?

  • 0 in reply to Joe Plunkett

    Yes that's what i am after.  The article i posted above seems to imply it, but it may only be part of the steps required?   

  • 0 in reply to ADH

    If you are trying to NAT traffic from the WAN into a protected server that is not the correct guide. 

    If you just want to NAT your internal server out to the WAN than that is what you are looking for. 

     

    I think what you want is the first one - DNAT- am I correct? If that is the case I can write up the steps for you and I think I have the relevant link somewhere for the KB. But basically you need the Business Application rule set in DNAT. Then if you want the traffic from the server to NAT differently then the rest of the traffic on your LAN you will can create a network rule for that. 

  • 0 in reply to Joe Plunkett

    Maybe an example would be easier.

    Lets say i have a firewall as follows:

    1.1.1.2 is the default IP and inside clients use this as their internet access, as defined by the default rule on set up for a new Sophos FW.

    1.1.1.3 should always forward to 192.168.1.3 for email.  It should always use this same outside IP for internet access as well, not 1.1.1.2

    1.1.1.4 should always forward to 192.168.1.4 for WWW.  It should always use this same outside IP for internet access, not 1.1.1.2

    1.1.1.5 should always forward to 192.168.1.5 for RDP.  It should always use this same outside IP for internet access, not 1.1.1.2

    SO, do i need to set up a Business App rule to do the initial outside access in, and then do a SNAT like in the example above to make them always map inside access to outside?  Or is this reflexive option mentioned above good enough?

     

     

  • 0 in reply to ADH

    I'm a little confused by your 1.1.1.x examples but I think you are using those to represent Public IP addresses. 

    First you have to assign all relevant public IP addresses to an interface. This can be done with physical interfaces or Aliases. 

    Then setup you DNAT Business application rules to handle any Inbound traffic NATs. The KB is here:  https://community.sophos.com/kb/en-us/122976

    There are reflexive options and you can test them to see if they work but in my experience they haven't been reliable. 

     

    Now if you look at the #Default_Network_Policy firewall rule which is created by default on every XG you can see at the bottom of the rule how to masq traffic out. You can use a similar setup as the default rule to NAT outbound traffic. 

Reply
  • 0 in reply to ADH

    I'm a little confused by your 1.1.1.x examples but I think you are using those to represent Public IP addresses. 

    First you have to assign all relevant public IP addresses to an interface. This can be done with physical interfaces or Aliases. 

    Then setup you DNAT Business application rules to handle any Inbound traffic NATs. The KB is here:  https://community.sophos.com/kb/en-us/122976

    There are reflexive options and you can test them to see if they work but in my experience they haven't been reliable. 

     

    Now if you look at the #Default_Network_Policy firewall rule which is created by default on every XG you can see at the bottom of the rule how to masq traffic out. You can use a similar setup as the default rule to NAT outbound traffic. 

Children
No Data