
How to create a rule for 1-to-1 NAT without opening access from the Internet?

Hi, we are using Sophos XG UTM.

We have a server which needs to access the Internet with a specific WAN IP address. It's different from the UTM outside interface IP.

But it should not allow any access from the Internet to this server.


It seems we must select Services in a business rule for DNAT/Full NAT/Load balancing.

Should I use a User/Network rule for LAN to WAN with "Override default NAT policy for specific gateway"?



  • Hi,

    To me a simple network rule would do. Why do you need all services for the server? Why not provide improved security with limited services?

    Ian

  • Hi Ian,

    It's because some applications need random-port Internet access to get updates.

    BTW, I configured rules for another application server which would accept access from the Internet.

    Is there any better way to configure it?


    Rule 1 - Host1 Access Internet (User/Network rule)

    Source: LAN Host1

    Destination: WAN Any Any

    Rewrite source address: 203.13.222.11


    Rule 2 - Host1 Application (Business rule)

    Source: WAN Any

    Destination: 203.13.222.11 ICMP and TCP 2847

    Protected Server: LAN Host1

    Create Reflexive Rule: enabled


    Rule 3 - Host1 Remote access (Business rule)

    Source: WAN Office IP Exclude all countries except US

    Destination: 203.13.222.11 TCP 22

    Protected Server: LAN Host1

    Create Reflexive Rule: enabled

  • Hi Steve,

    You are confusing external access with the server initiating access. You do not need any incoming rules for the server to access the updates, but you will need to review what sites it attempts to visit to ensure that the firewall rules allow server access.

    Ian

  • Hi Ian,

    Thanks for your advice. However, the server couldn't access the Internet without this rule.

    Rule 1 - Host1 Access Internet (User/Network rule)

    Source: LAN Host1

    Destination: WAN Any Any

    Rewrite source address: 203.13.222.11

    I tried to enable "Rewrite source address" in the other two business rules. It could access the Internet, but it would change the source IP of traffic from the Internet to 203.13.222.11.

    My requirement is quite simple.

    - NAT Host1 to 203.13.222.11

    - Accept traffic from the Internet to Host1 port TCP 2847 with WAN IP 203.13.222.11

    - Accept any traffic from Host1 to the Internet with WAN IP 203.13.222.11

  • Hi,

    You need two rules:

    1/. Network type rule for outgoing: source LAN - network (fileserver name) - destination WAN - ANY - ANY (the protocol, which is a bit open for a server, can be restricted to improve security).

    2/. Business type rule for incoming. I assume you have a user or another system connecting on the incoming port?

    Ian
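The point Ian makes in the two posts above (a source-rewrite rule for outgoing traffic admits nothing from the Internet; only the DNAT business rules do) can be checked against Steve's three requirements with a small stateful-NAT model. The following is an added example written for this thread, not Sophos code and not anything either poster ran. It assumes a LAN address for Host1, an office address for the SSH rule and an update server address (all from documentation ranges and chosen here), keeps the 203.13.222.11 WAN IP and the port numbers from the thread, and also models what Steve observed when "Rewrite source address" was ticked on the inbound business rules: Host1 stops seeing the real client address.

```python
from dataclasses import dataclass

HOST1 = "192.168.1.10"       # assumed LAN address of Host1 (not given in the thread)
PUBLIC_IP = "203.13.222.11"  # the dedicated WAN IP from the thread
OFFICE_IP = "198.51.100.7"   # assumed office address for the SSH rule
UPDATE_SERVER = "192.0.2.50" # assumed update server Host1 talks to
STRANGER = "198.51.100.99"   # assumed arbitrary Internet host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def reverse(p):
    """The 5-tuple of a reply to p."""
    return Packet(p.dst, p.dport, p.src, p.sport, p.proto)


class Firewall:
    """Toy stateful NAT box carrying Steve's three rules."""

    def __init__(self, rewrite_source_on_dnat=False):
        # Mimics ticking "Rewrite source address" on the inbound business
        # rules too: the DNAT'd packet's *source* becomes PUBLIC_IP as well.
        self.rewrite_source_on_dnat = rewrite_source_on_dnat
        self.wan_to_lan = {}  # WAN-side 5-tuple -> packet as delivered on the LAN
        self.lan_to_wan = {}  # LAN-side 5-tuple -> packet as sent on the WAN
        # Rule 2 and Rule 3: (proto, port, allowed sources; None = anywhere).
        # Port collisions between flows are ignored in this model.
        self.dnat_rules = [("tcp", 2847, None), ("tcp", 22, {OFFICE_IP})]

    def _record_outbound(self, lan_pkt, wan_pkt):
        # Forward direction plus the translation of the expected reply
        self.lan_to_wan[lan_pkt.key()] = wan_pkt
        self.wan_to_lan[reverse(wan_pkt).key()] = reverse(lan_pkt)

    def _record_inbound(self, wan_pkt, lan_pkt):
        self.wan_to_lan[wan_pkt.key()] = lan_pkt
        self.lan_to_wan[reverse(lan_pkt).key()] = reverse(wan_pkt)

    def egress(self, pkt):
        """LAN -> WAN. Returns the packet as sent on the WAN, or None if dropped."""
        if pkt.key() in self.lan_to_wan:        # reply to a DNAT'd connection
            return self.lan_to_wan[pkt.key()]
        if pkt.src != HOST1:
            return None                         # other LAN hosts are out of scope here
        # Rule 1: any destination, any service, source rewritten to PUBLIC_IP
        wan_pkt = Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        self._record_outbound(pkt, wan_pkt)
        return wan_pkt

    def ingress(self, pkt):
        """WAN -> LAN. Returns the packet as delivered to the LAN, or None if dropped."""
        if pkt.key() in self.wan_to_lan:        # reply to something Host1 started
            return self.wan_to_lan[pkt.key()]
        if pkt.dst != PUBLIC_IP:
            return None
        for proto, port, sources in self.dnat_rules:
            if (pkt.proto, pkt.dport) == (proto, port):
                if sources is not None and pkt.src not in sources:
                    return None                 # right port, wrong source
                src = PUBLIC_IP if self.rewrite_source_on_dnat else pkt.src
                lan_pkt = Packet(src, pkt.sport, HOST1, port, proto)
                self._record_inbound(pkt, lan_pkt)
                return lan_pkt
        return None  # no DNAT rule matches: Rule 1 alone opened nothing


def demo(rewrite_source_on_dnat=False):
    """Run constructed traffic through the model and collect what each side sees."""
    fw = Firewall(rewrite_source_on_dnat)
    r = {}
    # Host1 fetches an update from a random high port; the reply is un-NATed
    out = fw.egress(Packet(HOST1, 40001, UPDATE_SERVER, 8443))
    r["update_src"] = out.src if out else None
    back = fw.ingress(Packet(UPDATE_SERVER, 8443, PUBLIC_IP, 40001))
    r["update_reply_dst"] = back.dst if back else None
    # Unsolicited probe to another high port: no flow, no DNAT rule, dropped
    r["probe"] = fw.ingress(Packet(STRANGER, 5555, PUBLIC_IP, 40002))
    # Application port (Rule 2) from anywhere, and Host1's reply back out
    app = fw.ingress(Packet(STRANGER, 5556, PUBLIC_IP, 2847))
    r["app"] = (app.src, app.dst) if app else None
    reply = fw.egress(Packet(HOST1, 2847, app.src, 5556)) if app else None
    r["app_reply_src"] = reply.src if reply else None
    # SSH (Rule 3) from the office versus from elsewhere
    r["ssh_office"] = fw.ingress(Packet(OFFICE_IP, 5557, PUBLIC_IP, 22)) is not None
    r["ssh_other"] = fw.ingress(Packet(STRANGER, 5558, PUBLIC_IP, 22)) is not None
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    print("app with source rewrite:", demo(rewrite_source_on_dnat=True)["app"])
```

Running it shows the outbound rule producing 203.13.222.11 as the source of Host1's update traffic and un-NATing the reply, the probe to an unused port dropped, TCP 2847 reachable from anywhere, TCP 22 only from the office, and, with the source rewrite enabled on the inbound rules, Host1 seeing 203.13.222.11 instead of the client's address, which is what Steve reported and which would also defeat any host-side logging or filtering by client IP.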

  • Thanks Ian, but I have different restrictions on the source IP for RDP and the application port.

    So, I need two separate business rules for RDP and the application port, right?
