
Migrating Watchguard Internal NAT to Sophos XG330

Hello All,

 

I am in the process of migrating to a new Sophos XG330. I am attempting to duplicate policies from the Watchguard to the new Sophos device.

 

To summarize a Watchguard policy that is giving me trouble:

 

From: Any

To: *public ip* which then NATs an internal IP address of 10.0.0.23 and Port 8080

To Port: 5000

 

So it seems the Watchguard is taking traffic directed toward the public ip address, then converting it to 10.0.0.23 with the internal port of 8080, which is then translated to port 5000.

 

The problem is, I am not seeing an internal NAT option within the Business Rule I am creating in the Firewall tab.



  • Hi,

    I'm struggling with this part:

    So it seems the Watchguard is taking traffic directed toward the public ip address, then converting it to 10.0.0.23 with the internal port of 8080, which is then translated to port 5000.

     

    What XG can do:

     

    Client:Internet tries to access a server behind XG.

     

    Packet looks like:

    SRC: 1.2.3.4 Port 12345

    DST: XG:WAN:IP Port 5000

     

    DNAT Packet on LAN XG Interface / or what the Server will see:

    SRC: 1.2.3.4 Port 12345

    DST: SERVER:IP Port 8080

     

    Also possible: (Called FullNAT / Destination + Source NAT).

    DNAT Packet on LAN XG Interface / or what the Server will see:

    SRC: XG:LAN:IP Port 12345

    DST: SERVER:IP Port 8080

     

     

    Your query sounds like you want to change port 12345 on the XG LAN? That would destroy the possibility of differentiating the connections later in conntrack.

     

    Cheers

  • Thank you for the reply and sorry for the confusion. Your post helped me see what I believe is actually occurring within the Watchguard firewall.

     

    Source: Any

    To: *Public IP* on port TCP 18495 

    Translated to: 10.0.0.255:1433

     

    So it appears the outside traffic directed at the *public ip* with port 18495 is translated to a local IP of 10.0.0.255 on port 1433. I believe you may have helped me solve the issue.
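A small model of the two translations described in the reply above (plain DNAT, where the client source is kept, and Full NAT, where the source is rewritten to the XG LAN IP) together with the final rule the original poster worked out (public port 18495 to 10.0.0.255:1433). This is an added example, not part of the original thread and not Sophos or WatchGuard code. The public IP 203.0.113.10, the XG LAN IP 10.0.0.1 and the client addresses are constructed placeholders, and the conntrack table is a simplified stand-in for the state a firewall keeps so that the server's reply can be mapped back to the client. Note that the source port is never rewritten on the inbound path, which is what keeps two connections distinguishable.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    """One direction of a TCP flow: the 4-tuple the firewall rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class NatRule:
    """Match traffic to a public IP:port and rewrite the destination to an
    internal server. If snat_ip is set, the source is rewritten as well
    (Full NAT / Destination + Source NAT)."""
    match_dst_ip: str
    match_dst_port: int
    to_ip: str
    to_port: int
    snat_ip: Optional[str] = None


class NatBox:
    """Toy firewall: applies the first matching rule and records the
    translation so replies from the server can be un-NATed."""

    def __init__(self, rules: Iterable[NatRule]) -> None:
        self.rules: List[NatRule] = list(rules)
        # key: flow as the server sees it, value: flow as the client sent it
        self.conntrack: Dict[Packet, Packet] = {}

    def inbound(self, pkt: Packet) -> Packet:
        for rule in self.rules:
            if (pkt.dst_ip, pkt.dst_port) == (rule.match_dst_ip, rule.match_dst_port):
                translated = Packet(
                    src_ip=rule.snat_ip or pkt.src_ip,  # source kept unless Full NAT
                    src_port=pkt.src_port,              # source port is never rewritten
                    dst_ip=rule.to_ip,
                    dst_port=rule.to_port,
                )
                self.conntrack[translated] = pkt
                return translated
        return pkt  # no NAT rule matched; the packet is left as-is

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client packet. Returns the packet as the client will see
        it, or None when no connection is known (a stateful firewall drops it)."""
        original = self.conntrack.get(pkt.reverse())
        if original is None:
            return None
        return original.reverse()


PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the XG WAN IP
XG_LAN_IP = "10.0.0.1"       # constructed stand-in for the XG LAN IP

RULES = [
    # plain DNAT from the reply: WAN:5000 -> 10.0.0.23:8080, client source kept
    NatRule(PUBLIC_IP, 5000, "10.0.0.23", 8080),
    # the rule from the WatchGuard policy: WAN:18495 -> 10.0.0.255:1433
    NatRule(PUBLIC_IP, 18495, "10.0.0.255", 1433),
]

FULL_NAT_RULES = [
    # same service, but the server sees the XG LAN IP as the source
    NatRule(PUBLIC_IP, 5000, "10.0.0.23", 8080, snat_ip=XG_LAN_IP),
]


def walk_flow(rules: Iterable[NatRule], client_pkt: Packet):
    """Run one client packet in and the server's answer back out.
    Returns (what the server sees, what the client gets back)."""
    box = NatBox(rules)
    at_server = box.inbound(client_pkt)
    server_answer = at_server.reverse()  # the server replies to what it saw
    return at_server, box.reply(server_answer)


if __name__ == "__main__":
    client = Packet("1.2.3.4", 12345, PUBLIC_IP, 5000)
    for name, rules in (("DNAT", RULES), ("Full NAT", FULL_NAT_RULES)):
        seen, back = walk_flow(rules, client)
        print(f"{name}: server sees {seen}, client gets {back}")
```

With plain DNAT the server logs the real client address 1.2.3.4, which is what you usually want for auditing; with Full NAT it only ever sees 10.0.0.1, so the firewall's own logs become the only place the client address is recorded.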
