
One to one NAT - multiple servers

Very basic setup questions - but I'm new to the XG series after years with the Cisco ASA. Have a block of 5 public IPs (248 subnet) assigned to the WAN interface on port 2. First IP is the firewall (.233) with all the LAN systems NATed behind it; I need to send the remaining 4 to 4 different internal (LAN) servers with specific ports on each. Example is 2nd public IP (.234) goes to the mail server at 10.1.1.4 with only SMTP, HTTP and HTTPS traffic allowed. On the ASA I would set up a static route (one to one NAT) between .234 and 10.1.1.4, set a rule allowing SMTP, HTTP and HTTPS and so on, but I'm not even sure where to begin on the XG 125 interface and the documentation is all over the board. Any help is greatly appreciated!



  • Thanks Jevin - that looks like what I need. I'll set it up and let you know how it works.


    Jack

  • So we set the DNAT up - added the additional IP addresses to port 2 as alias IPs and set up the DNAT rules as shown in the KB article. When the firewall is placed on the network all the servers behind it show the main IP of the firewall (not the alias they are pointed to) and don't allow any of the traffic assigned to the rule through. Example rule:

    Source Zone: WAN

    Allowed Client Networks: Any

    Destination Host / Network : Port2.0 xxx.xxx.xxx.234

    Services: HTTP, HTTPS, SMTP

    Protected Server: Mail Server (10.1.1.4)

    Protected Zone: LAN

    Routing: nothing checked


    When connected the server shows a public IP of .233 and none of the ports are allowed through. Seems as though I'm missing a NAT rule somewhere?


  • Jack Drose said:
    When connected the server shows a public IP of .233 and none of the ports are allowed through. Seems as though I'm missing a NAT rule somewhere?

    Are you referring to your mail server? Your local mail server's outgoing connections are going through the firewall IP?

  • Yes - we have 4 servers all DNATed to their own public IP (.234, .235, .236, .237) but all of them show the primary firewall IP address (.233). The mail server is supposed to be at .234 but it resolves to .233 like the others.

  • Make sure WAN to LAN policies are above LAN to WAN policies. Mail server local IP may be using the normal LAN to WAN policy to communicate which usually has MASQ enabled.


  • Thanks - are you referring to the firewall rules? If so how (or where) do I change the order?

  • You should be able to just drag the WAN-LAN policy to the top or you can recreate WAN to LAN policy and select RULE POSITION as top inside the policy.

    How do you confirm that your mail server resolves to the .233 IP? Are you running a trace command inside the mail server or just by seeing mail logs?

  • I use the site canyouseeme.org to verify the public IP the server resolves to and to test for the open ports. I checked the firewall rules and all of the individual server rules are above the default rules - however under the Features column none of them show NAT highlighted. Could that be part of the issue? I'm basically trying to set up a one to one NAT between the public IPs and private IPs of the individual servers and then create a rule to allow specific ports through. Thanks again for your help.

  • Please ping 8.8.8.8 on your mail server and run a packet capture. Verify if packets are flowing through the WAN to LAN policy.

    How to run a packet capture.

    https://community.sophos.com/kb/en-us/123189

    We have a hosted mail server behind Sophos XG using the rules below, in the same order as shown:

    Policy 1 - LAN to WAN mail policy with a specific outbound address (.234 in your case)

    Policy 2 - WAN to LAN policy with DNAT to the .234 address, local IP, and routing enabled with MASQ (interface default IP).
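    The two-policy layout above depends on first-match ordering: the LAN to WAN rule that pins the mail server to its own outbound address has to sit above the general LAN to WAN MASQ rule, otherwise the server's outbound traffic is masqueraded to the firewall's primary IP, which is the symptom reported earlier in this thread. The following is an added toy model written for this reply, not code from Sophos or from anyone in the thread; it is a constructed first-match rule evaluator with RFC 5737 documentation addresses standing in for the real .233/.234 block, and the `Rule`/`Packet` classes and `evaluate` function are assumptions of this example, not XG features.

```python
"""Toy first-match firewall model (constructed for illustration; not the
Sophos XG rule engine). It shows why a LAN->WAN MASQ rule makes a DNATed
server's outbound traffic appear from the firewall's primary IP, and why
a LAN->WAN rule with a specific outbound (SNAT) address must sit above it."""
from dataclasses import dataclass, field
from typing import Optional, Set

FIREWALL_PRIMARY_IP = "203.0.113.233"   # constructed stand-in for the .233 address
MAIL_PUBLIC_IP = "203.0.113.234"        # constructed stand-in for the .234 alias
MAIL_LAN_IP = "10.1.1.4"                # from the thread


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_hosts: Set[str] = field(default_factory=set)  # empty = any
    dst_hosts: Set[str] = field(default_factory=set)  # empty = any
    services: Set[int] = field(default_factory=set)   # dst ports; empty = any
    dnat_to: Optional[str] = None   # rewrite destination (inbound, one-to-one)
    snat_to: Optional[str] = None   # specific outbound source address
    masq: bool = False              # masquerade to the interface's primary IP

    def matches(self, p: Packet) -> bool:
        return (p.src_zone == self.src_zone and p.dst_zone == self.dst_zone
                and (not self.src_hosts or p.src_ip in self.src_hosts)
                and (not self.dst_hosts or p.dst_ip in self.dst_hosts)
                and (not self.services or p.dst_port in self.services))


def evaluate(rules, p: Packet):
    """Top-down, first matching rule wins. Returns (rule name, translated
    packet), or (None, None) when no rule matches and the packet is dropped."""
    for r in rules:
        if r.matches(p):
            out = Packet(p.src_zone, p.dst_zone, p.src_ip, p.dst_ip, p.dst_port)
            if r.dnat_to:
                out.dst_ip = r.dnat_to
            if r.snat_to:
                out.src_ip = r.snat_to
            elif r.masq:
                out.src_ip = FIREWALL_PRIMARY_IP
            return r.name, out
    return None, None


# Policy 1 from the reply: LAN->WAN for the mail server with a specific outbound address.
MAIL_OUTBOUND = Rule("mail LAN->WAN", "LAN", "WAN", src_hosts={MAIL_LAN_IP}, snat_to=MAIL_PUBLIC_IP)
# Policy 2: WAN->LAN DNAT of the alias IP to the server, SMTP/HTTP/HTTPS only.
MAIL_DNAT = Rule("mail WAN->LAN", "WAN", "LAN", dst_hosts={MAIL_PUBLIC_IP},
                 services={25, 80, 443}, dnat_to=MAIL_LAN_IP)
# The usual catch-all LAN->WAN rule with MASQ, as described earlier in the thread.
DEFAULT_MASQ = Rule("default LAN->WAN", "LAN", "WAN", masq=True)

BROKEN = [MAIL_DNAT, DEFAULT_MASQ]                  # what the poster had
WRONG_ORDER = [MAIL_DNAT, DEFAULT_MASQ, MAIL_OUTBOUND]  # SNAT rule present but below MASQ
FIXED = [MAIL_OUTBOUND, MAIL_DNAT, DEFAULT_MASQ]    # the reply's order


def outbound_source(rules) -> Optional[str]:
    """Source IP the internet sees for the mail server's outbound traffic."""
    _, out = evaluate(rules, Packet("LAN", "WAN", MAIL_LAN_IP, "8.8.8.8", 443))
    return out.src_ip if out else None


def inbound_target(rules, port: int) -> Optional[str]:
    """Internal host an inbound connection to the alias IP lands on, or None if dropped.
    198.51.100.7 is a constructed external client address."""
    _, out = evaluate(rules, Packet("WAN", "LAN", "198.51.100.7", MAIL_PUBLIC_IP, port))
    return out.dst_ip if out else None


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("wrong order", WRONG_ORDER), ("fixed", FIXED)):
        print(f"{label:12s} outbound seen as {outbound_source(rules)}")
    print("inbound :25   ->", inbound_target(FIXED, 25))
    print("inbound :3389 ->", inbound_target(FIXED, 3389))
```

    Running it shows the broken and wrong-order sets both presenting the server as the primary .233 address, while the fixed order presents it as .234; inbound port 25 is translated to 10.1.1.4 and a port outside the service list is dropped, which is the check canyouseeme.org was being used for.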


  • Can you clarify how you set up the LAN to WAN mail policy?


    I can run a packet trace after hours (can't put the firewall online during business hours).