
One to one NAT - multiple servers

Very basic setup questions - but I'm new to the XG series after years with the Cisco ASA. Have a block of 5 public IP's (248 subnet) assigned to the WAN interface on port 2. First IP is the firewall (.233) with all the LAN systems NATed behind it, I need to send the remaining 4 to 4 different internal (LAN) servers with specific ports on each. Example is 2nd public IP (.234) goes to the mail server at 10.1.1.4 with only SMTP, HTTP and HTTPS traffic allowed. On the ASA I would set up a static route (one to one NAT) between .234 and 10.1.1.4, set a rule allowing SMTP, HTTP and HTTPS and so on, but I'm not even sure where to begin on the XG 125 interface and the documentation is all over the board. Any help is greatly appreciated!



  • DNAT is what you want!

    First off, you need to create an ALIAS on your WAN interface for each of the public IPs assigned to you so that you can use them in your firewall rules.

    Follow this KB article here on how to set ALIAS up: https://community.sophos.com/kb/en-us/126541

    Once that is done, you can then proceed to create a DNAT rule for each of your internal servers that you want to be reachable from the internet.

    Follow this KB article here on how to set DNAT up: community.sophos.com/.../122976

  • Thanks Jevin - that looks like what I need. I'll set it up and let you know how it works.


    Jack

  • Yes - we have 4 servers all DNATed to their own public IP (.234, .235, .236, .237) but all of them show the primary firewall IP address (.233). The mail server is supposed to be at .234 but it resolves to .233 like the others.

  • Make sure WAN to LAN policies are above LAN to WAN policies. Mail server local IP may be using the normal LAN to WAN policy to communicate which usually has MASQ enabled.


  • Thanks - are you referring to the firewall rules? If so how (or where) do I change the order?

  • You should be able to just drag the WAN-LAN policy to the top or you can recreate WAN to LAN policy and select RULE POSITION as top inside the policy.

    How do you confirm that your mail server resolves to the .233 IP? Are you running a trace command inside the mail server or just looking at the mail logs?

  • I use the site canyouseeme.org to verify the public IP the server resolves to and to test for the open ports. I checked the firewall rules and all of the individual server rules are above the default rules - however under the Features column none of them show NAT highlighted. Could that be part of the issue? I'm basically trying to set up a one to one NAT between the public IP's and private IP's of the individual servers and then create a rule to allow specific ports through. Thanks again for your help.

    Please ping 8.8.8.8 from your mail server and run a packet capture. Verify whether the packets are flowing through the WAN to LAN policy.

    How to run a packet capture.

    https://community.sophos.com/kb/en-us/123189

    We have a mail server hosted behind Sophos XG using the rules below, in the same order as shown:

    Policy 1 - LAN to WAN mail policy with a specific outbound address (.234 in your case)

    Policy 2 - WAN to LAN policy with DNAT to the .234 address and local IP, with routing enabled and MASQ set to the interface default IP.


  • Can you clarify how you set up the LAN to WAN mail policy?


    I can run a packet trace after hours (can't put the firewall online during business hours).

  • Hey,

    If you want to use the same IP for outgoing traffic, tick "Create Reflexive Rule" on your DNAT. This should be located at the bottom right, under the Routing section.

  • Hi Jevin,


    I tried the reflexive rule but still had the same issue. I ended up creating an SNAT rule for each of the servers (per https://community.sophos.com/kb/en-us/123294) giving me the DNAT rule for the inbound and the SNAT rule for the outbound. If I move all of those to the top of the Firewall Rule list all of the servers show correctly (right public IP address and correct ports open) but then all of the other systems have no internet access. I have an internet access rule for everyone else:

    Source Zone: LAN 

    Source Network and devices: Any

    Destination: WAN

    Destination Network: Any

    Rewrite Source Address (MASQ) is checked

    Match Known Users is not checked


    If I move this rule to the top everyone has internet access but the servers return to showing the same public IP (.233) - not the .234, .235, .236 they are NATed to. If I move the rule to the bottom the server NAT works correctly but all other systems have no internet access. I think I'm missing something in the rule or the order?

  • You need to have a separate SNAT rule for the mail server and keep it at the top. Default internet access should always be at the bottom. Keep them in the following order:

    1. SNAT policy for the mail server - source network should be the local server IP, outbound IP should be the public IP of the mail server

    2. WAN to LAN policies

    3. Default LAN to WAN policy for internet access

    Enable "Rewrite source address" and select MASQ.
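    To show why the order matters, here is a small first-match rule evaluator, added as an illustration and not part of the thread or of Sophos XG: it models only the outbound (LAN to WAN) path and assumes a placeholder public prefix 203.0.113.x (the thread gives only the last octets) and a LAN of 10.1.1.0/24.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder prefix (TEST-NET-3); the thread only gives last octets.
FW_IP = "203.0.113.233"        # firewall's own WAN address (used by MASQ)
MAIL_PUBLIC = "203.0.113.234"  # public address that should front the mail server
MAIL_LAN = "10.1.1.4"
LAN_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed internal range
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: ipaddress.IPv4Network   # ANY models "Source Network: Any"
    snat: str                        # "MASQ" (interface IP) or an explicit outbound IP


def zone_of(ip: str) -> str:
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "WAN"


def first_match(rules, src_ip: str, dst_ip: str):
    """Rules are evaluated top-down; the first rule that matches wins."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.src_zone == zone_of(src_ip) and r.dst_zone == zone_of(dst_ip)
                and src in r.src_net):
            return r
    return None  # no matching rule: traffic is dropped


def outbound_source(rules, src_ip: str, dst_ip: str = "8.8.8.8"):
    """Public address the internet sees for src_ip under this rule order."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None:
        return None
    return FW_IP if r.snat == "MASQ" else r.snat


MAIL_SNAT = Rule("SNAT mail server", "LAN", "WAN",
                 ipaddress.ip_network(MAIL_LAN + "/32"), MAIL_PUBLIC)
DEFAULT_OUT = Rule("default LAN to WAN", "LAN", "WAN", ANY, "MASQ")

RECOMMENDED = [MAIL_SNAT, DEFAULT_OUT]   # specific rule above the catch-all
WRONG = [DEFAULT_OUT, MAIL_SNAT]         # catch-all on top shadows the SNAT
```

    With RECOMMENDED the mail server leaves as .234 and other hosts as .233; with WRONG the catch-all MASQ rule matches first and every host, the mail server included, appears as .233.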

