
One to one NAT - multiple servers

Very basic setup questions - but I'm new to the XG series after years with the Cisco ASA. Have a block of 5 public IPs (248 subnet) assigned to the WAN interface on port 2. First IP is the firewall (.233) with all the LAN systems NATed behind it, I need to send the remaining 4 to 4 different internal (LAN) servers with specific ports on each. Example is 2nd public IP (.234) goes to the mail server at 10.1.1.4 with only SMTP, HTTP and HTTPS traffic allowed. On the ASA I would set up a static route (one to one NAT) between .234 and 10.1.1.4, set a rule allowing SMTP, HTTP and HTTPS and so on, but I'm not even sure where to begin on the XG 125 interface and the documentation is all over the board. Any help is greatly appreciated!

  • Can you clarify how you set up the LAN to WAN mail policy?

    I can run a packet trace after hours (can't put the firewall online during business hours).

  • Hey,

    If you want to use the same IP for outgoing traffic, tick the Create Reflexive Rule on your DNAT. This should be located bottom right under Routing section.

  • This is exactly what we needed, Javin!

    Helped and will help a lot.

  • Hi Jevin,

    I tried the reflexive rule but still had the same issue. I ended up creating an SNAT rule for each of the servers (per https://community.sophos.com/kb/en-us/123294) giving me the DNAT rule for the inbound and the SNAT rule for the outbound. If I move all of those to the top of the Firewall Rule list all of the servers show correctly (right public IP address and correct ports open) but then all of the other systems have no internet access. I have an internet access rule for everyone else:

    Source Zone: LAN 

    Source Network and devices: Any

    Destination: WAN

    Destination Network: Any

    Rewrite Source Address (MASQ) is checked

    Match Known Users is not checked

    If I move this rule to the top everyone has internet access but the servers return to showing the same public IP (.233) - not the .234, .235, .236 they are NATed to. If I move the rule to the bottom the server NAT works correctly but all other systems have no internet access. I think I'm missing something in the rule or the order?

  • You need to have a separate SNAT rule for the mail server and keep it at the top. Default internet access should always be at the bottom. Keep it in the following order:

    1. SNAT policy for the mail server: source network should be the local server IP, outbound IP should be the public IP of the mail server

    2. WAN to LAN policies

    3. Default LAN to WAN policy for internet access

    Enable Rewrite source address and select MASQ.

  • Thanks - all of my SNAT / DNAT rules are at the top and work correctly. So for all other systems (those without DNAT / SNAT) to have internet access, do I need 2 rules? I have the LAN any host / service to WAN any host / service, so do I need a separate WAN any host / http - https - dns to LAN any host rule as well?

  • Please remove the WAN to any host rule. It is not needed, just as on other firewalls. Make sure to enable MASQ.

  • Sorry if I'm being confusing. I don't currently have a WAN to any host rule - I was asking if I need the WAN to LAN policy and, if so, what needs to be in that policy? Thanks.

  • No need for any separate WAN to LAN rules. Rules should be in the following order:

    1) LAN to WAN policy with Source IP being your server IP, Destination will be Any. Enable the Rewrite source address option and select the outbound IP as your mail server's public IP.

    2) DNAT policy for each server.

    3) Default LAN to WAN policy for internet access.
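The ordering advice in the two replies above comes down to first-match evaluation: a catch-all LAN to WAN MASQ rule placed above the per-server SNAT rules covers the servers' addresses first, so they leave with .233. The following is an added illustration, not Sophos code or anything posted in this thread; it models that first-match behaviour and flags rules that an earlier rule shadows. 10.1.1.4 and the .233/.234 last octets come from the thread, while the 203.0.113.0/24 public prefix and the 10.1.1.0/24 LAN are placeholder assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of first-match rule evaluation; it is not Sophos code and
# only illustrates why the per-server SNAT rules must precede the catch-all.
@dataclass(frozen=True)
class SnatRule:
    name: str
    source: str       # source network (CIDR) the rule matches
    outbound_ip: str  # public address the source is rewritten to

def first_match(rules: list[SnatRule], src_ip: str) -> Optional[SnatRule]:
    """Walk the list top-down; the first rule whose source covers src_ip wins."""
    ip = ip_address(src_ip)
    for rule in rules:
        if ip in ip_network(rule.source):
            return rule
    return None

def outbound_ip(rules: list[SnatRule], src_ip: str) -> Optional[str]:
    """Public address a packet from src_ip leaves with, or None if nothing matches."""
    rule = first_match(rules, src_ip)
    return rule.outbound_ip if rule else None

def shadowed_rules(rules: list[SnatRule]) -> list[str]:
    """Names of rules that can never match because an earlier rule covers their source."""
    shadowed = []
    for i, rule in enumerate(rules):
        net = ip_network(rule.source)
        if any(net.subnet_of(ip_network(earlier.source)) for earlier in rules[:i]):
            shadowed.append(rule.name)
    return shadowed

# Constructed sample: 10.1.1.4 and the .233/.234 octets come from the thread;
# the 203.0.113.0/24 prefix and the 10.1.1.0/24 LAN are placeholder assumptions.
MAIL_SNAT = SnatRule("Server1 NAT (mail)", "10.1.1.4/32", "203.0.113.234")
DEFAULT_MASQ = SnatRule("Internet Access (MASQ)", "10.1.1.0/24", "203.0.113.233")

CATCH_ALL_FIRST = [DEFAULT_MASQ, MAIL_SNAT]  # order that breaks the server NAT
SERVER_FIRST = [MAIL_SNAT, DEFAULT_MASQ]     # order recommended in the thread

if __name__ == "__main__":
    for label, rules in (("catch-all first", CATCH_ALL_FIRST), ("server first", SERVER_FIRST)):
        print(label, "| mail ->", outbound_ip(rules, "10.1.1.4"),
              "| workstation ->", outbound_ip(rules, "10.1.1.50"),
              "| shadowed:", shadowed_rules(rules))
```

With the catch-all first, the mail server's SNAT rule is reported as shadowed and the server leaves with .233, which is the symptom described in the thread; with the server rule first, the server gets .234 and the workstation still falls through to the MASQ rule.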

  • This is how I have the rules set:

    Server1  NAT

    Server1 DNAT

    Server2  NAT

    Server2 DNAT

    Server3  NAT

    Server3 DNAT

    Server4  NAT

    Server4 DNAT

    Internet Access (LAN, Any Host - WAN, Any Host - Any service)

    Auto Added Firewall Rule (LAN, Any Host - WAN, Any Host - SMTP, SMTPS)

    #Default Network Policy (LAN, Any Host - WAN, Any Host - Any Service)

    In this configuration the Server NAT all works fine but no other systems have internet access. If I move the Internet Access Rule to the top all systems have internet access but the server NAT is broken (they no longer use their NATed IP).