WAN to LAN Inbound NAT - How To?

I just recently installed the Sophos XG platform, coming from a UTM 9 firewall.  Question is, how do I create an inbound NAT to forward HTTPS (tcp 443) to an internal web server?  I've played around with the policy settings and cannot seem to figure out the proper way to set this up.   Any help?



  • Hi Enigy,

    DNAT/Full-Nat/1-1 NAT rules, along with server load balancing, and Webserver Protection, are now unified in the new Business Application rules in the policy table.

    When you create a new rule, you can choose either

    • HTTP Based - which will create a WAF rule
    • Non-HTTP Based - which will create a NAT rule

    Or you can choose from one of the available named templates, which are primarily WAF based, and help accelerate setup of protection for various web applications. You're not the first to notice that the naming makes it a little hard to find, if you're looking explicitly for something called NAT. We'll make this a little clearer in the next version. 

    To create a simple DNAT rule, just create a new Business rule, selecting the Non-HTTP based template. 

  • Thanks, that's what I was looking for!

  • I'm having trouble with this same thing. I can't seem to figure out what goes where. I had a Full NAT on UTM 9 for my camera. I want to go from the internal LAN --> WAN address, then back to the internal address.
  • Ditto. Need to set up forwarding for my Slingbox on port 5001. Been screwing with this for 3 hours and I can't make it work. I need someone to tell me what info goes where in the setup, and why, or I'll never understand this to do the other things I need to set up (and my wife will kill me).

    IP of the Slingbox is 172.16.1.15, port 5001.
    WAN is DHCP

    Needs to be available from the Internet or it'll never work.
  • I just finished doing something completely counter-intuitive, and it seems to work now. Starting from the top, I created a Business Non-HTTP Rule:

    Rule name: Slingbox
    Source host: the slingbox by IPv4 address, host group Inside Lan (I created that), IPv4, and the slingbox again in that group.
    Hosted Address: Port2 which is my RED WAN Port and IP Address

    Protected Zone: WAN
    Protected App Server: Slingbox again
    Forward All Ports: Off

    Port Forward Protocol: TCP
    External Port Type: Port Range
    External Port Range: 1-65534
    Mapped Port Type: Port
    Mapped Port: 5003 (in my case, may differ for others, usually 5001)

    Routing: Rewrite Source Address: ON
    Use Outbound Address: NAT policy for the Slingbox host (I named it SlingNAT, but whatever)

    Rule Based User Identity thing: Off

    Intrusion Prevention: WAN to LAN
    Traffic Shaping: None (will likely change in the future to handle overuse)

    Log Firewall Traffic: Yes (in an attempt to try and see what is wrong if it doesn't work, which I never can)

    Create Reflexive Rule: Yes (sets up a reverse rule so traffic can get out/back out)

    Heartbeat stuff: Off



    No clue how or why this works. Like I said, it seems entirely counter-intuitive. I've got other NAT type stuff to set up for a couple of other things, and if I end up having any trouble with those, I'm just switching back to the UTM, as I had zero issues with that. AND with UTM I could at least see that protection was running and doing stuff. This XG thing is just a complete pain in the rear to navigate, and I still can't tell if it is actually doing anything more than just giving me a migraine.
  • Here is an example for DNAT TCP 2222 to 22 from specific sources:

    <img src=networkguy.de/.../dnat-xg.png>
  • Seems to have changed again in v16.x.

    It's an Application Template named "DNAT/Full NAT/Load Balancing" now