Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 2538 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NAT - IP Range doesn't work.

Drobo

Hello,

 

I'm migrating from Juniper that has a NAT Pool set-up and I'm trying to create the same solution on the Sophos. I have raised a support ticket with Sophos, the response from support doesn't resolve the issue. They did a remote session and started to blame the switch that is in the middle of the two endpoints.

 

Issue:

I need to go from LAN zone to Datacentre zone and pool a range of IP's used in the NAT. I can't do a Source NAT (many to one) as the applications don't like this method.

Zone LAN: 10.10.0.0/24 | GW 10.10.10.254 VLAN Interface IP

Zone DataCentre: 192.168.10.0/24 | GW 192.168.10.254 VLAN Interface IP

NAT IP Range: 192.168.10.121 - 199  = 78 IP's

 

Sophos XG        ->  WAN LINK   ->    Datacentre Router

192.168.10.254                                 192.168.10.1

 

Support Response:

Support explained how to create a pool of IP address's for the firewall rule.

1. Go to firewall rule
2. Advanced> NAT & routing> enable Rewrite source address (masquerading)> Use outbound address> Create new
3. Enter name for Add NAT policy> IP address> Create New> IP range>  Save

When I put this IP Range in place, the IP's are changing to the NAT Range. Wireshark shows that no traffic flows.

No.     Time           Source                Destination           Protocol Length Info
 27   23.811303      192.168.10.121        192.168.10.1          ICMP     74     Echo (ping) request  id=0x0001, seq=6692/9242, ttl=127 (no response found!)
 28   23.811461      HonHaiPr_a2:93:57     Broadcast             ARP      42     Who has 192.168.10.121? Tell 192.168.10.1
 29   24.572072      HonHaiPr_a2:93:57     Broadcast             ARP      42     Who has 192.168.10.121? Tell 192.168.10.1

 

If I assign the IP address to the VLAN interface on the XG (the same as you do when creating a SNAT), Wireshark shows the return traffic and the Host can ping even though the NAT IP Range is still in place.

No.     Time           Source                  Destination                       Protocol Length Info

11   17.138975      192.168.10.121        192.168.10.1                   ICMP     74     Echo (ping) request  id=0x0001, seq=6664/2074, ttl=127 (reply in 14)
12   17.139153      HonHaiPr_a2:93:57     Broadcast                     ARP      42     Who has 192.168.10.121? Tell 192.168.10.1
13   17.139237      Tecnomen_65:b7:9e     HonHaiPr_a2:93:57    ARP      60     192.168.10.121 is at 00:e0:20:65:b7:9e
14   17.139249      192.168.10.1          192.168.10.121                ICMP     74     Echo (ping) reply    id=0x0001, seq=6664/2074, ttl=128 (request in 11)
15   18.139835      192.168.10.121        192.168.10.1                  ICMP     74     Echo (ping) request  id=0x0001, seq=6665/2330, ttl=127 (reply in 16)
16   18.139979      192.168.10.1          192.168.10.121                ICMP     74     Echo (ping) reply    id=0x0001, seq=6665/2330, ttl=128 (request in 15)

Do I need to add 78 IP alias's to my interface to make this work, How many alias's can the interface take?



This thread was automatically locked due to age.
Parents
  • 0

    Why do you think you need a NAT between two internal address spaces?

    Is your WAN link a private network?

    Ian

  • 0 in reply to rfcat_vk

    Hello Ian,

    Thank you for replying.

     

    Yes this is a private WAN Link to the DataCentre for our customer. I believe they will only allow the IP range 192.168.10.121 - 199 through their router [192.168.10.1].

    On the other side of their router they have 15+ different subnets, so I have static routes on the XG:

    10.60.50.0 / 255.255.255.0     192.168.10.1        LAG_0.50

    10.60.73.0 / 255.255.255.0     192.168.10.1        LAG_0.50

    10.60.77.0 / 255.255.255.0     192.168.10.1        LAG_0.50

     

    It has been this way for 15 years, I don't know why they won't allow the full /24.

  • 0 in reply to Drobo

    Update:

    I spoke with my Juniper Engineer for the old Firewalls and he said "proxy-arp".

    As soon as I googles Sophos XG proxy-arp the following KB came up:

    https://community.sophos.com/kb/en-us/123525

     

     

    The interfaces must now be configured to accept and respond to Proxy ARP.

     

    1) Log in to the CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.

    2)Select option 4. Device Console.Execute the following commands:

    3)set proxy-arp add interface LAG0_0.30 dst_ip 192.168.10.121

    I just tested this and it worked.

Reply
  • 0 in reply to Drobo

    Update:

    I spoke with my Juniper Engineer for the old Firewalls and he said "proxy-arp".

    As soon as I googles Sophos XG proxy-arp the following KB came up:

    https://community.sophos.com/kb/en-us/123525

     

     

    The interfaces must now be configured to accept and respond to Proxy ARP.

     

    1) Log in to the CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.

    2)Select option 4. Device Console.Execute the following commands:

    3)set proxy-arp add interface LAG0_0.30 dst_ip 192.168.10.121

    I just tested this and it worked.

Children
No Data