
Source NAT with Persistent IP Address

Hello,


I'm migrating from Juniper SRX to Sophos XG firewalls.

We have a specific NAT requirement that took some time to resolve on the Junipers, that is keeping the IP address persistent from the source to the destination.


Current setup:

Internal LAN   >   WAN              >   Datacentre LAN
10.10.1.0/24   >   192.168.1.0/24   >   10.60.10.0/24


The Sophos end for the WAN link is 192.168.1.254

The Datacentre end for the WAN link is 192.168.1.1

Route: 10.61.10.0/24 Next Hop 192.168.1.1

We also can't use the full /24 for the NAT; we have to create a NAT pool of 192.168.1.122 - 199 (78 hosts).


I currently have a User/Network rule set up and this is working for the NAT pool; the IPs are being changed to IPs between .122 and .199.

Source: 10.10.1.0/24

Destination: 10.60.10.0/24

Application: ANY

I have set up a Masquerade IP Range for the NAT pool (192.168.1.122 - 199).

How can I make the IPs persistent for the same host?

I found an article https://community.sophos.com/kb/en-us/132277 that offers "sticky IP", but that is only for load balancing. Can this be done some other way?


Thank You



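The behaviour the question is asking for can be pictured without any vendor configuration: a NAT pool allocator that hands out the next free pool address per connection versus one that derives the pool address deterministically from the source host, so the same host always leaves with the same translated address. The model below is an added illustration written for this thread, not Sophos or Juniper code; the pool range and the sample LAN host addresses are taken from the question, the class and function names are constructed, and the hash-based allocator is one common way of implementing persistence (Linux netfilter's SNAT `--persistent` flag works on the same idea), not a description of how Sophos XG does it.

```python
import hashlib
import ipaddress

# NAT pool from the question: 192.168.1.122 - 192.168.1.199 (78 addresses)
POOL_START = ipaddress.IPv4Address("192.168.1.122")
POOL_END = ipaddress.IPv4Address("192.168.1.199")
POOL = [ipaddress.IPv4Address(i) for i in range(int(POOL_START), int(POOL_END) + 1)]


class RoundRobinSnat:
    """Per-connection allocation: every new connection takes the next pool address.

    This is the behaviour that breaks the Java/iframe login described in the
    thread: the second request leaves with a different source address than the
    one that was authenticated.
    """

    def __init__(self):
        self.next_index = 0

    def translate(self, src_ip: str) -> str:
        addr = POOL[self.next_index]
        self.next_index = (self.next_index + 1) % len(POOL)
        return str(addr)


def persistent_snat(src_ip: str) -> str:
    """Per-host allocation: the pool address is a deterministic function of the
    source host, so repeated connections from one host always map to the same
    translated address. Several hosts may share one pool address (the pool has
    78 entries, the LAN is a /24); the translator disambiguates them by port,
    exactly as a single masquerade address would.
    """
    digest = hashlib.sha256(src_ip.encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(POOL)
    return str(POOL[index])


def login_survives(translate, src_ip: str) -> bool:
    """Model the datacentre's check: the follow-up request (the iframe load)
    must arrive from the same address as the request that logged in."""
    authenticated_ip = translate(src_ip)   # first request: login
    follow_up_ip = translate(src_ip)       # second request: iframe content
    return authenticated_ip == follow_up_ip


def in_pool(addr: str) -> bool:
    """True if a translated address falls inside the allowed pool range."""
    return POOL_START <= ipaddress.IPv4Address(addr) <= POOL_END


if __name__ == "__main__":
    host = "10.10.1.25"   # constructed example host on the internal LAN
    print("round-robin pool keeps login:", login_survives(RoundRobinSnat().translate, host))
    print("persistent pool keeps login:  ", login_survives(persistent_snat, host))
    print(host, "always appears as", persistent_snat(host))
```

Running it shows the round-robin model failing the second request while the persistent model passes, which is the difference between "the IPs are changing between .122 and .199" and the per-host stickiness the question needs. It also makes the sizing point explicit: persistence does not require one pool address per LAN host, only a stable host-to-address mapping, so a 78-address pool can still front a whole /24.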
This thread was automatically locked due to age.
  • Hi,

    I am having trouble understanding what you are trying to achieve.

    All devices are in private networks so you don't need NAT.

    Are you using a business rule network rule to set this up? The destination device can either have a FQDN or a defined IP address in the destination.

    Ian

  • Hello Ian,

    I'm trying to connect to a datacentre. This datacentre will only allow the IPs 192.168.1.227 to .199 into their LAN. They don't care how many subnets we are coming from, e.g. office LAN, VPN LAN etc.

    So I need to NAT from our source LAN to the 192.168.1.0 subnet with a specific IP range. I also need to make sure that the IP address the client is assigned remains persistent when it's NAT'd. We have a web-based Java program that would log in on one IP, but because it uses iframes it then sends another request and another IP address gets NAT'd to the datacentre. The second IP is rejected because it wasn't the original IP that was authenticated.


    This was an issue with the Juniper SRX firewalls. We were able to stop this happening by making the NAT'd IP persistent. This doesn't seem to be an option on the Sophos.

    In my initial testing, even with a NAT'd IP range it looks like the IP address is remaining persistent, but testing is different from the real-world implementation and I'm about to go live with the new Sophos hardware.