DNS NAT

Hi Roman,

let us examine what your are trying to do. NAT all DNS traffic, very good, but your firewall/NAT rule does not allow ping to your test will fail.

If you want to test your DNS rule using ping you will  need to add ping to it.

Ian

Hi Roman,

let us examine what your are trying to do. NAT all DNS traffic, very good, but your firewall/NAT rule does not allow ping to your test will fail.

If you want to test your DNS rule using ping you will  need to add ping to it.

Ian

Sure, Ive been testing it adding ping to NAT policy - no positive result. "Request time out" ;)
So i should get responds while im pinging 8.8.8.8 Am I right ? Cuz with NAT implemented in XG i got a little bit confused ^^

Hi Roman,

you will also need the ping in the firewall rule.

A copy of my NAT rule, there is also a KBA on this subject.

Ian

So you are using this policy to NATing DNS traffic ? As I want ? -> if so its VERY weird from logical perspective as Sophos named it ^^

There is something wrong with my firewall rule. I changed it a week ago and since then it not working.

Now that you raise that question, the logviewer shows the traffic as still going to 8.8.8.8 even after going through the NAT rule.

I need to find the original document that I built the rule using that configuration.

Ian

Ok, well ill also try figure out how to solve it. But look a thos Video.

There is a short time where he shows how to do it.

FROM 5:30

Thank you for finding that video, that was part of what I was referring to and there should be a document showing step by step as shown in the video.

I think I saw it in the EAP which is no  longer accessible. I am seeing the redirects, just not the translation.

Hopefully one of the Sophos support staff will assist.

Ian

Hi Regex 

This will provide you more info - https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18 and let me tag LuCar Toni to share his expertise on this.

What is not working nowadays?

Could we see the current Firewall Rule and the NAT Rule? 

DNAT looks fine. Firewall would be: SRC ANY , Destination GoogleDNS, Service DNS. That allows the traffic to flow. Zone will be your Server Zone, with the Ubuntu. 

What would be nice if the video actually showed the screens that are in production.

Ian

Hi LuCar Toni,

The issue I have is that the logviewer always shows the google dns address, it never shows the redirected address. So I keep thinking there is something wrong with my firewall and inked NAT but no matter what I change the result is always the same.

Ian