DNS NAT

Hi Roman,

let us examine what your are trying to do. NAT all DNS traffic, very good, but your firewall/NAT rule does not allow ping to your test will fail.

If you want to test your DNS rule using ping you will  need to add ping to it.

Ian

Sure, Ive been testing it adding ping to NAT policy - no positive result. "Request time out" ;)
So i should get responds while im pinging 8.8.8.8 Am I right ? Cuz with NAT implemented in XG i got a little bit confused ^^

Hi Roman,

you will also need the ping in the firewall rule.

A copy of my NAT rule, there is also a KBA on this subject.

Ian

So you are using this policy to NATing DNS traffic ? As I want ? -> if so its VERY weird from logical perspective as Sophos named it ^^

There is something wrong with my firewall rule. I changed it a week ago and since then it not working.

Now that you raise that question, the logviewer shows the traffic as still going to 8.8.8.8 even after going through the NAT rule.

I need to find the original document that I built the rule using that configuration.

Ian

Ok, well ill also try figure out how to solve it. But look a thos Video.

There is a short time where he shows how to do it.

FROM 5:30

Thank you for finding that video, that was part of what I was referring to and there should be a document showing step by step as shown in the video.

I think I saw it in the EAP which is no  longer accessible. I am seeing the redirects, just not the translation.

Hopefully one of the Sophos support staff will assist.

Ian

Hi Regex 

This will provide you more info - https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18 and let me tag LuCar Toni to share his expertise on this.

What is not working nowadays?

Could we see the current Firewall Rule and the NAT Rule? 

DNAT looks fine. Firewall would be: SRC ANY , Destination GoogleDNS, Service DNS. That allows the traffic to flow. Zone will be your Server Zone, with the Ubuntu. 

What would be nice if the video actually showed the screens that are in production.

Ian

Hi LuCar Toni,

The issue I have is that the logviewer always shows the google dns address, it never shows the redirected address. So I keep thinking there is something wrong with my firewall and inked NAT but no matter what I change the result is always the same.

Ian

But the redirect works fine, isnt it? 

If you can confirm this, we could actually figure out, what is wrong with this. But i assume, i already know what is going on in this process and think, this will be fixed in the future (Major Release). 

But the redirect works fine, isnt it? 

If you can confirm this, we could actually figure out, what is wrong with this. But i assume, i already know what is going on in this process and think, this will be fixed in the future (Major Release). 

Hi LuCar Toni,

the firewall rule, the NAT rule and the logviewer details.

The above might help to understand my confusion?

Ian

But you are not redirecting the DNS to anything? 

I would have thought the NAT rule was redirecting the traffic to the internal interface/DNS of the XG? Or at least that was my understanding from the webcast.

I can find reference but not details of the KBA.

Ian

These are my settings.

Fo my guess it should working but its not ;)