
Replace ASA with XG Twice NAT

Hello

I'm new to Sophos XG Firewall. We have purchased an XG210 to replace our ASA firewall.

Most of the NAT rules on the ASA are Twice NAT, like this:

nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.60 OBJ-172.16.10.160

nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.66 OBJ-172.16.10.166

nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.61 OBJ-172.16.10.161

As you can see, the first part (source static OBJ-10.10.10.11 OBJ-172.21.1.20) is the same for all rules, but the second part is different.

How can I apply this on XG?

And another question: if I have a static 1-to-1 NAT rule like this:

nat (inside,DMZ) source static OBJ-10.10.10.27 OBJ-172.21.1.33

On the ASA, this rule (static NAT) allows bidirectional connection initiation, both to and from the host.

I've defined a NAT rule in Sophos and specified the original IP, the translated IP, the inbound interface (LAN) and the outbound interface (DMZ).

So my question is: does this rule on Sophos allow bidirectional connection initiation, the same as on the ASA?


Thank you very much in advance

Rana



  • Hello Rana Akel,

    If your Sophos XG 210 is running version 18, then:

    1. You can achieve the required configuration by creating 1 SNAT rule (source static OBJ-10.10.10.11 OBJ-172.21.1.20) and 3 DNAT rules for the second part.

    2. For static NAT (1:1) bidirectional connection initiation, both to and from the host, tick the option "create reflexive rule" while creating the DNAT rule.

    Please refer to the guide below for more details regarding inbound and outbound interfaces:

    Inbound interface:

    Select the interfaces through which traffic specified in this rule enters XG Firewall.

    For destination NAT, you can specify Any.

    For VPNs, set this interface to Any, since VPNs are not interfaces.

    Outbound interface:

    Select the interfaces from which traffic specified in this rule exits XG Firewall.

    For VPNs and for destination NAT rules that translate public IP addresses to private IP addresses, set this interface to Any.

    For more details:

  • Hi

    I am running version 18.

    And thank you so much for your answer,

    but just to be sure... this rule:

    nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.60 OBJ-172.16.10.160

    translates both the source and the destination of the same packet heading from the LAN network (10.10.10.0) to the DMZ network (10.2.2.0),

    and it is also bidirectional.

    If I use 1 SNAT rule and 3 DNAT rules, is this gonna do the same?

    Or should I use all 4 fields (original source, translated source, original destination, translated destination) in one rule (Full NAT), and a second Full NAT rule because the ASA rule was bidirectional?

  • For nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.60 OBJ-172.16.10.160

    As far as I understood the above statement, it is for traffic going from 10.10.10.11 (original source) to 10.2.2.60 (actual destination), and in between the traffic will be NATed (SNAT and DNAT).

    So initially the packet will have source 10.10.10.11 and destination 172.16.10.160; SNAT will change the source from 10.10.10.11 to 172.21.1.20, and DNAT will change the destination from 172.16.10.160 to 10.2.2.60.

    If this is the case then you can also try NAT rule as below:

     

    As I said previously, for the bidirectional rule to work, simply tick "create reflexive rule".
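An added illustration, not code from this thread, Sophos or Cisco: a small Python script that parses the ASA lines quoted above and groups them into the layout the replies describe, one SNAT rule shared by the three twice-NAT lines, one DNAT rule per distinct destination translation, and a 1:1 rule flagged for the reflexive option where a line has no destination clause. It assumes Cisco's documented twice-NAT ordering for the destination clause (mapped object first, real object second) and carries the OBJ-… names through unchanged; check that ordering against your own running config before relying on the output.

```python
import re

# Constructed input: the twice-NAT lines and the 1:1 static line quoted in the question.
ASA_NAT_CONFIG = """
nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.60 OBJ-172.16.10.160
nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.66 OBJ-172.16.10.166
nat (inside,DMZ) source static OBJ-10.10.10.11 OBJ-172.21.1.20 destination static OBJ-10.2.2.61 OBJ-172.16.10.161
nat (inside,DMZ) source static OBJ-10.10.10.27 OBJ-172.21.1.33
"""

# Assumed field order (Cisco's documented twice-NAT syntax, verify against your config):
#   source static <real> <mapped>   destination static <mapped> <real>
NAT_RE = re.compile(
    r"^nat\s*\((?P<in_if>[^,]+),(?P<out_if>[^)]+)\)\s+"
    r"source\s+static\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_mapped>\S+)\s+(?P<dst_real>\S+))?\s*$"
)


def parse_asa_nat(text):
    """Return one dict per ASA static NAT line; lines that do not match are ignored."""
    matches = (NAT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def plan_xg_rules(rules):
    """Group parsed ASA rules into the XG layout from the replies: one SNAT per
    distinct (interfaces, source translation), one DNAT per distinct destination
    translation, and a 1:1 rule with the reflexive option when no destination clause."""
    snat, dnat, one_to_one = {}, {}, []
    for r in rules:
        ifaces = {"inbound": r["in_if"], "outbound": r["out_if"]}
        if r["dst_real"] is None:  # plain static NAT: one rule, bidirectional via reflexive
            one_to_one.append({**ifaces, "original_source": r["src_real"],
                               "translated_source": r["src_mapped"],
                               "create_reflexive_rule": True})
            continue
        skey = (r["in_if"], r["out_if"], r["src_real"], r["src_mapped"])
        snat.setdefault(skey, {**ifaces, "original_source": r["src_real"],
                               "translated_source": r["src_mapped"]})
        # An inside host sends to the mapped destination; DNAT rewrites it to the real one.
        dkey = (r["in_if"], r["out_if"], r["dst_mapped"], r["dst_real"])
        dnat.setdefault(dkey, {**ifaces, "original_destination": r["dst_mapped"],
                               "translated_destination": r["dst_real"]})
    return {"snat": list(snat.values()), "dnat": list(dnat.values()), "one_to_one": one_to_one}


if __name__ == "__main__":
    for kind, entries in plan_xg_rules(parse_asa_nat(ASA_NAT_CONFIG)).items():
        print(f"{kind}: {len(entries)} rule(s)")
        for entry in entries:
            print("   ", entry)
```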

  • Thank you Hardik_R

    You have been a great help!