NAT and XG 86 - Transition from Cisco ASAs to Sophos XG 86.

Hi,

New to the forum, so if I'm asking a dumb question, please bear with me.

We've an HA pair of Sophos UTM 330s and we like them so much that we are looking to retire a few old little Cisco ASAs with XG 86s...

I'm in a bit of a bind. I need to quickly configure an XG 86 just to do a simple job, which is to NAT a single LAN address to a single Internet address (Inside to Outside and Outside to Inside), with firewall rules that limit who (in the outside world) can connect to the LAN server (on 25, 80 & 443) and where the LAN server can connect to (in the outside world).

Within the Ciscos this would be a static 1-to-1 NAT rule, applied to the inside and outside interfaces.

As this is kinda quick and dirty, I was thinking of giving the XG 86 WAN port the IP address that I want to NAT (so that masquerading would cover outgoing traffic) and then using a business rule to handle the WAN to LAN NAT. But I'm getting nothing through (though the logs say everything is fine). I have created a test environment, but still nothing.

It looks like there's been some work done on NAT between v17 and v18, so I'm going to see if I can upgrade the box. Is there an idiot's guide for NAT on the XGs?

Many thanks,

Steve

  • Hello Steve,

    Thank you for contacting the Sophos Community.

    For v17, please follow this link:

    https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/concepts/policy.html

    For v18 we have this KB that points to our YouTube video with examples of DNAT.

    For v17 you can follow this example; it would only allow access to the server with IP 192.168.15.10 from the public IPs 189.186.41.242, 189.186.30.20 and 189.186.29.234.

    If you want the server to use the same firewall rule to go outside, you could select Create a reflexive rule. As you might notice, I select Rewrite source address (masquerading); this is because my server has the local firewall enabled and won't respond to addresses outside its own subnet, so by selecting this option the server sees the private IP of the XG as the one making the request and thus replies to the packets.

    However, I would recommend that you create a separate firewall rule like the following for this server.

    Regards,
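
For readers who want to see the whole policy Emmanuel describes in one place (DNAT of the public address to the server on 25/80/443 restricted to three source IPs, SNAT of the server's outbound traffic, and the "rewrite source address" option for a server whose host firewall only answers its own subnet), here is an added example written as a Linux nftables ruleset. It is not Sophos XG configuration and not code from the thread; it is the equivalent policy on a plain Linux router. The interface names, the public IP 203.0.113.10, the firewall LAN IP 192.168.15.1 and the outbound destinations in `allowed_dst` are assumptions (RFC 5737 documentation addresses); the server IP, the three allowed source IPs and the published ports are taken from the post above.

```nft
#!/usr/sbin/nft -f
# Added example: a Linux nftables equivalent of the 1:1 NAT described in the thread.
# NOT Sophos XG configuration. Assumptions (not from the thread): WAN is eth0 and
# holds the public IP 203.0.113.10 (RFC 5737 placeholder), LAN is eth1 with the
# firewall at 192.168.15.1, and the server's permitted outbound destinations and
# ports are placeholders to be replaced with the real ones.

define wan_if       = "eth0"
define lan_if       = "eth1"
define public_ip    = 203.0.113.10
define server       = 192.168.15.10
define fw_lan_ip    = 192.168.15.1
define lan_net      = 192.168.15.0/24
define allowed_src  = { 189.186.41.242, 189.186.30.20, 189.186.29.234 }
define server_ports = { 25, 80, 443 }
define allowed_dst  = { 198.51.100.25, 198.51.100.80 }   # placeholder outbound destinations

flush ruleset

table ip one_to_one {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Outside -> Inside: the DNAT half of the 1:1 mapping, published ports only
        iifname $wan_if ip daddr $public_ip tcp dport $server_ports dnat to $server
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Inside -> Outside: the reflexive (SNAT) half; the server leaves as the public IP.
        # Since the WAN port owns $public_ip this behaves the same as "masquerade".
        oifname $wan_if ip saddr $server snat to $public_ip

        # "Rewrite source address (masquerading)" on the inbound rule: traffic delivered
        # to the server from outside its subnet is rewritten to the firewall's LAN IP,
        # so a host firewall that only answers its own subnet still replies.
        oifname $lan_if ip daddr $server ip saddr != $lan_net snat to $fw_lan_ip
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Who on the outside may reach the server, and on which ports. The filter runs
        # after DNAT, so it matches the server's private address, not the public one.
        iifname $wan_if oifname $lan_if ip saddr $allowed_src ip daddr $server tcp dport $server_ports ct state new accept

        # Where the server may go on the outside (placeholder destinations and ports)
        iifname $lan_if oifname $wan_if ip saddr $server ip daddr $allowed_dst tcp dport { 25, 443 } ct state new accept
        iifname $lan_if oifname $wan_if ip saddr $server udp dport 53 accept
    }
}
```

Check the syntax without applying it with `nft -c -f one_to_one.nft`, then load it with `nft -f one_to_one.nft`. One caveat that applies to the XG option as well: rewriting the source address means the server's own logs show the firewall's LAN IP for every inbound connection, so the firewall's log is the only place the real client IP is recorded; prefer fixing the server's host firewall to accept the public sources over hiding them.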

  • Hi Emmanuel,

    I spoke with Sophos chat and they pointed me to the v18 firmware. I have installed v18 and read the NAT change notes.

    The changes in v18 for NAT make a lot of sense, and the v18 NAT video is worth its weight in gold!

    Thanks for your advice, I'm off to play with the XG before I put it into production.

    Kind Regards,

    Steve
