
XG18 SNAT to WAN Alias

Hello, I am running version SFOS 18.0.1 MR-1-Build396


On the device:

WAN1 (Port2) is X.X.X.197


My client wants traffic from internal server 192.168.1.5 to communicate out to the web via X.X.X.195. 

X.X.X.195 is currently set up as an alias and is Port2:0

I tried to set up SD-WAN routing, but the gateways only give me WAN1, WAN2, or link balanced.

There already is a functioning DNAT rule forwarding traffic from X.X.X.195 to 192.168.1.5

How do I set up an SNAT where traffic from 192.168.1.5 uses X.X.X.195 to route traffic back out to the internet?

Thank you in advance.



  • SD-PBR is for the interface decision (which interface should I use?).

    (S)NAT is for the IP level (which IP should I use?).

    XG Firewall is a stateful firewall. You need to configure it from the perspective of the initial packets. Who is building up the connection? This is the matching criteria for your SD-PBR and NAT Rule. 

  • Ok, so PBR is not the choice to use. All outside connections connect to 192.168.1.5 via X.X.X.195. Where/how do I specify that that's the route for return traffic? Right now they see it exiting X.X.X.197.

  • If a Client connects with .195 to 192.168.1.5, you need a DNAT Rule. This will NAT the traffic to the 1.5 and will route the reply traffic back to .195. 

  • Ok, that makes sense. How about traffic originating from 192.168.1.5 not in response to an external connection. They still want it using X.X.X.195.

  • I tried creating an SNAT rule in the picture below. Problem is, I don't want to use Port2, I want Port2:0, which is the alias X.X.X.195. Will this work the way it is?

  • NAT is applied one time to traffic.

    So if somebody tries to reach your XG, XG will apply NAT to this connection. It's session-based = A talks to B. All packets by A and B will use the same NAT / firewall rule for the entire session.

    If A is a Client in the Internet, he will try to reach .195 in the first place. 

    XG will have a DNAT, to forward Traffic coming to .195 to your internal Server (B). 


    All Packets coming and going by this session will use the same NAT and Firewall rule. So you do not have to apply NAT for this Session.


    If the Server (B) will try to reach A, you need a SNAT Rule, to tell XG, use SNAT (.195) for traffic outbound going to A. 

    About the NAT in your screenshot: this is correct, this SNAT will be used outbound if your server initiates a session. Interface matching criteria are optional and consider the entire interface (PortB in your example).

    This is called Stateful. 

    https://en.wikipedia.org/wiki/Stateful_firewall

  • Thank you, I implemented the SNAT rule I created previously in the screenshot and they are still being seen as X.X.X.197 on the outside when sending mail from 192.168.1.5.

    I moved the rule to the top of the NAT list and they said they now see it as the .195 address. 

    Thanks. 
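The two behaviours discussed in this thread, session-based NAT (a DNAT session's replies leave via .195 without any SNAT rule) and top-down rule matching (the specific SNAT only wins once it sits above a broader rule), as an added toy model written for this page. It is not Sophos code; the "default MASQ" rule, the 203.0.113.x addresses standing in for X.X.X.x, and the client and peer hosts are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_PRIMARY = "203.0.113.197"  # Port2 primary address (X.X.X.197 in the thread)
WAN_ALIAS = "203.0.113.195"    # Port2:0 alias (X.X.X.195)
SERVER = "192.168.1.5"
CLIENT = "198.51.100.7"        # constructed Internet client

@dataclass
class Rule:
    name: str
    src: str = "0.0.0.0/0"        # original source network to match
    dst: str = "0.0.0.0/0"        # original destination network to match
    snat: Optional[str] = None    # rewrite the source to this address
    dnat: Optional[str] = None    # rewrite the destination to this address

    def matches(self, s, d):
        return ip_address(s) in ip_network(self.src) and ip_address(d) in ip_network(self.dst)

@dataclass
class StatefulNAT:
    rules: list
    sessions: dict = field(default_factory=dict)  # (src, dst) -> (new_src, new_dst)

    def translate(self, src, dst):
        """First packet of a session walks the rule list top-down; every later
        packet of that session, in either direction, reuses the stored mapping."""
        if (src, dst) in self.sessions:
            return self.sessions[(src, dst)]
        rule = next((r for r in self.rules if r.matches(src, dst)), None)
        new_src = rule.snat if rule and rule.snat else src
        new_dst = rule.dnat if rule and rule.dnat else dst
        self.sessions[(src, dst)] = (new_src, new_dst)   # forward direction
        self.sessions[(new_dst, new_src)] = (dst, src)   # reply direction
        return new_src, new_dst

def build(specific_snat_on_top):
    """Assumed rule set: the thread's DNAT, a broad MASQ rule, and the specific SNAT."""
    dnat = Rule("DNAT .195 -> server", dst=WAN_ALIAS + "/32", dnat=SERVER)
    default = Rule("default MASQ (assumed)", src="192.168.0.0/16", snat=WAN_PRIMARY)
    specific = Rule("SNAT server -> .195", src=SERVER + "/32", snat=WAN_ALIAS)
    order = [dnat, specific, default] if specific_snat_on_top else [dnat, default, specific]
    return StatefulNAT(order)

def inbound_then_reply(fw):
    """Client reaches .195; the server's reply goes back out as .195 from session state."""
    fw.translate(CLIENT, WAN_ALIAS)       # DNAT applied once, on the first packet
    return fw.translate(SERVER, CLIENT)   # reply hits the session, no SNAT rule needed

def server_initiated(fw, peer="192.0.2.25"):
    """Server opens a new session (e.g. outbound mail); rule order picks the source IP."""
    return fw.translate(SERVER, peer)[0]
```

With the specific SNAT below the broad rule, `server_initiated` returns the .197 address the client saw; moving it to the top of the list returns .195.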
