
Is NAT Broken in XG 18 MR2?

Hi,

I have downloaded Sophos XG for home use.  I am having issues with inbound NAT.  As a home user I only have a single external IP, but I am trying to PAT a service back into the network.

I have tried doing this manually and with the Server Access Assistant.  Neither get the traffic through.

With the entries created by the Server Access Assistant I get no hits on the NAT rule and nothing registered in the FW logs for the access attempt.

If I change the NAT rule from PAT to a specific service to 'Any' then I start to hit the NAT rule, but it won't hit the FW rule.  This is pretty useless anyway, as PAT should allow multiple destinations, and if I set it to Any then the DNAT destination basically becomes a DMZ host.

I am hopeful it is just broken and the magical mystery MR3 will fix it.  Otherwise I'll have to ditch it and try something else, because it's not working like it should.

Examples:

Setup
Port1:DHCP WAN
Port6:LAN (192.168.1.1)

WebServer: 192.168.1.2

NAT Rule

Original Source:  Any
Original Destination: Port1
Original Service: http

Translated source [SNAT]:  Original
Translated destination [DNAT] : WebServer
Translated service [PAT]: Original

Interface matching criteria
Inbound interface: Port1
Outbound interface: Any

FW Rule
Source Zones: WAN
Source Networks and devices: any
Destination zones: LAN
Destination networks: Port1
Services: http

  • Hello Gary,

    Thank you for contacting the Sophos Community!

    Your NAT rule looks correct.

    Can you try, just as a test (you shouldn't need to do this), changing the PAT (Original) to the HTTP port.

    Regards,

  • Hi,

    I have found the issue by setting additional logging.

    My traffic is being blocked by the Appliance Access rule.  Seems like because I only have one WAN address it is applying the Local ACL rules to my inbound traffic on the NAT rule.

    Message ID 02002

    I looked at the admin settings and there is no way to add an ACL for a custom service.  Does this mean the product doesn't work when you only have a single WAN address?
