Nat Rule 0

Hi,

the answer is very simple, the ones that don't do not meet any of the firewall rule requirements. I don't understand why you are doing this through NAT rules rather than firewall rules with user selection policies?

Ian

I cannot use user selection policies as two specific departments have to use a different ISP from other departments. so on the initial NAT the source was ALL. On the new NAT rules the source are the respective subnets achieved by using the host feature. The firewall rules remain the same as the only thing that changes is the source parameter and the outbound interface on the NAT rules.

Hi,

well some of your Nat rules are not being met. I suggest you review the sd-wan and see f that might help, also you might try using the user selection process and create seperate rules for each department, further you could also investigate linked rules.

though ultimately you will need to refine your firewall rules for improved management.

ian

Hi this is a screenshot from the log viewer the traffic goes through firewall rule #22 and is allowed but then gets a NAT 0. A different PC same network settings goes through firewall rule #22 but gets the correct NAT rule and gets internet. I really just dont understand this. some PCs work some dont work. When I revert to my old NAT settings traffic goes through firewall rule #22 and all the PCs get internet.

Hi,

please check the ip range of the failing devices.

ian

so the two departments have 2 different subnets both are slash 24s. I have created hosts to cater for these subnets and then have these hosts as the source of the NAT rules. I hope I have responded accurately to your comment.  

Hello David,

Thank you for contacting the Sophos Community.

Adding to what rfcat mentioned, please add a screenshot of your NAT rules, that shows the translation settings and the interface matching criteria.

Regards,

Hi Emmanuel please find the screenshots attached. The first one is my initial NAT. The last 2 are the NATs after splitting the departments to use different ISPs

Hi Emmanuel please find the screenshots attached. The first one is my initial NAT. The last 2 are the NATs after splitting the departments to use different ISPs

Hello there,

Thank you for the screenshots, the configuration seems to be correct.

Please also share the Matching Firewall rule for this traffic, and do you have any Static route configure?

Regards,