DNAT

I have some WAN addresses and some servers in the DMZ. How can I DNAT a request FROM a DMZ server to a public IP on the WAN without MASQ?

Example: WAN IP ADDRESS 77.77.77.1 -> DMZ Address 192.168.38.1

A request from 192.168.38.200 to 77.77.77.1: how can I DNAT it to 192.168.38.1?

If I use MASQ, the server 192.168.38.1 logs access from the out interface of the firewall (e.g. 192.168.38.254) instead of the IP address of 192.168.38.200.

thanks



  • 77.77.77.1 is assigned to the WAN interface of the Sophos XG firewall. There is a rule that NATs this address to internal DMZ server 1 with IP 192.168.38.1. When server 2 with IP 192.168.38.2 tries to contact server 2 through the WAN IP 77.77.77.1 assigned to the Sophos, the rule MASQs the packet with the out interface of the firewall. I want server 1 to be able to communicate with server 2 through the WAN IP, without masquerade, with a DNAT rule.

  • Pasquale,

    If you have created a Business Application Rule where you have enabled access from WAN to DMZ, you can access the DMZ server using the public IP if inside the rule you remove "WAN" from the source zone and put Any. At least it works if you access a LAN server using the WAN address from inside.

  • I have already tried this, but from inside the WAN address (assigned to the Sophos) only works (strangely) if I enable MASQ on the rule coming from DMZ or LAN.

    This is an anomaly in how the rule must be created on the XG firewall. I currently use other types of firewall (Fortigate, pfSense, Untangle, etc.) without problems.

  • Pasquale,

    The address needs to be changed (NATted) because you are moving from one IP range to another. This is normal. Other vendors can masquerade the translation transparently.

  • True, but NATted, not masqueraded. With MASQ the request arrives at the server with the "out" interface of the firewall, not with the IP address of the source server or LAN client. This causes trouble in logging and access filtering. Why can't I make a simple DNAT rule?

  • Enabling MASQ, the requests come from Firewall IP and not from original IP.

    You should access resources in the same network using the same subnet. Maybe you are trying to do that to filter traffic connections (RDP, SSH, SSL, etc...).

    Hope they will improve NAT in the next release.