DNAT

Hi,

Please the link to configure DNAT i.e., Business Application rule in Sophos XG.

https://www.sophos.com/en-us/support/knowledgebase/122976.aspx

Thanks

This work from outside to internal DMZ, I want DNAT from DMZ to DMZ through WAN IP for example :

server1: 192.168.38.1 public ip 77.77.77.1

server2: 192.168.38.2

from server2 I want comunicate with server1 through public ip 77.77.77.1

Hi,

I am not sure but are you trying to access Server 1 hosted on IP Address 77.77.77.1 on Server 2 ? Correct me if I misunderstood. 

Thanks

77.77.77.1 is assigned to WAN interface of sophos xg firewall, there's a rule that NAT this address to internal DMZ server 1 with ip 192.168.38.1, when server 2with ip 192.168.38.2 try to contact server 2 through WAN ip 77.77.77.1 assigned to sophos, the rule MASQ the packet with out interface of firewall, I want that server 1 can comunicate with server 2 through wan ip without masquerade with a DNAT rule.

77.77.77.1 is assigned to WAN interface of sophos xg firewall, there's a rule that NAT this address to internal DMZ server 1 with ip 192.168.38.1, when server 2with ip 192.168.38.2 try to contact server 2 through WAN ip 77.77.77.1 assigned to sophos, the rule MASQ the packet with out interface of firewall, I want that server 1 can comunicate with server 2 through wan ip without masquerade with a DNAT rule.

Pasquale,

If you have create a Business Application Rule where you have enabled access from WAN to DMZ, you can access the DMZ server using Public IP if inside the rule you remove "WAN" from source zone and you put any. At least it works if you access a LAN server using WAN address from inside.

I have already tried this, but from inside WAN address (assigned to sophos) only work (strangely) if I enable MASQ on the rule coming from DMZ or LAN.

This is an anomaly on how the rule must be create on xg firewall, I use currently other type of firewall (Fortigate, PFSense, Untangle...ecc...) without problems.

Pasquale,

address need to be changed (natted) because you are moving from one class ip to another. This is normal. Other vendor could masquerade the translation trasparently.

true, but natted not masquerated, with MASQ the request arrive to server with "out" interface of firewall not with ip address of source server or lan client. This cause trouble in log and access filtering. Why I can't make a simply DNAT rule ?

Enabling MASQ, the requests come from Firewall IP and not from original IP.

You should access resources in the same network using the same subnet. Maybe you are trying to do that to filter traffic connections (RDP, SSH, SSL, etc...).

Hope they will improve NAT into next release.