Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 9030 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Hair pinning rule in v16 issue

SimoneMontagnani

Hello all, thank you in advance for your advices,

 

I have some NAT web,ftp,mail Servers everyone with it's own public IP:

 

Server 1 public IP1 -> NAT -> DMZ-Server-IPaddress1

Server 2 public IP2 -> NAT -> DMZ-Server-IPaddress2

Server 3 public IP3 -> NAT -> DMZ-Server-IPaddress3

...

 

I use the hairpin rules for each server to enable public IP access between internal servers using public IP addresses.

The technique for each server is:

 

1) Create a Business Rule for inbound NAT traffic to the Server in DMZ enabling Reflexive Rule option.

2) Create a Business HAIRPIN Rule similar to the previous but with rewrite source address choosing from a dropdown menu where I found an automatic generated reflexive Rule object.

3) Create a user/network Rule for each server to enable outbound traffic like FTP HTTP SSH or other services I need to use in outbound direction IF I need specific server to be NAT with his public "personal" IP ( and not the Firewall external MASQ classic NAT) selecting the correct IP alias from the dropdown "Use Outbound Address" menu in the NAT & Routing "Advanced" section of the User/Network Rule, otherwise, if I want to use the reflexive rule, this server will never be allowed to generate his own traffic to the outside.

That said, after v16 upgrade I cannot find this aliases anymore, only in the User/Network Rules, while In the Business Rules everything is as usual.

Is there something I'm missing?

Any Ideas?

Simone

 

 

 



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Aditya Patel

    Hi Aditya Patel,

    What I want is to generate outbound traffic from a DMZ Server, with a specific public IP that I want, example:

     

    web server : public IP 111.111.111.10  DMZ IP 172.16.1.10 

    FIREWALL SOPHOS: public WAN IP 111.111.111.254

    I want to script an FTP from the web server to any FTP server on the internet and my public IP address must be 111.111.111.10 (WEB IP ) and not 111.111.111.254 ( MASQ FW IP )

     

    In attach a screenshot of the outbound address missing dropdown menu in the rule.

     

     

  • 0 in reply to SimoneMontagnani

    Hi SimoneMontagnani, 

    Here is the resolution to your problem  , 

    Step 1 Create a Rule based on services 1-> FTP and 2-> HTTP

    Step 2 Create a NAT policy  (same as a Alias address on Network interface)

    STep 3 Apply NAT and Route through Specific Gateway  

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.