Network Rules and 1-1 NAT

So... after wasting a few hours trying to decipher the scattered info on 1-1 NAT and the various firewall rule options, it appears that only Business Application rules will work.  The description of the Network rule for use when "you want to control traffic by source, service, destination, zone" (administrator's guide) is not accurate or complete.  If you do this you can make the traffic go out on the desired public IP, but the firewall does not accept the return on that IP.  Am I missing something? There is no reflexive option for network rules but you'd think based on the described use that would at least be the default behavior.  This has been very frustrating.  In addition to all the problems with the GUI things just don't make a lot of sense.  Why does the network rule option even exist?



  • I am new to Sophos as well after many years of experience in Cisco PIX/ASA, Fortinet, Watchguard, Sonicwall, etc.

    I am running both SG/UTM Home Firewall license, and a latest trial of XG in VM.


    I am working through all the different tests, trying to get 1:1 NAT (whole network) or subnet-to-subnet translation.

    I have found the Network Rule with the Rewrite source address (Masquerading) feature, and associated it with the NAT policy. But this is for a single mapping rather than subnet/range to subnet/range.
    The NAT policy can define an IP or an IP range, but no more. Also, if I use a range as the mapped IP, the result is that a source range of the same size is translated to the mapped range in round-robin fashion.

    Went back to UTM and configured it like a piece of cake, even if I need to use a "network" object rather than a "range".
    So far very disappointed with the XG experience. Very likely I would give it up and spend the time and effort on UTM testing.

  • On iptables, 1:1 NAT requires both an SNAT and a DNAT rule.
    So IMHO, you need both a user and a business application rule for 1:1 NAT.
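To make the "both directions" point above concrete, here is an added illustration (not Sophos XG/UTM code, and not from any poster) of a whole-subnet 1:1 NAT expressed as a Linux iptables NETMAP pair, plus the address-mapping arithmetic it performs. The subnets and the interface name `eth0` are constructed assumptions.

```python
"""1:1 NAT between two equally sized subnets, as an iptables DNAT/SNAT pair.

Added example: the inbound half (PREROUTING) rewrites the public address to
the matching private one, the outbound half (POSTROUTING) does the reverse,
so traffic initiated from either side uses the same public IP. Addresses are
constructed (RFC 5737 / RFC 1918), not a real deployment."""
import ipaddress


def netmap(addr, src_net, dst_net):
    """Translate one address the way NETMAP does: keep the host bits,
    replace the network bits. Both subnets must be the same size."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs equally sized subnets")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(ip) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + host_bits)


def one_to_one_rules(public_net, private_net, wan_if="eth0"):
    """Both halves of a whole-subnet 1:1 NAT using the iptables NETMAP
    target. The WAN interface name is an assumption."""
    pub = ipaddress.ip_network(public_net)
    priv = ipaddress.ip_network(private_net)
    if pub.prefixlen != priv.prefixlen:
        raise ValueError("1:1 NAT needs equally sized subnets")
    return [
        # inbound: packets arriving for a public IP go to the matching private IP
        f"iptables -t nat -A PREROUTING -i {wan_if} -d {pub} -j NETMAP --to {priv}",
        # outbound: packets leaving from a private IP are sourced from its public IP
        f"iptables -t nat -A POSTROUTING -o {wan_if} -s {priv} -j NETMAP --to {pub}",
    ]


if __name__ == "__main__":
    for rule in one_to_one_rules("203.0.113.0/24", "10.0.0.0/24"):
        print(rule)
    print(netmap("10.0.0.7", "10.0.0.0/24", "203.0.113.0/24"))
```

Because iptables is stateful, a single DNAT rule already handles the replies of inbound connections; the SNAT half is what makes connections initiated from the private side leave on the same public address, which is the behaviour the original post found missing.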

  • It is not a problem if you need both a user/network rule (outbound) and an application rule (inbound), but when people need to translate a range or classless subnet from the DMZ (private IP) to Public (public IP), XG OS does not support it yet in V16. The OS is not mature yet. On the other side, SG/UTM are far better in terms of GUI speed, response, troubleshooting tools/live log, and all NAT scenarios.