XG550 NAT - Not sure if it is working correctly

Hi,

I wonder if I can get some help on doing a NAT for our Video Conferencing unit. I am new to the XG550 and had tried to find out how exactly it's done but it does not seem to work. It would be great if anyone can advise on my setup and any help is greatly appreciated.

What I had tried to do is as follows:

- Add a new business application rule to the policy

- Rule Name: XT Desktop

- Source Host: Any

- Source Exceptions: <Empty>

- Hosted server Source Zone: WAN

- Hosted address: XT Desktop Public IP

- Protected Application Server Protected Zone: LAN

- Protected Application Server: XT Desktop Internal IP

- Forward all ports: ON

- Routing Rewrite Source address (Masquerading): ON

- Routing Use Outbound Address: XT Desktop Public IP

- IPS: None

- Traffic Shaping: None

- Log Firewall Traffic: ON

- Create Reflexive Rule: ON

- Security Heartbeat: OFF

Whenever I try to connect to this desktop from external locations, the connection does not work. Hence I am now stuck and not sure how to proceed or troubleshoot this.

Many thanks for any help and suggestions!

 

Tan



  • Tan,

    here is the KB on how to DNAT an internal server:

    https://community.sophos.com/kb/en-us/122976

    Untick "Create Reflexive Rule" and "Routing Use Outbound Address: XT Desktop Public IP". For the outbound, create a rule manually and see if everything works correctly.

    Regards

  • Hi,

    Many thanks for your reply and much appreciated.

    I saw the KB before but I do not know why, when I create the Business Application Rule, I do not have the option to choose DNAT/Full NAT/Load Balancing. Hence, I chose to create the rule based on "Non-HTTP based Policy". This should be fine?

    For the outbound rule, this is to create a "User/Network Rule" to allow the XT Desktop Internal IP to go to WAN?

     

    Lastly, if I remove the "Routing Use Outbound Address: XT Desktop Public IP" and set it to MASQ, it will always default back to the WAN Port IP. The WAN port IP is different from the XT Desktop Public IP and hence, I am not sure whether this will route the traffic to the PC?

    I am a newbie on this so many thanks for your help.

    Tan

  • Tan,

    what version of Firmware are you running? I suspect you are still on v15.

    Regards

  • Yes Luk, you are right. I am still on v15.01. I am trying to download v16 and was asked to wait for verification before doing so. Will v16 do better, as I have seen some posts pertaining to issues on the firmware?

    Tan

  • Tan, v16.05 MR-3 (latest one) is more stable and complete than v15. Upgrade to it and then follow the KB.

  • Hi Luk,

    I managed to upgrade one unit of the XG to v16.05 MR-3 but encountered some issues with the application filter as well as the HA portion. Nevertheless, I will sort out these issues but still need advice on how to configure the rule. I can get the DNAT Business Rule in place but it seems like I am not able to select a list of ports to be used. I got a list of ports and port ranges to open for this particular desktop but it seems like I can only enter a specific port instead of selecting a Service group. Is there any way to use a Service Group instead? My list of ports that need to be open includes 1024-65535 (UDP), TCP 3336, TCP 3337 etc.

    Thanks for your advice!

    Tan

     

  • Tan,

    with v16 it is not possible either. This feature is planned for v17. You have to use port numbers.

    Regards