
Advanced NAT Config Help

My ISP and server software have me cornered (I can't change the source port in the software, and the ISP refuses to pass traffic on port 123 to me, so replies never return); my firewall appears to be the only way out. I can't seem to figure out how to get the NAT statement I want/need into the XG. Maybe there is a secret menu or console command that unlocks full NAT control, or I am totally overlooking something.

What I want to do:

    SrcInt   LAN
    SrcIP    10.0.0.1
    SrcPort  123
    DstInt   WAN
    DstIP    NTPServers
    DstPort  123
    Proto    UDP

NAT TO

    SrcInt   WAN
    SrcIP    WAN_INT_IP
    SrcPort  15000
    DstInt   WAN
    DstIP    NTPServers
    DstPort  123
    Proto    UDP

Getting the SrcIP to change I have down; I can't figure out how to manipulate the source port. Outbound masquerading just modifies the SrcIP; if there were an option to randomize the SrcPort I would be golden. So my second tactic was to write a business rule of the above, reversing things, where I listen on WAN_IP:15000 and translate to 10.0.0.1:123. That rule only works if I initiate the packet from my WAN; it does not work if I initiate from my LAN, which is the expected use case. It appears that outbound, the XG does not fully apply the business rule to the source port: the traffic passes the business rule but leaves as WAN_IP:123 to NTPServers:123 instead of the WAN_IP:15000 to NTPServers:123 I was hoping for. I tried every combination of the reflexive and masq checkboxes on the business rule with no luck.

Any Ideas? hopefully I am overlooking something simple.

  • Hi Eric, 

    In such a scenario, it should work. I would check the settings again; from the information provided, you have two networks, "Local and Branch networks".

    If the server is in the branch network and you are connecting from the local network, the settings should be as follows.

    Local > ISP > Remote

    Local : 

    Step 1 - Create a rule for UDP/TCP port 123 to port XYZ and position it at the top of the other rules.
    Step 2 - Create a NAT policy and add it to the rule from step 1.

    Remote:

    Step 1 - Create a DNAT rule for UDP/TCP port 123 with source port XYZ and destination port 123, mapped to your internal server.

    If the setup does not work, you may take a tcpdump on both ends to check whether the communication is the issue or not.

    command: tcpdump 'port 123 and host <host address>'

    Output: 

     

  • Update on Issue:

    After further review and testing, it looks like my desired NAT config is not possible in Sophos XG; it appears you can do the above in Sophos UTM with its NAT engine.

    Instead of disrupting my network and going to the UTM version, I was able to find a software workaround to my NTP problem.

  • Sorry, but Eric is right. On XG, source port translation is missing. This is something possible with UTM (SNAT option) and something missing on XG. Full NAT and SNAT are features that should be improved on XG sooner rather than later.

    I am not talking about NATing IPs but about port translation (PAT).

    Check the difference with UTM and let us know.
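The following is an added example, not part of the thread and not Sophos code. It is a small Python model of a stateful NAT that walks through the three configurations the thread discusses: plain outbound masquerading (source IP rewritten, source port kept), the original poster's reversed "listen on WAN_IP:15000, translate to 10.0.0.1:123" rule, and full SNAT with port translation (PAT) of the kind the last reply attributes to UTM. It shows why the reversed rule only helps for packets that arrive from the WAN and why only SNAT with a rewritten source port gets an NTP reply past an ISP that drops UDP/123 toward the subscriber. Assumptions: the addresses 203.0.113.10 (for WAN_INT_IP), 192.0.2.50 (for one NTPServers entry) and 198.51.100.7 are documentation-range placeholders I chose, and the netfilter-like semantics (masquerade keeps the source port, DNAT is only consulted for packets addressed to the WAN IP, replies are un-NATed from connection state) are my modelling assumptions, not a description of XG internals.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed placeholders: only 10.0.0.1, UDP/123 and port 15000 come from the thread.
LAN_HOST = "10.0.0.1"
WAN_IP = "203.0.113.10"        # stands in for WAN_INT_IP
NTP_SERVER = "192.0.2.50"      # stands in for one of the NTPServers
WAN_PROBE_SRC = "198.51.100.7"  # an arbitrary Internet host


def isp_passes(pkt: Packet) -> bool:
    """The ISP filter from the post: nothing addressed to UDP/123 reaches the subscriber."""
    return not (pkt.proto == "udp" and pkt.dst_port == 123)


class NatBox:
    """Minimal stateful NAT with netfilter-like semantics (modelling assumption, not XG internals)."""

    def __init__(self, wan_ip, snat_port=None, dnat=None):
        self.wan_ip = wan_ip
        self.snat_port = snat_port   # None = masquerade: rewrite the IP, keep the source port
        self.dnat = dnat or {}       # wan_port -> (lan_ip, lan_port); consulted for inbound only
        self.conntrack = {}          # expected reply 5-tuple -> original LAN packet

    def outbound(self, pkt):
        """LAN -> WAN: apply source NAT and record the state needed to un-NAT the reply."""
        new_port = pkt.src_port if self.snat_port is None else self.snat_port
        xlated = replace(pkt, src_ip=self.wan_ip, src_port=new_port)
        reply_key = (pkt.proto, xlated.dst_ip, xlated.dst_port, xlated.src_ip, xlated.src_port)
        self.conntrack[reply_key] = pkt
        return xlated

    def inbound(self, pkt):
        """WAN -> LAN: connection state first, then static DNAT, otherwise drop (None)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        orig = self.conntrack.get(key)
        if orig is not None:
            return replace(pkt, dst_ip=orig.src_ip, dst_port=orig.src_port)
        if pkt.dst_ip == self.wan_ip and pkt.dst_port in self.dnat:
            lan_ip, lan_port = self.dnat[pkt.dst_port]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return None


def lan_initiated_ntp(fw):
    """The expected use case: 10.0.0.1:123 queries NTP_SERVER:123 through fw.
    Returns (packet as seen on the WAN, reply delivered to the LAN host, or None if lost)."""
    query = Packet("udp", LAN_HOST, 123, NTP_SERVER, 123)
    on_wire = fw.outbound(query)
    # The server answers by swapping the tuple it saw on the wire.
    reply = Packet("udp", on_wire.dst_ip, on_wire.dst_port, on_wire.src_ip, on_wire.src_port)
    if not isp_passes(reply):
        return on_wire, None
    return on_wire, fw.inbound(reply)


def wan_initiated_probe(fw):
    """A packet from the Internet to WAN_IP:15000, the only case the reversed rule handled."""
    return fw.inbound(Packet("udp", WAN_PROBE_SRC, 40000, WAN_IP, 15000))


def masquerade_only():
    return lan_initiated_ntp(NatBox(WAN_IP))


def reversed_dnat_rule():
    fw = NatBox(WAN_IP, dnat={15000: (LAN_HOST, 123)})
    return lan_initiated_ntp(fw), wan_initiated_probe(fw)


def snat_with_port_translation():
    return lan_initiated_ntp(NatBox(WAN_IP, snat_port=15000))


if __name__ == "__main__":
    print("masquerade only:  ", masquerade_only())
    print("reversed DNAT:    ", reversed_dnat_rule())
    print("SNAT with PAT:    ", snat_with_port_translation())
```

With masquerading alone, and equally with the reversed DNAT rule added, the query leaves as WAN_IP:123 and the reply to port 123 is dropped by the ISP; the DNAT rule only fires for a WAN-initiated packet to WAN_IP:15000. Only the SNAT entry with a fixed source port sends the query out as WAN_IP:15000 and maps the reply back to 10.0.0.1:123 from connection state. One practical caveat: a single fixed port such as 15000 can carry only one concurrent flow to the same server, which is why real SNAT implementations normally take the source port from a range rather than one value.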