Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 6 subscribers
  • Views 7517 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NAT over MPLS to remote networl

Doug LaPlant

Hello, New Sophos users here.

 

I've got two sites connected by MPLS. One site has my internet connection, the other site has a server I want to allow traffic to from the internet. I've tried standard NATs and MASQ / firewall rules but not having any luck. From a host on the same site as my internet connection I can ping and telnet to the port on the other site, just not from the internet. Also NAT from internet to a local address and it worked fine.

 

Any help is greatly appreciated.



This thread was automatically locked due to age.
  • 0

    Hi,

     

    so the WAN-interface IP of your UTM is different from your public WAN-IP? (In your picture your UTM has 70.132 and you created a NAT rule for traffice to 70.133)

     

    Could you try creating a NAT rule for traffic from 70.132 and test it again?

     

    Regards,

     

    Ole

  • 0 in reply to Ole Heydt

    Hi Ole,

     

    The primary address is 70.132, 70.133 is an "additional address". the ISP provides a /28 (.128 - .142 if I recall correctly). I did try to use the primary address 70.132 as a testing step and still no good.

     

     

    Thanks,

    Doug

  • 0

    Hey, Doug.

    So, I take the branch site has no internet connection at all, right? Is the server 192.168.21.233 able to reach internet through the main site?

    I would bet the server 192.168.21.233 probably does not know how to reply to NATed packets from the internet.

    Regards,

    Giovani 

  • 0 in reply to giomoda

    Hi Giovani,

     

    You hit the nail on the head.

    The branch does not have other direct internet, there is however a third site where internet is going now (being replaced with this new site). I had setup the NAT as a DNAT instead of a full NAT and thus the traffic was not going back to the Sophos it was going out the other default route. would not have been in issue if internet was already moved over, but not working for the test that way.

     

    Anyway, we're all set. On to the next adventure!!

     

    Thanks,

    Doug

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML