Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 2 subscribers
  • Views 1760 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to route to dmz when snatting everything to external

tuxi
Hi!

I'm experiencing the following problem:

- internal lan machine is fully snatted to the outside on external interface
- a dmz exists
- the snatted machine shows up on the machines in the dmz as if it is the asg

i.e. http apache log: 



213.240.213.240 - - [16/Aug/2011:09:22:44 +0200] "GET url-blabla HTTP/1.1" 200 442 "url-referrer-blabla" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0"


What I want is this: If the local lan machine accesses the dmz it show up with it's local lan ip instead of asg ip. 


192.168.80.200 - - [16/Aug/2011:09:22:54 +0200] "GET url-blabla HTTP/1.1" 200 442 "url-referrer-blabla" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0"


Any ideas on this?

Regards,
Michael


This thread was automatically locked due to age.
Parents
  • 0
    It's doing wht you've told it to do, based on that rule with ANY as the Traffic Destination.  Try using the Internet object instead, which is an Any rule, but bound to the external interface.

    Not certain why you need this SNAT rule, as a MASQ rule should handle this for all of your LAN systems.  You would then only need an SNAT rule if you wanted the source of an individual system to appear as a different/additional IP address.
Reply
  • 0
    It's doing wht you've told it to do, based on that rule with ANY as the Traffic Destination.  Try using the Internet object instead, which is an Any rule, but bound to the external interface.

    Not certain why you need this SNAT rule, as a MASQ rule should handle this for all of your LAN systems.  You would then only need an SNAT rule if you wanted the source of an individual system to appear as a different/additional IP address.
Children
No Data