for a server is it better to masquerade or use SNAT if you have multiple statics through a single ISP?

So let's say you have a range of public static IPs from a single ISP, let's call these x.x.x.a through x.x.x.z. Now you have a bunch of users and servers in different /24 VLANs, but all can be summarized as 10.10.0.0/16. So you create a MASQ rule that 10.10.0.0/16 uses x.x.x.a. Now you have some servers, for example, 10.10.1.20 that you DNAT port 443 to from x.x.x.b, and 10.10.2.30 that you DNAT some random app ports to from x.x.x.c. When those servers connect to things externally you want the sources to not show as x.x.x.a, but x.x.x.b and x.x.x.c respectively.

Should MASQ rules be created for each server, or rather SNAT?  Surely not Full NAT, right?

  • Depends where you want the outgoing to come from, i.e. you can have multiple DNAT IPs but outgoing can just be one IP.

    Don't think there is a hard and fast rule about it.

  • Sometime over the last few years, Sophos added the ability to do this with masquerading.  They did this by making the list of masq rules an ordered list.  Just like all ordered lists in the UTM, when traffic qualifies for a rule, no further rules in the list are considered.

    You can do it either way but I think it makes for a more-elegant configuration to do it with Masquerading.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
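    The ordered, first-match behaviour Bob describes, written out as an nftables ruleset for a generic Linux router (an added example for illustration, not a Sophos UTM configuration or anything generated by it). It assumes eth0 is the WAN interface, uses 203.0.113.10/.11/.12 as stand-ins for x.x.x.a/b/c, and assumes TCP 5000-5001 as the "random app ports"; a fixed-address `snat` is used in place of `masquerade` because the goal is to pick one of several statics, not the interface address.

    ```nftables
    # Added example, not Sophos UTM configuration. 203.0.113.10/.11/.12 stand in
    # for x.x.x.a/b/c; eth0 is assumed to be the WAN interface; ports 5000-5001
    # are an assumed stand-in for the app ports mentioned in the question.
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100;
            # Inbound DNAT: x.x.x.b:443 -> web server, x.x.x.c app ports -> app server
            ip daddr 203.0.113.11 tcp dport 443 dnat to 10.10.1.20
            ip daddr 203.0.113.12 tcp dport { 5000, 5001 } dnat to 10.10.2.30
        }
        chain postrouting {
            type nat hook postrouting priority 100;
            # Outbound source NAT is evaluated top to bottom and the first
            # matching nat statement wins, so the host-specific rules must sit
            # above the /16 catch-all. Swap the order and both servers would
            # leave as 203.0.113.10 (x.x.x.a), undoing the per-server mapping.
            oifname "eth0" ip saddr 10.10.1.20 snat to 203.0.113.11
            oifname "eth0" ip saddr 10.10.2.30 snat to 203.0.113.12
            oifname "eth0" ip saddr 10.10.0.0/16 snat to 203.0.113.10
        }
    }
    ```

    Load it with `nft -f <file>` and confirm the order with `nft list chain ip nat postrouting`; an outbound connection from 10.10.1.20 should then appear to the remote side with source 203.0.113.11.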
  • Thanks Bob, that was specifically the answer I was looking for. It does seem to be more elegant with Masquerading and I could eliminate all these SNAT rules. I just wanted to make sure by doing that I wasn't breaking something or using it improperly. Like any pros or cons, or performance impact... but seems equal, I guess?