Masquerading and SNAT is not working with Additional addresses

Hi,

We have an SG310 with the latest updates installed. We have 5 public IPs from our ISP "X" and another 5 from ISP "Y". What I want to have is:

  • Our production network (eth0) will get out through (eth1) ISP "X" with public IP(1)
  • Our Mail Exchange server (eth0) will get out through (eth1) ISP "X" with public IP(2)
  • Our FTP server (eth0) will get out through (eth1) ISP "X" with public IP(3)
  • Our Guest network (eth4) will get out through (eth5) ISP "X" with public IP(2)
  • Site-to-site VPN will be using eth6 and eth7, ISP "Y" IP(1)

The setup is :

  • eth0, eth4, eth6: internal networks with different subnets
  • eth1, eth5, eth7: external public IPs with gateways
  • Used uplink balancing for the three external interfaces and multipath rules to link each internal interface with its external one, as explained above
  • For the Exchange server public IP and the FTP public IP, I created additional addresses linked to eth1 and used Masquerading to use the additional address

Until now everything is working as it should except the Exchange and FTP (additional addresses).

When I am testing using "what is my IP" at the Exchange, I got the main external IP and not the additional address that I used in Masquerading.

Further tests:

  • The Guest network (eth4, eth5) cannot get out unless I create a Masquerading rule
  • Masquerading with additional addresses is working fine, DNAT/SNAT as well, with the guest network
  • The production network (eth0, eth1) can access the internet without Masquerading
  • The VPN site network (eth6, eth7) can access the internet without Masquerading
  • Both the production network (eth0, eth1) and the VPN site network (eth6, eth7) do not work with Masquerading with additional addresses

My feeling is that there is something internal overriding my setting of Masquerading with additional addresses related to (eth0, 1, 4, 5), or I am not sure if it's related to the interfaces or the internal subnets I am using.

The SG310 will be replacing the old ASA that we have now. Both firewalls are connected to the ISPs' routers at the same time; could the reason be that I am using the same subnet on both firewalls while connecting to the same ISP router? FYI, I am testing on unused public IPs and with a laptop connected directly to the SG310.

Kind regards,

Abdullah

  • > The production network (eth0,eth1) can access the internet without Masquerading

    > The VPN site network (eth6,eth7) can access the internet without Masquerading

    Given that your internal subnets are private IP space (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and the ISP's router is not NATting for you, that should not be possible.

    My guess is that you have turned on "Web Protection" in "transparent" mode.

    Turn off "Web Protection" completely and test your scenarios again.

    Kind regards,

    Matthias

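The mechanism behind Matthias's hypothesis, as an added model written for this thread (not UTM code, and not from either poster): a transparent web proxy terminates the client's HTTP session and opens its own upstream connection from the firewall's primary address, so an HTTP-based "what is my IP" check never exercises the SNAT rule, and a private subnet appears to "get out" with no masquerading at all. All addresses, the proxied port list and the rule order are constructed assumptions for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addresses from documentation ranges; not the poster's real IPs.
PRIMARY_IP = "198.51.100.10"         # primary address on the external interface (eth1)
EXCHANGE_EXTRA_IP = "198.51.100.11"  # "additional address" bound to the same interface
EXCHANGE_HOST = "10.10.0.25"         # internal Exchange server behind eth0
LAN = "10.10.0.0/24"                 # production subnet behind eth0


@dataclass
class Policy:
    transparent_web_proxy: bool             # Web Protection in transparent mode
    proxy_ports: Tuple[int, ...] = (80,)    # ports the proxy intercepts (assumed: plain HTTP)
    snat_rules: Tuple[Tuple[str, str], ...] = ()   # (internal host, public IP), first match wins
    masquerade_subnet: Optional[str] = None # subnet masqueraded to the primary address


def egress_source(src: str, dst_port: int, policy: Policy):
    """Return (source IP seen by the Internet host, reason) for one outbound flow."""
    # The proxy answers the client itself and re-originates the request from the
    # firewall's primary address, so NAT rules keyed on the client address never match.
    if policy.transparent_web_proxy and dst_port in policy.proxy_ports:
        return PRIMARY_IP, "transparent web proxy"
    for internal_host, public_ip in policy.snat_rules:
        if src == internal_host:
            return public_ip, "SNAT to additional address"
    if policy.masquerade_subnet and ip_address(src) in ip_network(policy.masquerade_subnet):
        return PRIMARY_IP, "masquerade to primary address"
    # Private source leaves untranslated: the ISP cannot route the reply.
    return None, "no translation, flow is unroutable"


# Policy as described in the thread (proxy on) versus Matthias's suggestion (proxy off).
PROXY_ON = Policy(True, snat_rules=((EXCHANGE_HOST, EXCHANGE_EXTRA_IP),))
PROXY_OFF = Policy(False, snat_rules=((EXCHANGE_HOST, EXCHANGE_EXTRA_IP),))

if __name__ == "__main__":
    for name, pol in (("proxy on", PROXY_ON), ("proxy off", PROXY_OFF)):
        for port in (80, 25):   # HTTP "what is my IP" check versus outbound SMTP
            print(f"{name:9} port {port}: {egress_source(EXCHANGE_HOST, port, pol)}")
```

Testing egress on a port the proxy does not intercept (port 25 here) shows the SNAT address even with the proxy on, which is a quick way to tell the two causes apart before changing the Web Protection setting.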