Hi,
after many years with a PIX 506 we decided to switch to Astaro (ASG-120). The GUI was more self-explanatory than Cisco's, and most of all, configuration was done without the need to read 1000-page documents.
But now, after in-depth experience with ASG V7, I'm somehow disappointed. I don't know the "typical" customer of Astaro, but some features that are elementary in my eyes, like negated network definitions (e.g. "!192.168.5.0/24"), are just missing.
Here's our problem:
We have a LAN (192.168.30.0), connected via IPSEC-VPN with a remote LAN (192.168.40.0).
On the WAN side, we have a small subnet with public IPs (let's call it 1.2.3.0/28).
We want to masquerade most of our LAN->WAN traffic with the external IP 1.2.3.2, but need some specific LAN hosts to masquerade as 1.2.3.3.
After having tried configuring this for several hours, I gave up.
Normal masquerading works fine, but doesn't allow us to use specific public IPs for specific LAN hosts.
SNAT might be a solution, but when building a rule like "SRC Any - DST Any - SNAT 1.2.3.2", all VPN traffic also gets SNAT'd (which in itself is correct, as I have no way to say "SRC Any - DST !VPN - SNAT 1.2.3.2").
I don't really want to create a host group containing all world-wide networks except my VPN... [;)]
So dear Astaro guys, PLEASE (!!) add a way for negating addresses, and maybe also give some hints on how to configure SNAT/Masquerading with different public IPs.
My research showed that this is indeed an old topic not yet solved:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/38210
https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/38200
Or did I miss something?
Thanks & best regards
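The following is an added example, not part of the original post and not Astaro's own NAT engine: a small Python model of first-match SNAT rule evaluation that shows the two ways of expressing the setup described above. The first rule set uses the negated destination ("DST !VPN") that the post asks for; the second reaches the same result without negation by placing a "no NAT" exception for the VPN subnet ahead of the general rules. The addresses (192.168.30.0/24 LAN, 192.168.40.0/24 VPN peer, 1.2.3.2 and 1.2.3.3 public IPs) are taken from the post; the host 192.168.30.10 and the test destinations are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses: LAN, VPN peer LAN and public IPs come from the post,
# the specific LAN host and the external destinations are invented here.
LAN = "192.168.30.0/24"
VPN = "192.168.40.0/24"
ANY = "0.0.0.0/0"
SPECIAL_HOST = "192.168.30.10/32"


@dataclass
class NatRule:
    name: str
    src: str                 # CIDR the packet source must lie in
    dst: str                 # CIDR the packet destination must lie in
    snat_to: Optional[str]   # public IP to rewrite the source to; None = leave untouched
    negate_dst: bool = False  # True: match when the destination is NOT in dst


def rule_matches(rule: NatRule, src_ip: str, dst_ip: str) -> bool:
    """First-match semantics: a rule applies when both source and destination match."""
    src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    dst_in = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    dst_ok = not dst_in if rule.negate_dst else dst_in
    return src_ok and dst_ok


def apply_snat(rules: List[NatRule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (name of the first matching rule, new source IP or None for no NAT)."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip):
            return rule.name, rule.snat_to
    return "no-match", None


# Variant A: what the post asks for, a negated destination on each SNAT rule.
RULES_WITH_NEGATION = [
    NatRule("host-snat", SPECIAL_HOST, VPN, "1.2.3.3", negate_dst=True),
    NatRule("lan-snat", LAN, VPN, "1.2.3.2", negate_dst=True),
]

# Variant B: no negation; an exception rule for the VPN subnet is evaluated first
# and deliberately performs no translation, so the general rules never see VPN traffic.
RULES_WITH_EXCEPTION = [
    NatRule("vpn-no-nat", LAN, VPN, None),
    NatRule("host-snat", SPECIAL_HOST, ANY, "1.2.3.3"),
    NatRule("lan-snat", LAN, ANY, "1.2.3.2"),
]


def variants_agree(flows: List[Tuple[str, str]]) -> bool:
    """True when both rule sets yield the same translated source for every flow."""
    return all(
        apply_snat(RULES_WITH_NEGATION, s, d)[1] == apply_snat(RULES_WITH_EXCEPTION, s, d)[1]
        for s, d in flows
    )


if __name__ == "__main__":
    sample_flows = [
        ("192.168.30.10", "203.0.113.7"),   # special host to the Internet -> 1.2.3.3
        ("192.168.30.20", "203.0.113.7"),   # other LAN host to the Internet -> 1.2.3.2
        ("192.168.30.10", "192.168.40.5"),  # special host over the VPN -> untouched
        ("192.168.30.20", "192.168.40.5"),  # other LAN host over the VPN -> untouched
    ]
    for s, d in sample_flows:
        print(s, "->", d, apply_snat(RULES_WITH_NEGATION, s, d), apply_snat(RULES_WITH_EXCEPTION, s, d))
    print("both variants agree:", variants_agree(sample_flows))
```

The point of the model is that, under first-match evaluation, a negated destination in a rule is equivalent to an earlier exception rule for the same destination that performs no translation; whether a given product lets you write such a "no NAT" rule is a separate question that the post leaves open.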
This thread was automatically locked due to age.