Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 2 subscribers
  • Views 18615 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Full NAT a /24 network?

BarryG
I need to setup our new firewall at a co-lo with one of our /24 networks, but have been ordered to NAT it to a 10.x.x.x internal network... [[[:(]]]

I would rather not do NAT, but I don't have a choice.

I am under the impression that I need to do the following:

1. have the ISP use 1 of our IPs for their router

2. setup the external interface with an IP on the real Class C network

3. setup another 253 or so "additional addresses" on the external interface
[[[:(]]]

4. setup the 10.x.x.x network on the internal interface

5. setup "Full NAT" for all 253 or so IPs 
[[[:(]]]


Am I right?
Is this the only and easiest way?

Are there any shortcuts for #3 and #5? e.g., is there a way to setup a block or subnet for "Full NAT" or "Additional Addresses" without having to do 1 at a time?
I remember some other firewalls having ways to NAT entire ranges (internalexternal) at once.

The Astaro docs indicate that you can put a network into the NAT source or dest, but will it be a 1-1 mapping?
I'm guessing I couldn't do the whole /24 though because of the external IP, but a /25 should work, right?

As mentioned, NAT is a company requirement, so please no arguments about that.

Thanks,
Barry


This thread was automatically locked due to age.
Parents
  • 0
    The ISP is giving us a /30 to route our traffic, so I believe the firewall can have an address on that network, and/or our /24.

    Barry
  • 0 in reply to BarryG
    Barry, I feel like you know a lot more about this stuff than most of us here, so I'm taking a chance that I won't sound too ignorant...

    I thought you could set up full NAT on the DNAT/SNAT tab, and that it would work with networks instead of just individual IPs.  Have you tried that and determined that it doesn't work?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    PM Sent.

    FWIW, I think the process you list is the way this would have to be handled... but why do they require a NAT (or do they care to explain themselves)?  Are they doing PAT (Masquerading) in front of all this?

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • 0 in reply to BAlfson
    PM Sent.

    FWIW, I think the process you list is the way this would have to be handled... but why do they require a NAT (or do they care to explain themselves)?  Are they doing PAT (Masquerading) in front of all this?

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
  • 0 in reply to BrucekConvergent
    Barry, I feel like you know a lot more about this stuff than most of us here, so I'm taking a chance that I won't sound too ignorant...

    I thought you could set up full NAT on the DNAT/SNAT tab, and that it would work with networks instead of just individual IPs.  Have you tried that and determined that it doesn't work?


    Bob, I tried (on my home ASL 7.380) to do a Full NAT, and add two networks as the source and dest, but it told me that was invalid.


    PM Sent.
    FWIW, I think the process you list is the way this would have to be handled... but why do they require a NAT (or do they care to explain themselves)?  Are they doing PAT (Masquerading) in front of all this?


    Bruce, our Corporate policy says all networks, including DMZs, must be NAT'd. Part of it has to do with PCI (and maybe SOX), but they're requiring it even for networks which are not in PCI scope.

    On the corporate LANs, they're doing PAT, and on the DMZs, they're doing 1-to-1 NAT ("STATIC", iirc).

    Thanks,
    Barry
  • 0 in reply to BarryG
    Oh, the way I read it (with you mentioning a CoLo) was that the ISP was forcing you to use NATted addressing... this is your corporate WAN that you are hooking into..  I get it.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Corporate is forcing us to NAT everything at the Co-Lo.

    We will be setting up a VPN between them, but they're requiring it even if we didn't.

    Barry
  • 0 in reply to BarryG
    I'm still having a hard time understanding "Full NAT"... 

    What I have:
    Internal Network: 10.10.10.0/24
    External Network: 1.2.3.0/30
    External IP: 1.2.3.2

    Routed Network: 42.42.42.0/24
    This is routed to our external IP, and is working.

    Webservers, smtp, etc are on internal network


    What I want:
    1. Internet traffic to be NATted to the internal servers. e.g.
    42.42.42.20 goes to 10.10.10.20
    So far, I am only able to do this with DNAT.

    2. Outgoing traffic to use the matching external address
    e.g.
    10.10.10.20 appears to be 42.42.42.20
    10.10.10.21 appears to be 42.42.42.21


    I assumed that FULL NAT would accomplish both #1 and #2 with a reasonable number of NAT setups. 
    Am I right?
    If not, do I have to do a DNAT AND a SNAT for each server?

    If Full NAT will work, how do I set it up? There are 2 sources and 2 destinations to set, and I don't know what to put in them.


    I took a PIX class long ago, and from what I remember, you could do both #1 and #2 with a "Static network translation". I think you could even do a static for a whole private network.

    Thanks,
    Barry
  • 0 in reply to BarryG
    I have the same confusion here as to what to put in each fields to setup the full NAT.
  • 0 in reply to liug
    Since writing here, I've learned that you'd need to do BOTH a DNAT and an SNAT to acheive this.

    Barry
  • 0 in reply to BarryG
    Thanks for the follow-up Barry.  Great info!
  • 0 in reply to eganders_01
    Also see Gert's post here:
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/20441

    That sounds like it'd help with what I was trying to do, at least.

    Barry
  • 0 in reply to BarryG
    Since writing here, I've learned that you'd need to do BOTH a DNAT and an SNAT to acheive this.

    Barry


    Doing both DNAT and SNAT will definitely achieve this, but I thought full NAT was there as an easier way to do this, or are you saying full NAT is for some other purposes?
  • 0 in reply to liug
    Yes.  Full NAT "broadcasts" your internal IPs and is useful when these IPs are in a public range.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner