I can't for the life of me get SNAT to work - although it was working for a brief time yesterday. With Juniper it was quite straightforward - you create a mapped ip which is a 1:1 connection of an external ip to an internal one. Then you simply create firewall rules that allow the traffic into the external ip - and rules that allow traffic out from the internal ip (and that outbound traffic appears to be coming from the external ip, not the ip of the firewall itself). Simple.
Sophos is a bit more complicated. First we have to add the ip(s) as an additional ip address. OK, check.
1:1 Nat appears to be a whole other animal than what it sounds like, so we have avoided that. We set up our DNATs which, once you get used to weird restrictions on how UTM handles its address objects and what can go where, was straightforward enough - and working.
But SNAT doesn't seem to work at all now after initially working yesterday...
I created a SNAT for a server, let's say 192.168.1.5 with a target of "Internet IPv4" for service ANY - and its translation is set to be the additional ip address 8.8.8.5 (not real ips of course). For testing purposes I allow an automatic rule creation. The moment I enact this, the server becomes unable to route out to the internet. The weirdest part is that if I have a continuous ping already running - that ping continues to work! New pings to the same address also work! New pings to another address don't work. This is a real security issue as it seems the UTM holds onto activerules for a LOOOOONG time after those rules are changed/removed. Very strange.
Anyway, after reading these forums and spiceworks and finding a ton of conflicting information (and it becoming clear what a confusing mess NAT has been for UTM and how many changes there have been over the last 2-3 years adding to the confusion) I created a matching masquerade rule. This seem to have no effect. I've also tried just doing it with a masquerade rule and no SNAT. Same issue - traffic simply stops routing.
Really hope I'm doing something stupid and this will be an easy fix... Support (tier 1) was completely clueless and kept saying "it's a dns issue." That right there should tell you all you need to know about UTM support. Yikes!
This thread was automatically locked due to age.
