How should a Cisco guy relate to UTM NAT? Scenario & a couple of questions

I've been working for a few weeks now porting over config & function from Cisco ASA and PIX to our new Sophos SG330 running UTM v9.406-3.

We have a /27 block of public IPs.

I've been doing a lot of reading today about NAT on UTM.  I've got an interface on the SG 330 labelled as OUTSIDE.

I have one of my public IPs bound to OUTSIDE.

On this Masquerading tab, OUTSIDE is set as what I would call the "global" or "overload" NAT - everyone inside accessing the Internet appears to come from this one IP.

I guess in the context of UTM, you could also call that Many-To-One SNAT.

I have the rest of my public IPs set up as Additional Addresses on OUTSIDE.

I understand that I can use DNAT for inbound from internet to PublicIP thru UTM to PrivateIP.

Then I can use SNAT so that PrivateIP thru UTM shows up to the world as PublicIP - instead of the "global" or "overload" NAT defined in Masquerading.

I think I have it set up correctly for:

DNAT:  Inbound SMTP to public IP assigned to Barracuda Spam Firewall's private IP.

SNAT:  Outbound all protocols from Barracuda's private IP to the internet via that same public IP.

DNAT:  Inbound HTTP/S to public IP assigned to Exchange server private IP.

SNAT:  Outbound SMTP from Exchange server private IP.

See screen captures:

Now, based upon the above configuration, I think I can draw the following conclusions:

1.  All inbound traffic from the Internet to the Barracuda's public IP will be blocked, except SMTP which will be forwarded in to the Barracuda's private IP.

2.  All outbound traffic from the Barracuda's private IP to the Internet is allowed, and it will show up as sourced from the Barracuda's public IP.

3.  All inbound traffic from the Internet to the Exchange server's public IP will be blocked, except HTTP/S which will be forwarded in to the Exchange server's private IP.

4.  All outbound traffic from the Exchange server's private IP to the Internet will appear to come from the OUTSIDE IP as defined in Masquerading, EXCEPT SMTP which will appear to come from the Exchange server's public IP.

Are my conclusions correct?

Thank you!



  • Hi, Kris, and welcome to the UTM Community!  You're right, there is a culture cliff to climb. [;)]

    "I have one of my public IPs bound to OUTSIDE." - The primary IP is bound to a NIC by using it as the IP in the Interface definition.  Other IPs are bound to a NIC by putting Additional Addresses on the Interface as you've noted.  For regular Network definitions, be careful that you don't violate #3 in Rulz.

    "... you could also call that Many-To-One SNAT" - The basic difference between SNAT and Masquerading in the UTM is that Masquerading is always the last thing done before the packet leaves.  Note that the Web proxy and SNAT rules take priority, so these packets aren't subject to Masq.  You got that right, too.

    Most of us would not use "Any" in a Masq rule.  If you wanted to masq traffic from SSL VPN clients, for example, from their own "SSL VPN" IP, our culture would want 'Internal (Network) -> OUTSIDE' and 'VPN Pool (SSL) -> Outside [SSL VPN]' instead of an SNAT for the VPN clients.

    I'm not sure what your "INTERNET ANY" Network Group is doing in your NATs.  It's likely that you only need the "Internet" object in those rules.

    Your current configuration will do what you want.  I just wanted to impart a vision of the habits of those of us that have done UTM often and for a long time.

    Excellent work and introductory post!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
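    To make the processing order Bob describes concrete against Kris's four conclusions, here is an added model (not from this thread, and not Sophos code) of how the two DNAT rules, the two SNAT rules and a Masquerading rule shape a packet: SNAT is consulted before Masquerading, and inbound traffic to an Additional Address only gets through where a DNAT rule targets it. Addresses are constructed from documentation ranges, and it assumes Bob's 'Internal (Network) -> OUTSIDE' Masq rule with no other firewall rules in play.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation range); not the poster's real /27.
OUTSIDE_PRIMARY = "203.0.113.1"      # IP in the OUTSIDE interface definition (Masq target)
BARRACUDA_PUB, BARRACUDA_PRIV = "203.0.113.2", "10.0.0.25"
EXCHANGE_PUB, EXCHANGE_PRIV = "203.0.113.3", "10.0.0.30"
INTERNAL = ip_network("10.0.0.0/8")  # the "Ten-Dot" private WAN

SMTP, HTTP, HTTPS, ANY = 25, 80, 443, None

# (public_ip, dport) -> private_ip : the DNAT rules from the post
DNAT = {(BARRACUDA_PUB, SMTP): BARRACUDA_PRIV,
        (EXCHANGE_PUB, HTTP): EXCHANGE_PRIV,
        (EXCHANGE_PUB, HTTPS): EXCHANGE_PRIV}
# (private_ip, dport or ANY) -> public_ip : the SNAT rules from the post
SNAT = {(BARRACUDA_PRIV, ANY): BARRACUDA_PUB,
        (EXCHANGE_PRIV, SMTP): EXCHANGE_PUB}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def inbound(p: Packet):
    """Internet -> OUTSIDE. A DNAT rule (with its automatic firewall rule) is the
    only thing that lets traffic to an Additional Address in; anything else hits
    the default drop (assumption: no other firewall rule permits it)."""
    target = DNAT.get((p.dst, p.dport))
    if target is None:
        return None  # dropped
    return Packet(p.src, target, p.dport)


def outbound(p: Packet):
    """Internal -> Internet. SNAT is evaluated first; Masquerading is the last
    step before the packet leaves, so an SNAT'd packet is never masqueraded."""
    new_src = SNAT.get((p.src, p.dport)) or SNAT.get((p.src, ANY))
    if new_src is None and ip_address(p.src) in INTERNAL:
        new_src = OUTSIDE_PRIMARY  # Masq rule: Internal (Network) -> OUTSIDE
    if new_src is None:
        return None  # not covered by SNAT or Masq: leaves with its private source
    return Packet(new_src, p.dst, p.dport)
```

    Running the four conclusions through these two functions shows each holds: only SMTP reaches the Barracuda and only HTTP/S reaches Exchange, the Barracuda always leaves from its own public IP, and Exchange leaves from its public IP for SMTP but from the OUTSIDE primary for everything else.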
  • Awesome, thank you Bob!  I have read A LOT of your posts here, including Rulz.  Thank you so much for your advice & insight!

    I think I should have included another bit about our infrastructure, all the private networks on the WAN are Ten-Dot.
    Everything comes back to the core Layer 3 switch here in my building.  All routes are static and defined in this switch.  Once I'm ready I'll cut over the default route.
    Currently:  ip route 0.0.0.0 0.0.0.0  CiscoInsideIP.  When I'm ready to cut over to the UTM, I'll change that to UTMInsideIP

    BAlfson said:
    The basic difference between SNAT and Masquerading in the UTM is that Masquerading is always the last thing done before the packet leaves.  Note that the Web proxy and SNAT rules take priority, so these packets aren't subject to Masq.  You got that right, too.

    Ah, OK.  Good to know.  One thing I'm really looking for is a clear description of UTM's "Order of Operations".  Specifically the processing order for Firewall and Proxy.  EDIT:  Rule #2 explains Ops Order nicely.  Thanks again Bob.  =)

    When you say "Web Proxy" are you talking about Webserver Protection?  In the context of SNAT, it would seem so.  Webserver Protection was the first thing I "fell in love" with on the UTM.  I have done reverse proxying from internal web servers to the internet with an intermediate IIS server dedicated to reverse proxying, and it was a complete pain in the ass to configure.  I love UTM's implementation, so easy!

    BAlfson said:
    Most of us would not use "Any" in a Masq rule.  If you wanted to masq traffic from SSL VPN clients, for example, from their own "SSL VPN" IP, our culture would want 'Internal (Network) -> OUTSIDE' and 'VPN Pool (SSL) -> Outside [SSL VPN]' instead of an SNAT for the VPN clients.

    I think I follow you.  As is, everyone on the private WAN accesses the Internet and appears to come from the IP address bound to the OUTSIDE interface.  As you describe above, users on the internal private WAN access the internet from PublicIP-A, but remote users VPN in, then their internet access is piped out via PublicIP-B, which is defined as the SSL-VPN Additional Address on OUTSIDE.  Right?

    Aha! I think I know exactly why I will need to tweak my Masquerading config, this is the way I have the Cisco stuff set up now:
    Employee computers access the Internet & appear to be coming from PublicIP-A.
    Guest Wifi Internet access appears to be coming from PublicIP-B.

    BAlfson said:
    I'm not sure what your "INTERNET ANY" Network Group is doing in your NATs.  It's likely that you only need the "Internet" object in those rules.

    I created that Group so I don't have to worry about my OCD when it comes to IPv6.  =)

    ____________________________
    Kris Jacobs
    Network Administrator
    Calhoun County IT Department
    Battle Creek, Michigan   USA
