Masquerading NAT?

We have a block of 16 ipv4 public addresses.

Our network has various LANS and a couple of DMZ's.

Our main DMZ has 4 servers sitting within it, each with its own public IP NATting to it.

How do you set up masquerading for this? Is it simply:

DMZ Server A > WAN (public address A)

DMZ Server B > WAN (public address B)

DMZ Server C > WAN (public address C)  etc etc

  • Hi Louis,

    As per your query, you would need to enable Proxy ARP on your appliance. Kindly follow the steps to configure the same.

    Enable proxy ARP on two interfaces with the same network mask and addresses.

    For example: the external interface (eth4) is 157.161.161.240/27
    and the host you want to connect to is on the DMZ interface (eth5) with the IP 157.161.161.243.
    In your case, proxy ARP has to be enabled via sysctl like this:

    sysctl -w net.ipv4.conf.eth5.proxy_arp=1
    sysctl -w net.ipv4.conf.eth4.proxy_arp=1

    Taken from Article 115287:

    https://community.sophos.com/kb/en-us/115287

    Thanks and regards 

    Aditya Patel 

    Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • I'm not sure that is what I'm after. I'll try and explain a little bit more.

    WAN (Primary) interface IP address 1.1.1.1/28

    WAN (additional addresses) 1.1.1.2 - 16

    DMZ interface address 192.168.1.1

    DMZ SERVER A (192.168.1.2)   >>> NATS to 1.1.1.2
    DMZ SERVER B (192.168.1.3)   >>> NATS to 1.1.1.3
    DMZ SERVER C (192.168.1.4)   >>> NATS to 1.1.1.4

    Do I simply put a masquerading rule in for each server eg:

    SERVER A masquerades to WAN additional address 1.1.1.2
    SERVER B masquerades to WAN additional address 1.1.1.3
    SERVER C masquerades to WAN additional address 1.1.1.4

  • Masquerading is not what you want here, Louis.  Just use an SNAT in each case.  A masq is really meant to be used for complete subnets.  I don't think there's any sequence you can count on with masq rules like you can with the rules on the 'NAT' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the quick reply. Just to clarify:

    Let's say you have 4 PCs & 1 server on a LAN (we'll call it internal).

    The WAN has a block of 8 IPs with 1.1.1.1 as its default (1.1.1.2 - 5 as its additional IPs).

    With a masquerading rule from LAN > WAN, all PCs would appear to come from 1.1.1.1.

    If we add a server into the LAN and then DNAT into that server so that 1.1.1.2 goes to the internal server, what IP address will the server reply on? 1.1.1.1 (the masqueraded NAT for the internal LAN) or 1.1.1.2?

    Or if you DNAT into a server, e.g. 1.1.1.2 > 192.168.1.2, should you SNAT 192.168.1.2 > 1.1.1.2 as well?
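An added example, not from the thread or from Sophos: a small Python model of how a Linux conntrack-based firewall (the kind Sophos UTM is built on) translates the addresses in Louis's question, covering masquerade only, DNAT with a tracked reply, and a per-host SNAT ahead of the masquerade. It assumes first-match ordering of source-NAT rules, as in an iptables chain, and ignores ports.

```python
from dataclasses import dataclass

WAN_PRIMARY = "1.1.1.1"   # address a MASQUERADE rule stamps on outbound traffic
LAN = "192.168.1."        # internal prefix covered by the masquerade rule

@dataclass
class Rule:
    kind: str       # "DNAT", "SNAT" or "MASQ"
    match: str      # DNAT: original destination; SNAT: source host; MASQ: source prefix
    to: str = ""    # translated address (unused for MASQ)

def apply_nat(rules, src, dst, conntrack):
    """Translate one packet (src, dst) and return (new_src, new_dst).
    conntrack maps a reply's (src, dst) to what it must be rewritten to."""
    if (src, dst) in conntrack:          # reply to a tracked flow: undo the NAT
        return conntrack[(src, dst)]
    new_src, new_dst = src, dst
    for r in rules:                      # destination NAT first (PREROUTING)
        if r.kind == "DNAT" and new_dst == r.match:
            new_dst = r.to
            break
    for r in rules:                      # then source NAT, first match wins (POSTROUTING)
        if r.kind == "SNAT" and new_src == r.match:
            new_src = r.to
            break
        if r.kind == "MASQ" and new_src.startswith(r.match):
            new_src = WAN_PRIMARY
            break
    conntrack[(new_dst, new_src)] = (dst, src)   # remember how to un-NAT the reply
    return new_src, new_dst

def demo():
    """Run the cases from the thread; returns the public source address seen in each."""
    server, pc, internet = "192.168.1.2", "192.168.1.10", "203.0.113.5"  # constructed hosts
    dnat = Rule("DNAT", "1.1.1.2", server)
    snat = Rule("SNAT", server, "1.1.1.2")
    masq = Rule("MASQ", LAN)
    out, ct = {}, {}
    # Masquerade only: traffic the server itself initiates leaves as 1.1.1.1.
    out["masq_only_outbound"] = apply_nat([masq], server, internet, ct)[0]
    # DNAT 1.1.1.2 -> server: the inbound flow is tracked, so its reply is
    # un-NATted back to 1.1.1.2 even without an SNAT rule.
    ct = {}
    apply_nat([dnat, masq], internet, "1.1.1.2", ct)
    out["dnat_reply"] = apply_nat([dnat, masq], server, internet, ct)[0]
    # Per-host SNAT listed before the masquerade: the server's own new
    # connections now leave as 1.1.1.2 while the PCs still leave as 1.1.1.1.
    ct = {}
    out["snat_outbound"] = apply_nat([dnat, snat, masq], server, internet, ct)[0]
    out["pc_outbound"] = apply_nat([dnat, snat, masq], pc, internet, ct)[0]
    return out
```

Only the server's self-initiated traffic depends on the SNAT rule; replies to DNATted connections are reverse-translated by connection tracking either way.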
