Masquerading NAT?

We have a block of 16 ipv4 public addresses.

Our network has various LANS and a couple of DMZ's.

Our main DMZ has 4 servers sitting within it, each with its own public IP NATting to it.

How do you set up masquerading for this? Is it simply:

DMZ Server A > WAN (public address A)

DMZ Server B > WAN (public address B)

DMZ Server C > WAN (public address C), etc.



  • I think you're best off using NATting as Bob mentioned; however, I think you can also use masquerading. You don't need to masquerade an entire net; you can also masquerade a single host to an additional address. If you do use this, then make sure this masq. rule is higher on the list than the masq. rule for the entire subnet, otherwise it will already be matched by the subnet masq. rule.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for the replies. I'm not doing this of course, I'm just trying to understand how the UTM works with natting.

    So if I have a Lan masqueraded as above and I then DNAT to a server on it using an additional address, what ip will the server reply on? The masqueraded ip or the dnat'd ip?

  • It will usually reply on the masq. IP. 


  • Thanks for the replies guys.

    To clarify:

    I have a WAN 1.1.1.1. It has an additional 5 ips 1.1.1.2 - 1.1.1.6

    I have 2 web servers on the lan:

    Web 1 = 192.168.1.1
    Web 2 = 192.168.1.2

    I have multiple clients on the same subnet that the above web servers are on (not ideal I know)
    These clients 192.168.1.100 - 200 masquerade from lan to wan on 1.1.1.1 to reach the internet and browse.

    I now want the webservers to be exposed to the internet and I want them to come from the address they are exposed on eg 1.1.1.2 and 1.1.1.3 rather than 1.1.1.1 (the masq ip)

    So, I create 2x DNAT:

    1.1.1.2 http >>> 192.168.1.1 (web 1)
    1.1.1.3 http >>> 192.168.1.2 (web 2)

    Now bear in mind that anything on 192.168.1.0/24 masqs to 1.1.1.1  (the web servers are on this subnet as well as the clients)

    It has been stated above that the webservers will reply on 1.1.1.1 (the masq IP) rather than the DNAT'd IPs.

    So, how do you get the webservers to reply on the DNAT'd IPs rather than the masqueraded IP?

  • I believe you can make additional MASQ rules (put before the general 192.168.1.0/24!!!)

    These should look like:

    192.168.1.1/32 MASQ to 1.1.1.2
    192.168.1.2/32 MASQ to 1.1.1.3
    192.168.1.0/24 MASQ to 1.1.1.1

    If in this order, both servers will first find the /32 masq rule and I believe this will apply; other hosts will not match the /32 rules and will only match the /24 MASQ.


  • If I understand Louis' question correctly, the connection tracker will send the response from the public IP in the DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
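The two behaviours discussed in the last two posts, first-match ordering of MASQ rules and connection-tracked replies to a DNAT, can be checked with a small simulation. The Python below is an added example, not Sophos UTM code or anything from the posters; it models an ordered SNAT table and a minimal connection tracker. The 1.1.1.x and 192.168.1.x addresses are the ones used in the thread, and the remote clients 203.0.113.5 and 198.51.100.7 are constructed values.

```python
"""Added example: first-match MASQ ordering vs. conntrack reply handling.

Addresses 1.1.1.x / 192.168.1.x are the thread's example values; the remote
client addresses 203.0.113.5 and 198.51.100.7 are constructed for this demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SnatRule:
    """A MASQ/SNAT rule: connections from `source` leave with source `to`."""
    source: ipaddress.IPv4Network
    to: ipaddress.IPv4Address


@dataclass(frozen=True)
class DnatRule:
    """A DNAT rule: traffic to public:port is forwarded to internal host `to`."""
    public: ipaddress.IPv4Address
    port: int
    to: ipaddress.IPv4Address


def rule(src, to):
    return SnatRule(ipaddress.IPv4Network(src), ipaddress.IPv4Address(to))


# Naive order: the /24 catch-all above the host-specific rules.
MASQ_SUBNET_FIRST = [
    rule("192.168.1.0/24", "1.1.1.1"),
    rule("192.168.1.1/32", "1.1.1.2"),
    rule("192.168.1.2/32", "1.1.1.3"),
]

# Order recommended in the thread: /32 rules above the /24.
MASQ_HOSTS_FIRST = [
    rule("192.168.1.1/32", "1.1.1.2"),
    rule("192.168.1.2/32", "1.1.1.3"),
    rule("192.168.1.0/24", "1.1.1.1"),
]

DNAT_RULES = [
    DnatRule(ipaddress.IPv4Address("1.1.1.2"), 80, ipaddress.IPv4Address("192.168.1.1")),
    DnatRule(ipaddress.IPv4Address("1.1.1.3"), 80, ipaddress.IPv4Address("192.168.1.2")),
]


def outbound_source(snat_rules, internal_ip):
    """Source address of a NEW outbound connection. The first matching rule
    wins, as in an ordered NAT table, so a /32 listed below a covering /24
    is never reached."""
    src = ipaddress.IPv4Address(internal_ip)
    for r in snat_rules:
        if src in r.source:
            return str(r.to)
    return str(src)  # no rule matched: the packet leaves untranslated


class ConnTracker:
    """Minimal stateful model: an inbound DNAT'd connection is recorded, and
    its reply packets are reverse-translated from that record rather than
    being run through the SNAT/MASQ rules."""

    def __init__(self, dnat_rules):
        self.dnat_rules = dnat_rules
        # (client, internal server) -> public address the client connected to
        self.table = {}

    def inbound(self, client_ip, dst_ip, dst_port):
        """Internal destination for an inbound packet, or None when no DNAT
        rule matches (the packet is then not forwarded to a LAN host)."""
        for r in self.dnat_rules:
            if str(r.public) == dst_ip and r.port == dst_port:
                self.table[(client_ip, str(r.to))] = dst_ip
                return str(r.to)
        return None

    def reply_source(self, internal_ip, client_ip, snat_rules):
        """Source address the client sees on the server's reply.
        Tracked connection: un-DNAT to the public IP the client used.
        Untracked (server-initiated) traffic: ordinary SNAT lookup."""
        public = self.table.get((client_ip, internal_ip))
        if public is not None:
            return public
        return outbound_source(snat_rules, internal_ip)


if __name__ == "__main__":
    print("web1 new outbound, /24 first:", outbound_source(MASQ_SUBNET_FIRST, "192.168.1.1"))
    print("web1 new outbound, /32 first:", outbound_source(MASQ_HOSTS_FIRST, "192.168.1.1"))
    ct = ConnTracker(DNAT_RULES)
    ct.inbound("203.0.113.5", "1.1.1.2", 80)
    print("web1 reply to DNAT client   :", ct.reply_source("192.168.1.1", "203.0.113.5", MASQ_SUBNET_FIRST))
```

Running it shows both points at once: replies to a DNAT'd connection go back from 1.1.1.2 whatever the MASQ order is, because the tracker reverses the inbound translation, while a connection the web server itself opens (updates, DNS, outbound mail) is sourced from 1.1.1.1 unless the /32 MASQ rule sits above the /24.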