Masquerading NAT?

We have a block of 16 ipv4 public addresses.

Our network has various LANS and a couple of DMZ's.

Our main DMZ has 4 servers sitting within it, each with its own public IP NATting to it.

How do you set up masquerading for this? Is it simply:

DMZ Server A > WAN (public address A)

DMZ Server B > WAN (public address B)

DMZ Server C > WAN (public address C)  etc etc

  • HI Louis,

    As per your query you would need to enable Proxy ARP on your appliance. Kindly follow the steps to configure the same.

    Enable proxy arp on two interfaces with the same network mask and addresses

    for example: external interface (eth4) is 157.161.161.240/27
    and the host on which you want to connect is on the DMZ interface (eth5) with the ip 157.161.161.243
    in your case proxy arp has to be enabled on sysctl like this:

    sysctl -w net.ipv4.conf.eth5.proxy_arp=1
    sysctl -w net.ipv4.conf.eth4.proxy_arp=1

    Taken from Article 115287

    https://community.sophos.com/kb/en-us/115287

    Thanks and regards 

    Aditya Patel 

    Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • I'm not sure that is what I'm after. I'll try and explain a little bit more.

    WAN (Primary) interface IP address 1.1.1.1/28

    WAN (additional addresses) 1.1.1.2 - 16

    DMZ interface address 192.168.1.1

    DMZ SERVER A (192.168.1.2)   >>> NATS to 1.1.1.2
    DMZ SERVER B (192.168.1.3)   >>> NATS to 1.1.1.3
    DMZ SERVER C (192.168.1.4)   >>> NATS to 1.1.1.4

    Do I simply put a masquerading rule in for each server eg:

    SERVER A masquerades to WAN additional address 1.1.1.2
    SERVER B masquerades to WAN additional address 1.1.1.3
    SERVER C masquerades to WAN additional address 1.1.1.4

  • Masquerading is not what you want here, Louis.  Just use an SNAT in each case.  A masq is really meant to be used for complete subnets.  I don't think there's any sequence you can count on with masq rules like you can with the rules on the 'NAT' tab.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the quick reply. Just to clarify:

    Let's say you have 4 PCs & 1 server on a LAN (we'll call it internal).

    The WAN has a block of 8 IPs with 1.1.1.1 as its default (1.1.1.2-5 as its additional IPs).

    With a masquerading rule from LAN > WAN, all PCs would appear to come from 1.1.1.1

    If we add a server into the LAN and then DNAT into that server so that 1.1.1.2 goes to the internal server, what IP address will the server reply on? 1.1.1.1 (the masqueraded NAT for the internal LAN) or 1.1.1.2?

    Or if you DNAT into a server eg 1.1.1.2 > 192.168.1.2, should you SNAT 192.168.1.2 > 1.1.1.2 as well?

  • I think you're best off using NATting as Bob mentioned, however I think you can also use masquerading; you don't need to masquerade an entire net, but you can also masquerade a single host to an additional address. If you do use this then make sure this masq. rule is higher on the list than the masq. rule for the entire subnet, otherwise it will already be valid on the subnet masq. rule.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for the replies. I'm not doing this of course, I'm just trying to understand how the UTM works with natting.

    So if I have a Lan masqueraded as above and I then DNAT to a server on it using an additional address, what ip will the server reply on? The masqueraded ip or the dnat'd ip?

  • It will usually reply on the masq. IP. 


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for the replies guys.

    To clarify:

    I have a WAN 1.1.1.1. It has an additional 5 ips 1.1.1.2 - 1.1.1.6

    I have 2 web servers on the lan:

    Web 1 = 192.168.1.1
    Web 2 = 192.168.1.2

    I have multiple clients on the same subnet that the above web servers are on (not ideal I know)
    These clients 192.168.1.100 - 200 masquerade from lan to wan on 1.1.1.1 to reach the internet and browse.

    I now want the webservers to be exposed to the internet and I want them to come from the address they are exposed on eg 1.1.1.2 and 1.1.1.3 rather than 1.1.1.1 (the masq ip)

    So, I create 2x DNAT:

    1.1.1.2 http >>> 192.168.1.1 (web 1)
    1.1.1.3 http >>> 192.168.1.2 (web 2)

    Now bear in mind that anything on 192.168.1.0/24 masqs to 1.1.1.1  (the web servers are on this subnet as well as the clients)

    It has been stated above that the webservers will reply on 1.1.1.1 (the masq ip) rather than the DNAT'd ip's.

    So, how do you get the webservers to reply on the dnat'd ip's rather than the masqueraded ip?

  • I believe you can make additional MASQ rules (put before the general 192.168.1.0/24!!!)


    These should look like:

    192.168.1.1/32 MASQ to 1.1.1.2
    192.168.1.2/32 MASQ to 1.1.1.3
    192.168.1.0/24 MASQ to 1.1.1.1

    If in this order, both servers will first find the /32 masq rule and I believe this will apply, other hosts will not apply on /32 and only apply on /24 MASQ.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • If I understand Louis' question correctly, the connection tracker will send the response from the public IP in the DNAT.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
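The two behaviours the replies above hinge on, first-match ordering of the masquerading list (the /32 host rules must sit above the /24 subnet rule) and the connection tracker un-DNATing replies so they leave from the DNAT public IP, as an added simplified model. This is example code, not Sophos UTM's implementation; it assumes first-match evaluation for new connections, and the remote addresses 203.0.113.9 and 198.51.100.5 are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class MasqRule:
    source: str  # network the rule matches, e.g. "192.168.1.1/32"
    to_ip: str   # public address that source is rewritten to


def pick_source_nat(rules, src_ip):
    """First-match walk of an ordered masquerading list: the public IP a
    NEW outbound connection from src_ip leaves with, or None if no match."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.source, strict=False):
            return rule.to_ip
    return None


def reply_source(conntrack, pkt_src, pkt_dst, rules):
    """A packet belonging to a connection the tracker already holds is
    un-DNATed (the reply leaves from the DNAT public IP); only a packet
    that starts a new connection is run through the masquerading list."""
    for (client, public_ip), internal_ip in conntrack.items():
        if pkt_src == internal_ip and pkt_dst == client:
            return public_ip
    return pick_source_nat(rules, pkt_src)


# Constructed from the thread's placeholders: 1.1.1.x is the WAN block,
# 192.168.1.0/24 is the shared LAN holding both web servers and the clients.
WRONG_ORDER = [
    MasqRule("192.168.1.0/24", "1.1.1.1"),  # subnet rule first: it always wins
    MasqRule("192.168.1.1/32", "1.1.1.2"),
    MasqRule("192.168.1.2/32", "1.1.1.3"),
]
RIGHT_ORDER = [
    MasqRule("192.168.1.1/32", "1.1.1.2"),  # host rules ahead of the subnet rule
    MasqRule("192.168.1.2/32", "1.1.1.3"),
    MasqRule("192.168.1.0/24", "1.1.1.1"),
]

# Constructed conntrack state for one DNATed HTTP connection:
# (remote client, public IP it hit) -> internal server that received it.
CONNTRACK = {("203.0.113.9", "1.1.1.2"): "192.168.1.1"}

if __name__ == "__main__":
    print(pick_source_nat(WRONG_ORDER, "192.168.1.1"))  # 1.1.1.1: /24 shadows the /32
    print(pick_source_nat(RIGHT_ORDER, "192.168.1.1"))  # 1.1.1.2
    print(reply_source(CONNTRACK, "192.168.1.1", "203.0.113.9", WRONG_ORDER))  # 1.1.1.2
```

The last call shows Bob's point: a reply on a DNATed connection comes back from 1.1.1.2 whatever the masquerading order, while a connection the web server opens itself is what the rule order decides.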