Cannot configure Source NAT to a Server Load Balancing server (internal) correctly in Sophos.

I want to build a system:

- 2 application servers and 2 database servers in the same VLAN 2 (subnet 10.1.1.0/24).

- Applications access the database through the database Virtual IP.

- End users are in VLAN 3 (subnet 10.1.2.0/24) and access the applications through the applications Virtual IP.

I use route mode between VLAN 2 and VLAN 3 and permit any any.

From Server 03, I can ping and access the applications (using the HTTP service to test) via the Virtual IP 10.1.1.112.

From Server 03, I can ping the database via the Virtual IP 10.1.1.145.

These are my problems:

I can ping directly from Server 1 to Server 2, Server 3, Server 4 and Server 5, but I cannot ping from Server 1 or Server 2 to the database Virtual IP (10.1.1.145).

I cannot ping or access the applications (using the HTTP service to test) from Server 4 or Server 5 via the applications Virtual IP (10.1.1.112).

What should I do to fix these problems? You can see more detail in the attachments.

 

I found a topic that talks about using SNAT for this, but I could not complete the configuration.

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/42272/internal-load-balancing

Please help me configure it. Attachment: Internet loadbalancing internal.docx



  • Hi BAlfson,

     

    Virtual IP address = virtual server in the load balancing rule.

    In this case, I have 2 app servers: IP SV1 = 10.1.1.101, IP SV2 = 10.1.1.102, Virtual Server = 10.1.1.112 (I created a host named VSV12 with IP 10.1.1.112).

    All servers are in the server network 10.1.1.0/24. All users are in the user network 10.1.2.0/24.

    All users can access the virtual server app (10.1.1.112), but other servers in the server network cannot access the virtual server app (10.1.1.112).

     

  • When 10.1.1.99 sends a packet to 10.1.1.112, it will be load balanced to 10.1.1.101 or 10.1.1.102.  The response packet will be sent directly back to 10.1.1.99 because it is in 10.1.1.0/24.  10.1.1.99 will drop the packet because it was expecting the response to come from 10.1.1.112.

    If these are web servers, you could achieve what you want using Webserver Protection, but the easiest is probably to have servers in 10.1.1.0/24 send directly to other servers instead of going through the load balancer.

    Cheers - Bob

  • Hi BAlfson,

    Webserver Protection is a good feature for load balancing, but only for web services. I want to load balance other services, not only web services. How can I do that?

  • You cannot use Load Balancing unless the Requesting and Responding devices are in disjoint subnets.  I think you might be able to use a trick with NAT though:

    SNAT : {server DMZ subnet} -> Any -> {server DMZ subnet} : from {server DMZ} (Address)

    Did that work?

    Cheers - Bob

  • Hi BAlfson,

    It really works as you guided.

    I tried another way, not using a Virtual Server that is an IP address on an interface (such as a DMZ address or an additional address). In my way, I created a virtual server host and used it in the load balancing NAT rule with an IP that is not on any interface of the firewall, and it didn't work. After that I tried to create a SNAT rule, but I could not find a way to succeed. Do you know how to configure it that way?

    Thank you so much for your help.

  • Using your example above, did you try the following?

    SNAT : {10.1.1.0/24} -> Any -> {10.1.1.0/24} : from {10.1.1.112}

    Did that work?

    Cheers - Bob

  • Hi BAlfson,

    It didn't work, but I changed it a little: {10.1.1.0/24} changed to the host 10.1.1.101/32.

    It works now. Thank you so much for your help.
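The packet flow Bob describes (the real server answers a same-subnet client directly, so the client sees a reply from the wrong address and drops it) and the effect of the SNAT rule that fixed it, as an added Python model that is not part of this thread or of Sophos UTM. It reuses the addresses from the thread (VIP 10.1.1.112, real servers 10.1.1.101 and 10.1.1.102, server subnet 10.1.1.0/24, user subnet 10.1.2.0/24); the UTM interface address 10.1.1.1, the extra server 10.1.1.99 from Bob's example and the unowned address 10.1.1.200 are assumptions. Ports and ARP are left out; the model only tracks which address a reply is sent from and to, which is all the drop depends on.

```python
"""Toy model of a Sophos UTM load-balancing VIP reached from its own subnet.

Added example; not code from the forum thread or from Sophos. Addresses follow
the thread (VIP 10.1.1.112, real servers 10.1.1.101/.102, server subnet
10.1.1.0/24, user subnet 10.1.2.0/24). The UTM interface address 10.1.1.1,
the extra server 10.1.1.99 and the unowned address 10.1.1.200 are assumptions.
Ports are omitted: each scenario uses a fresh firewall, so one flow per
(real server, translated source) pair is enough to show the effect.
"""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """UTM with a load-balancing rule (VIP -> real servers) and an optional SNAT rule."""

    def __init__(self, vip, real_servers, own_addrs, snat_from=None, snat_match=None):
        self.vip = vip
        self.own_addrs = set(own_addrs) | {vip}          # addresses the UTM itself answers for on-link
        self.snat_from = snat_from                       # rewrite matching sources to this address
        self.snat_match = ipaddress.ip_network(snat_match) if snat_match else None
        self._rr = itertools.cycle(list(real_servers))  # round-robin balancing
        self.conntrack = {}                              # (real server, translated src) -> (orig src, orig dst)

    def forward(self, pkt):
        """DNAT the request to the next real server; SNAT the source if the rule matches."""
        real = next(self._rr)
        src = pkt.src
        if self.snat_from and (self.snat_match is None or ipaddress.ip_address(pkt.src) in self.snat_match):
            src = self.snat_from
        self.conntrack[(real, src)] = (pkt.src, pkt.dst)
        return Packet(src=src, dst=real)

    def reverse(self, reply):
        """Undo both translations on a reply that actually reached the firewall."""
        orig_src, orig_dst = self.conntrack[(reply.src, reply.dst)]
        return Packet(src=orig_dst, dst=orig_src)


def client_request(client, fw, server_net, server_hosts):
    """One request from client to the VIP; returns what happens to the reply.

    'accepted': the client sees a reply from the VIP it contacted.
    'dropped':  a reply arrives, but from a real server's address, so the client discards it.
    'lost':     the real server addresses its reply to an on-link address nobody owns.
    """
    net = ipaddress.ip_network(server_net)
    fwd = fw.forward(Packet(src=client, dst=fw.vip))
    reply = Packet(src=fwd.dst, dst=fwd.src)     # the real server answers the source it saw

    if reply.dst in fw.own_addrs:
        reply = fw.reverse(reply)                # addressed to the UTM: comes back through NAT
    elif ipaddress.ip_address(reply.dst) in net:
        if reply.dst not in server_hosts:
            return "lost"                        # same subnet, but no host will answer for it
        # direct server return: same subnet, the reply bypasses the UTM entirely
    else:
        reply = fw.reverse(reply)                # off-subnet: via the default gateway, i.e. the UTM

    return "accepted" if (reply.dst == client and reply.src == fw.vip) else "dropped"


SERVER_NET = "10.1.1.0/24"
SERVER_HOSTS = {"10.1.1.99", "10.1.1.101", "10.1.1.102"}   # every host on the server VLAN
REAL_SERVERS = ["10.1.1.101", "10.1.1.102"]


def scenario(snat_from):
    """Run one user-subnet client and one server-subnet client against a fresh UTM.

    snat_from=None reproduces the original problem; "10.1.1.112" is the rule from
    the thread (SNAT 10.1.1.0/24 -> Any -> 10.1.1.0/24 from 10.1.1.112);
    "10.1.1.200" is an assumed address the UTM does not hold.
    """
    fw = Firewall("10.1.1.112", REAL_SERVERS, own_addrs={"10.1.1.1"},
                  snat_from=snat_from, snat_match=SERVER_NET)
    return {
        "user 10.1.2.50": client_request("10.1.2.50", fw, SERVER_NET, SERVER_HOSTS),
        "server 10.1.1.99": client_request("10.1.1.99", fw, SERVER_NET, SERVER_HOSTS),
    }


if __name__ == "__main__":
    for label, snat in (("no SNAT", None), ("SNAT from VIP", "10.1.1.112"),
                        ("SNAT from unowned IP", "10.1.1.200")):
        print(f"{label:22} {scenario(snat)}")
```

Two points the model makes visible. The SNAT is matched only on sources in 10.1.1.0/24, as in Bob's rule, so users on 10.1.2.0/24 keep their own address in the real servers' logs; only same-subnet clients are hidden behind the VIP. And the SNAT source has to be an address the UTM actually holds (an interface or additional address), because the real server's reply is sent to it on-link; a source the UTM does not own leaves the reply with nowhere to go, which is consistent with the poster's report that a virtual server not on any firewall interface did not work.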