
Cannot configure Source NAT to Server Load Balancing server (internal) in Sophos correctly.

I want to build a system:

- 2 application servers, 2 database servers in the same VLAN 2 (subnet 10.1.1.0/24).

- Applications access the database via the database Virtual IP.

- End users are in VLAN 3 (subnet 10.1.2.0/24) and access the applications via the application Virtual IP.

I use route mode between VLAN 2 and VLAN 3 and permit any any.

From Server 03, I can ping and access the applications (using the HTTP service to test) with Virtual IP 10.1.1.112.

From Server 03, I can ping the database with Virtual IP 10.1.1.145.

This is my problem:

I can ping directly from Server 1 to Server 2, Server 3, Server 4 and Server 5, but I cannot ping from Server 1 or Server 2 to the database Virtual IP (10.1.1.145).

I cannot ping or access the applications (using the HTTP service to test) from Server 4 or Server 5 to the application Virtual IP (10.1.1.112).

What should I do to fix this problem? You can see more detail in the attachments.

I found a topic that talks about using SNAT, but I cannot complete the configuration.

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/42272/internal-load-balancing

Please help me configure it.

Internet loadbalancing internal.docx

  • Hi, Phuoc, and welcome to the UTM Community!

    Pinging is regulated on the 'ICMP' tab of Firewall.  If you can't resolve your problem there, try #1 in Rulz.  Any luck with these suggestions?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I try to ping and access services on the virtual IP server from the server network, but I cannot.

    I can ping and access services on the virtual IP server from the user network.

    You can see more detail in the attachment. Can you help me check where I am wrong?

     

    8078.22122016.pdf

  • If you want ping requests to transit the UTM, you must select 'Gateway forwards pings.'

    Also, I don't understand "virtual IP address" in this context - what do you mean specifically?

    Cheers - Bob

  • Hi BAlfson,

     

    virtual IP address = Virtual server in the load balancing rule.

    In this case, I have 2 app servers: IP SV1=10.1.1.101, IP SV2=10.1.1.102, Virtual Server = 10.1.1.112 (I created a host named VSV12 with IP 10.1.1.112).

    All servers are in the server network 10.1.1.0/24. All users are in the user network 10.1.2.0/24.

    All users can access the Virtual Server App (10.1.1.112), but other servers in the server network cannot access the Virtual Server App (10.1.1.112).

     

  • When 10.1.1.99 sends a packet to 10.1.1.112, it will be load balanced to 10.1.1.101 or 10.1.1.102.  The response packet will be sent directly back to 10.1.1.99 because it is in 10.1.1.0/24.  10.1.1.99 will drop the packet because it was expecting the response to come from 10.1.1.112.

    If these are web servers, you could achieve what you want using Webserver Protection, but the easiest is probably to have servers in 10.1.1.0/24 send directly to other servers instead of going through the load balancer.

    Cheers - Bob

  • Hi BAlfson,

    Webserver Protection is a good feature for load balancing, but only for web services. I want to load balance other services, not only web services. How can I do that?

  • You cannot use Load Balancing unless the Requesting and Responding devices are in disjoint subnets.  I think you might be able to use a trick with NAT though:

    SNAT : {server DMZ subnet} -> Any -> {server DMZ subnet} : from {server DMZ} (Address)

    Did that work?

    Cheers - Bob

  • Hi BAlfson,

    It really works as you guided.

    I tried another way, not using a Virtual Server that is an IP address on an interface (such as the DMZ address or an additional address). In my way, I created a virtual server host and used it in the Load Balancing NAT rule with an IP that is not on any interface of the firewall, and it didn't work. After that I tried to create a SNAT rule, but I could not find a way to succeed. Do you know how to configure it that way?

    Thank you so much for your help.

  • Using your example above, did you try the following?

    SNAT : {10.1.1.0/24} -> Any -> {10.1.1.0/24} : from {10.1.1.112}

    Did that work?

    Cheers - Bob

  • Hi BAlfson,

    It didn't work, but I changed it a little: {10.1.1.0/24} changed to a host 10.1.1.101/32.

    It works now. Thank you so much for your help.
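The asymmetric-return problem Bob describes (the real server answers a same-subnet client directly, so the client sees a reply from 10.1.1.101 instead of 10.1.1.112 and drops it) and the SNAT workaround can be modelled in a few lines. This is an added illustration, not code from the thread or from Sophos UTM; the Firewall class, its round-robin DNAT and conntrack table are a simplified stand-in for what the UTM does, and the SNAT source 10.1.1.112 follows Bob's suggested rule.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the thread
VIP = "10.1.1.112"
REAL_SERVERS = ["10.1.1.101", "10.1.1.102"]
SERVER_NET = ipaddress.ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Toy model of a load-balancing DNAT rule with optional SNAT (assumed, not UTM code)."""

    def __init__(self, vip, real_servers, snat_to=None):
        self.vip, self.real, self.snat_to = vip, list(real_servers), snat_to
        self.own_addrs = {vip}          # the VIP lives on the firewall
        self.rr = 0
        self.conntrack = {}             # (translated src, real dst) -> (orig src, orig dst)

    def forward(self, pkt):
        # DNAT: client -> VIP becomes client -> one real server (round robin)
        real = self.real[self.rr % len(self.real)]
        self.rr += 1
        src = self.snat_to or pkt.src   # SNAT rewrites the source if configured
        self.conntrack[(src, real)] = (pkt.src, pkt.dst)
        return Packet(src, real)

    def reverse(self, reply):
        # Reply from the real server comes back through us: undo both translations
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.src)]
        return Packet(orig_dst, orig_src)


def client_request(client, fw):
    """Return (accepted, source seen by client) for one client -> VIP exchange."""
    out = fw.forward(Packet(client, VIP))
    reply = Packet(out.dst, out.src)   # real server answers whatever source it saw
    direct = (ipaddress.ip_address(reply.dst) in SERVER_NET
              and reply.dst not in fw.own_addrs)
    delivered = reply if direct else fw.reverse(reply)   # same subnet: bypasses firewall
    return delivered.src == VIP, delivered.src
```

A server-subnet client without SNAT gets the reply straight from 10.1.1.101 and rejects it; a 10.1.2.0/24 user, or a server-subnet client once the SNAT to 10.1.1.112 is in place, sees the reply arrive from the VIP.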
