
DMZ network, separate interface, cross contamination??

I am trying to set up a 2nd LAN on my UTM. It's for someone's offsite location. It uses a separate internal NIC and I want to give it a specific static public IP.

I've followed multiple articles about setting up DMZs but I'm still getting cross contamination of the traffic.

Are there any decent articles that explain the whole process?

I've tried using DNAT & SNAT, Full NAT, auto FW rules on and off, creating FW rules to block traffic between the 2 networks...

I can still ping the other network on both sides even with all ICMP options disabled.

I do not have the DMZ network added to Web filtering or IPS.

Do I also need to set up a Multipath rule?

Thanks

 

JK



  • Hi JK,

    I am unable to understand your requirement. What is it that you are trying to achieve? Are you looking for a setup where both LANs should be separate and should not allow communication between the two?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • OK, so we have a network using Sophos UTM. But we just added a friend's server for their offsite server. It's got its own NIC and is on a different subnet.

    Basically I want all traffic from a public IP to go to their router, but I don't want traffic to cross between their network and ours, which it's doing now both ways.

    JK

  • What is the best NAT type to use for my situation? Is there any way to set up the 2nd internal NIC, which their Draytek's WAN port connects to, to work as if it's directly connected to the WAN IP, i.e. no NATing?

  • This is still confusing, John - why would you want to connect the Draytek's WAN port to an internal NIC?

    If I understand your situation, I would do the following:

    • Put an Additional Address on the External interface named, e.g., "Client"
    • Add a DMZ Interface for the client's server
    • Make a Host definition for the client's server named, e.g., "Client's Server" - be careful to obey #3 in Rulz.
    • Assuming that the client's traffic will all come from a limited number of IPs, make a Host/Network definition for that named, e.g., "Client's IPs"
    • Make a NAT rule: 'DNAT : Client's IPs -> Any -> External [Client] Address : to Client's Server : Automatic firewall rules'
    • You will want a masq rule like 'DMZ (Network) -> External [Client]' and a firewall rule like 'Client's Server -> Any -> Internet : Allow'
    • Be sure to change your current firewall rules to use "Internet" instead of the "Any" network object - this prevents "Internal (Network)" from reaching the client's server.

    Is that what you're trying to accomplish?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
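The last step in Bob's list is the one that stops the cross contamination: an "Internal -> Any -> Allow" rule also matches the DMZ, while "Internet" excludes every directly connected network. The following is an added illustration, not code from the thread or from Sophos; it is a simplified first-match model of UTM rule evaluation with constructed RFC 5737 addressing, and a hypothetical host "Client's Server".

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # Internal (Network)
DMZ      = ipaddress.ip_network("192.168.2.0/24")   # DMZ (Network), client's server lives here
EXTERNAL = ipaddress.ip_network("203.0.113.0/24")   # External interface subnet (TEST-NET-3)
BOUND    = [INTERNAL, DMZ, EXTERNAL]                 # every directly connected network
CLIENT_SERVER = ipaddress.ip_address("192.168.2.10")  # hypothetical "Client's Server" host

def matches(obj, addr):
    """Simplified network-object semantics: 'Any' matches everything;
    'Internet' matches only addresses that are NOT on a bound interface
    network (i.e. traffic that has to leave via the external interface);
    any other object is a plain CIDR match."""
    if obj == "Any":
        return True
    if obj == "Internet":
        return not any(addr in net for net in BOUND)
    return addr in obj

def evaluate(rules, src, dst):
    """First-match evaluation; no matching rule means the default drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action
    return "DROP"

# Rule set that leaks between the two networks: both sides allowed to "Any".
RULES_ANY = [(INTERNAL, "Any", "ALLOW"), (DMZ, "Any", "ALLOW")]
# Bob's suggested change: allow each side to "Internet" only.
RULES_INTERNET = [(INTERNAL, "Internet", "ALLOW"), (DMZ, "Internet", "ALLOW")]

def cross_contamination(rules):
    """Return the verdicts for (internal->dmz, dmz->internal, internal->internet)."""
    return (
        evaluate(rules, "192.168.1.20", str(CLIENT_SERVER)),
        evaluate(rules, str(CLIENT_SERVER), "192.168.1.20"),
        evaluate(rules, "192.168.1.20", "198.51.100.7"),   # a host out on the Internet
    )

if __name__ == "__main__":
    print("Any     :", cross_contamination(RULES_ANY))       # all three ALLOW
    print("Internet:", cross_contamination(RULES_INTERNET))  # DMZ traffic dropped, Internet still ALLOW
```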