1:1 NAT & WAF

How does 1:1 NAT work in conjunction with WAF?

Scenario:

You have a host that has multiple services on it, e.g. SMTP, POP3, IMAP, FTP, SSH & HTTP/S, which you want to expose to the web.

Now the WAF can proxy the HTTP/S so no NAT rule is needed. But what about the rest?
Should it be a multiple DNAT or a single 1:1 NAT?



  • and referring to the RULZ, it works like so:

    In general, a packet arriving at an interface is handled only by one of the following, in order (see attachment below):

    1. the connection tracker (conntrack) first
    2. then Country Blocking
    3. then DNATs
    4. then Intrusion Prevention
    5. then VPNs
    6. then Proxies (except the SMTP Proxy in Transparent mode which captures traffic forwarded by a DNAT)
    7. then manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic
    8. and, finally, Application Control.


    So in the above, I'm not quite sure where a 1:1 NAT would sit?
    Now with a DNAT (in the above order), it's quite simple. Looking back to the scenario (in the first post), you wouldn't put a DNAT for HTTP/S and you would for the rest, e.g. DNAT for FTP etc.
    So HTTP/S traffic would get to #6 (the proxies) whereas FTP would bow out at #3 (the DNATs).

    I'm assuming the 1:1 NAT would come in around the DNAT area, so in the above scenario a 1:1 NAT could probably not be used in conjunction with WAF, as the HTTP/S traffic would never hit the WAF?

  • The usage of a 1:1 NAT is not to map one single IP to another single IP, that's part of DNAT rules.

    1:1 NAT is to be used if connected networks (VPN) should be reachable over other IPs than they really have. E.g. you have a partner company B that uses 192.168.0.0/24 as its internal network, but you already have another VPN partner A that uses this network. In that case you have to use another network for partner B, let's say 10.0.0.0/24, and with 1:1 NAT you have to translate this traffic outbound and inbound, so you normally always need 2 1:1 NAT rules.

    So to the original question that would mean DNAT rules for every service except http/s. What happens if you use only one 'any service' DNAT is that the reverse proxy wouldn't be hit for http/s traffic. In that case one NONAT rule for http/s above the any rule should work, too.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Hi Kevin,

    Thanks for the reply. My understanding of it is slightly different, although I'm not saying I'm correct by any means.

    Coming from ASAs, I always thought Sophos compared to Cisco like so:

    Static NAT = 1:1 NAT
    DNAT = PAT (Port Address Translation)

    Masquerading = dynamic NAT or overloading

    Cisco says that you can map an external public IP to an internal private IP although they do state that it's not as secure as using PAT due to a static NAT opening up all ports compared to using PAT to limit the port translation.

    Shorewall have an article here:
    http://www.shorewall.net/NAT.htm

    Cisco ASA (3rd party setup) article here:
    https://www.petenetlive.com/KB/Article/0000691

    And we have the Sophos instructions here for 1:1 NAT. I do wish they would include some scenarios where you would use it rather than just explain how to do it.
    https://community.sophos.com/kb/en-us/117421

  • As Kevin says, 1-to-1 NAT in WebAdmin is a source or destination NAT mapping one subnet (like 192.168.1.0/24) to another (like 172.28.1.0/24).  It's confusing to folks with a lot of Cisco experience.

    As to your initial question, I would create a Services Group and use that with a single DNAT rule.  The end result is likely the same lines of code created by the Configuration Daemon.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
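The three DNAT layouts discussed in this thread (an "any service" DNAT on its own, Kevin's NONAT rule for http/s placed above it, and Bob's Services Group that leaves HTTP/S out), run through a small model of the processing order quoted earlier in the thread. This is an added example, not code from the thread or from Sophos; the class layout, the stage labels, the rule names and the addresses are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Services from the original question, as (proto, port) pairs.
SERVICES = {"smtp": ("tcp", 25), "pop3": ("tcp", 110), "imap": ("tcp", 143),
            "ftp": ("tcp", 21), "ssh": ("tcp", 22),
            "http": ("tcp", 80), "https": ("tcp", 443)}
ANY = frozenset(SERVICES.values())                      # "any service"
WEB = frozenset({SERVICES["http"], SERVICES["https"]})  # what the WAF proxies
NON_WEB_GROUP = ANY - WEB      # Bob's "Services Group" without HTTP/S

PUBLIC_IP, INTERNAL_HOST = "203.0.113.10", "192.168.1.10"   # constructed values

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    kind: str                  # "DNAT" or "NONAT" (assumed labels)
    dst_ip: str
    services: FrozenSet[Tuple[str, int]]
    target: str = ""           # internal host, DNAT only

def handle(pkt: Packet, rules: List[NatRule]) -> Tuple[str, str]:
    """Stage 3 of the order quoted in the thread: the first NAT rule that
    matches wins.  A DNAT hit ends processing there; a NONAT hit stops the
    NAT lookup and lets the packet continue.  Whatever is still untouched
    reaches stage 6, where HTTP/S is picked up by the WAF; the rest goes on
    to the firewall rules."""
    for rule in rules:
        if pkt.dst_ip == rule.dst_ip and (pkt.proto, pkt.dport) in rule.services:
            if rule.kind == "NONAT":
                break
            return ("DNAT", rule.target)
    if (pkt.proto, pkt.dport) in WEB:
        return ("WAF", "")
    return ("FIREWALL", "")

# The three configurations discussed in the thread.
ANY_DNAT_ONLY = [NatRule("DNAT", PUBLIC_IP, ANY, INTERNAL_HOST)]
NONAT_ABOVE_ANY = [NatRule("NONAT", PUBLIC_IP, WEB)] + ANY_DNAT_ONLY
SERVICE_GROUP = [NatRule("DNAT", PUBLIC_IP, NON_WEB_GROUP, INTERNAL_HOST)]

def outcome(config: List[NatRule], service: str) -> str:
    """Which stage finally handles a packet for `service` sent to the public IP."""
    proto, port = SERVICES[service]
    return handle(Packet(PUBLIC_IP, proto, port), config)[0]
```

With `ANY_DNAT_ONLY`, `outcome(..., "https")` comes back as `DNAT`, so the WAF is never reached; with either of the other two layouts it comes back as `WAF` while FTP, SSH and the mail ports still return `DNAT`.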
  • Hi Bob,

    Yes, it does say that in the drop-down description as well, to be fair. So what would be the exact Sophos equivalent of a Cisco static NAT?

    A DNAT (if a port was specified) would be the equivalent of a Cisco PAT.
    A DNAT (with no port specified) would be ??

  • A "Cisco static" links the two interfaces you specify, meaning inbound and outbound traffic using the same IP/interface. A static entry with a source and a destination service does automatically the PAT thing in only one config line.

    There is no "one liner" available on UTMs, to achieve this you will need a DNAT rule for the inbound and a SNAT rule for the outbound traffic. You can use the "any service" in DNAT/SNAT, so it is similar to Cisco, but in two rules / config lines. You CAN change a port in a DNAT/SNAT rule but you don't have to.

    Sometimes it isn't that important that outbound traffic leaves the same interface; in those cases you can leave out the SNAT rule. Outbound traffic will then use the interface that has "default gateway" ticked (like a "nat dynamic" entry on Cisco). For this traffic a masquerading rule is enough (mapping source networks to uplink interface(s)).

    A PNAT (I guess you mean sth. like "nat (inside,outside) source static LAN1 NAT_LAN1 destination static LAN2 LAN2") would in this case be a 1:1 NAT with LAN1 as source, LAN2 as dest. and NAT_LAN1 as source translation, plus a second rule with LAN2 as source, NAT_LAN1 as dest. and destination translation "LAN1".


    One last thing to mention is that you can't use the predefined "LAN (network)" (or whatever interface the traffic may leave), you have to create an additional network object containing the local network for the 1:1 thing to work!

    KBLAN is my internal network, but it isn't selectable as the "green", predefined object.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
