NAT pool

My first post here -- apologies if this has been dealt with in the past.

I have seen some related discussion on this in the forum but does not seem to answer what I am trying to do:

On an SG appliance running UTM 9.4, I want to use 2 of our external IPs for masquerade (out of a block of /29 that we have).

As an example, to NAT 192.168.1.0/24 to a pool of 2 IPs xxx.149.196.157 and .158,  in cisco IOS I would do

access-list 1 permit 192.168.1.0 0.0.0.255  # define list 1 as the internal address block of /24

ip nat pool pool1 184.149.196.157 184.149.196.158 netmask 255.255.255.248  #  define pool1 as the 2 address pool for NAT

ip nat inside source list 1 pool pool1 overload   # do balanced NAT-ing using the two public addresses in pool1

How to achieve this in UTM 9?

Thanks



This thread was automatically locked due to age.
  • Hey S.

    I think you might find this useful. It wouldn't be balanced, though. Balancing is only achieved by multipath rules, and those only allow interfaces, not additional addresses.

    Regards - Giovani

  • Thanks for the link. Sorry for my confused use of the word "balancing". We only have one uplink (ISP) so no balancing needed.

    What I was trying is to use more than one external IP for "masquerading". What could be called "dynamic NAT with overload" which translates many internal addresses to a few external addresses with PAT done only if a dynamic 1:1 mapping is not possible.

    In iptables terms I want an SNAT with multiple --to-source addresses, but it seems UTM's UI does not allow it.
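    The allocation behaviour described in this post (a pool of public addresses, source port kept where a 1:1-style translation is free, port translation otherwise) can be modelled in a few lines. The simulator below is an added illustration, not code from the thread or from Sophos UTM; the Flow and NatPool names, the least-loaded-address ordering and the RFC 5737 documentation addresses are all assumptions made for the example. It also shows the point raised later in the thread about ephemeral port exhaustion: the number of concurrent flows one host can open to a single destination grows with the number of pool addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen before translation (constructed sample type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatPoolExhausted(Exception):
    """No free (public address, port) pair is left for this destination."""


class NatPool:
    """Many-to-few source NAT with overload, in the spirit of a Cisco
    'ip nat pool ... overload' or an iptables SNAT --to-source a-b range.
    This is a simplified model, not the UTM or kernel implementation."""

    def __init__(self, public_ips: List[str], port_range: Tuple[int, int] = (1024, 65535)):
        if not public_ips:
            raise ValueError("pool needs at least one public address")
        self.public_ips = list(public_ips)
        self.lo, self.hi = port_range
        self.bindings: Dict[Flow, Tuple[str, int]] = {}
        # A translated (ip, port) only has to be unique per destination
        # (dst_ip, dst_port); that is the tuple reply packets are matched on.
        self.used: Set[Tuple[str, int, str, int]] = set()
        self.load: Dict[str, int] = {ip: 0 for ip in self.public_ips}

    def capacity_per_destination(self) -> int:
        """Flows one destination can receive before the pool is exhausted."""
        return len(self.public_ips) * (self.hi - self.lo + 1)

    def _free(self, ip: str, port: int, flow: Flow) -> bool:
        return (ip, port, flow.dst_ip, flow.dst_port) not in self.used

    def _bind(self, flow: Flow, ip: str, port: int) -> Tuple[str, int]:
        self.bindings[flow] = (ip, port)
        self.used.add((ip, port, flow.dst_ip, flow.dst_port))
        self.load[ip] += 1
        return ip, port

    def translate(self, flow: Flow) -> Tuple[str, int]:
        """Return the (public ip, public port) this flow is translated to."""
        if flow in self.bindings:            # existing connection: same mapping
            return self.bindings[flow]
        # Spread new connections over the pool: least-loaded address first.
        order = sorted(self.public_ips, key=lambda ip: self.load[ip])
        # 1. Keep the original source port if any pool address has it free
        #    (the "dynamic 1:1" case from the post).
        if self.lo <= flow.src_port <= self.hi:
            for ip in order:
                if self._free(ip, flow.src_port, flow):
                    return self._bind(flow, ip, flow.src_port)
        # 2. Otherwise fall back to PAT: lowest free port on the least-loaded address.
        for ip in order:
            for port in range(self.lo, self.hi + 1):
                if self._free(ip, port, flow):
                    return self._bind(flow, ip, port)
        raise NatPoolExhausted(f"no free port for {flow}")

    def release(self, flow: Flow) -> None:
        """Connection closed: hand the (ip, port) back to the pool."""
        ip, port = self.bindings.pop(flow)
        self.used.discard((ip, port, flow.dst_ip, flow.dst_port))
        self.load[ip] -= 1


def flows_until_exhausted(public_ips: List[str], port_range: Tuple[int, int],
                          dst: Tuple[str, int] = ("203.0.113.10", 443)) -> int:
    """Count the distinct flows one busy internal host can open to a single
    destination before the pool runs out of (address, port) pairs."""
    pool = NatPool(public_ips, port_range)
    n = 0
    while True:
        # Constructed sample: source ports deliberately outside port_range so
        # every flow takes the PAT path.
        flow = Flow("192.168.1.50", 40000 + n, dst[0], dst[1])
        try:
            pool.translate(flow)
        except NatPoolExhausted:
            return n
        n += 1


if __name__ == "__main__":
    pool = NatPool(["198.51.100.1", "198.51.100.2"])
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        print(host, "->", pool.translate(Flow(host, 5000, "203.0.113.1", 80)))
    for ips in (["198.51.100.1"], ["198.51.100.1", "198.51.100.2"]):
        print(len(ips), "address(es):", flows_until_exhausted(ips, (1024, 1027)), "flows")
```

    Running the block with the two-address pool shows the first two hosts keeping source port 5000 on different public addresses and the third being port-translated to 1024; with the deliberately tiny port range, exhaustion arrives at 4 flows for one address and 8 for two.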

  • AFAIK it won't allow multiple addresses on a SNAT rule, so I guess it's not possible. Maybe someone else might know a way. 

    Regards - Giovani

  • I think what you need is uplink balancing, but that is not possible through a single ISP and the additional address. This is a potential feature request you can raise on Sophos Ideas.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • We do not have multiple uplinks so not trying any uplink balancing. Only want to have SNAT with multiple source addresses as below

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source x.y.z.1-x.y.z.3

     It seems UTM web interface cannot handle this. I did submit a feature request.

  • Hi, selva, and welcome to the UTM Community!

    May I ask why you want to do this - what benefit you hope to achieve?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.

    Thanks.

    Well, that's how a client's cisco router was set up (with a nat pool of 4 public IPs) and I wanted to recreate the original config as closely as possible. Having multiple IPs could help avoid ephemeral port exhaustion, but is unlikely in the setup I was working on. That said, iptables can handle it, so no real reason not to allow in UTM's UI...

    Selva

  • What is the cisco router supposed to do?  It seems to me like cisco routers are pushing stateless traffic to a stateful firewall.  Which has been a nightmare in my case.

  • It's not a Cisco and doing iptables at the command line could void the warranty.  Open a ticket with Sophos Support and see if they'll let you make a change at the command line.  There are tricks that will let you automate something after a reboot is complete.

    An alternative would be an inexpensive switch in front of the External NIC.  You then could put 4 IPs on four External NICs, use a different masq rule for each and then use Uplink Balancing to distribute the traffic over the four Interfaces.  If the switch can do VLANs, you can accomplish the same thing with a single NIC.  Will that skin your cat?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob does that have to be a layer 3 switch?