NAT pool

My first post here -- apologies if this has been dealt with in the past.

I have seen some related discussion on this in the forum, but it does not seem to answer what I am trying to do:

On an SG appliance running UTM 9.4, I want to use 2 of our external IPs for masquerade (out of a block of /29 that we have).

As an example, to NAT 192.168.1.0/24 to a pool of 2 IPs xxx.149.196.157 and .158, in cisco IOS I would do

! define list 1 as the internal address block of /24
access-list 1 permit 192.168.1.0 0.0.0.255

! define pool1 as the 2-address pool for NAT
ip nat pool pool1 184.149.196.157 184.149.196.158 netmask 255.255.255.248

! do balanced NAT-ing using the two public addresses in pool1
ip nat inside source list 1 pool pool1 overload

How to achieve this in UTM 9?

Thanks

  • I think what you need is uplink balancing but, that is not possible through a single ISP and the additional address. This is a potential feature request you can raise on Sophos Ideas.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • We do not have multiple uplinks so not trying any uplink balancing. Only want to have SNAT with multiple source addresses as below

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source x.y.z.1-x.y.z.3

     It seems UTM web interface cannot handle this. I did submit a feature request.

  • Hi, selva, and welcome to the UTM Community!

    May I ask why you want to do this - what benefit you hope to achieve?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.

    Thanks.

    Well, that's how a client's cisco router was set up (with a nat pool of 4 public IPs) and I wanted to recreate the original config as closely as possible. Having multiple IPs could help avoid ephemeral port exhaustion, but is unlikely in the setup I was working on. That said, iptables can handle it, so no real reason not to allow in UTM's UI...

    Selva

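As an added example (not from the thread, and not UTM's, Cisco's or netfilter's own code), here is a small Python model of the stateful SNAT pool that Selva's iptables rule or the Cisco `overload` pool implements. It makes the port-exhaustion point above concrete: a NAT must give every concurrent flow toward one destination a unique (public IP, port) pair, so the number of flows one destination can absorb is bounded by the number of ephemeral ports per public address, and a second pool address doubles that ceiling. The hash-based choice of pool member, the 1024-65535 port range and all addresses are assumptions of the model, not a description of how UTM or the kernel actually allocates.

```python
"""Toy model of stateful SNAT with a pool of public source addresses.

Assumptions (not taken from the thread or any vendor documentation):
  * the NAT hands out ports 1024-65535 per public address,
  * the pool member is chosen by hashing the flow, with fallback to the
    other members when the chosen one has no ports left toward that destination,
  * all IP addresses are constructed sample values.
"""
from collections import defaultdict
import zlib

EPHEMERAL_PORTS = range(1024, 65536)   # assumption: Linux-style NAT port range
PORTS_PER_IP = len(EPHEMERAL_PORTS)    # 64512 distinct ports per public address


class SnatPool:
    """Stateful SNAT: each original flow gets one stable (snat_ip, snat_port)."""

    def __init__(self, pool):
        self.pool = list(pool)
        # original 5-tuple -> (snat_ip, snat_port)
        self.table = {}
        # (snat_ip, proto, dst_ip, dst_port) -> number of ports already handed out.
        # Uniqueness is per destination, exactly as the reply tuple must be unique.
        self.next_port = defaultdict(int)

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.table:              # known flow keeps its mapping
            return self.table[key]
        # Hash the flow to pick a pool member, then try the others in turn.
        start = zlib.crc32(f"{proto}|{src_ip}|{dst_ip}".encode()) % len(self.pool)
        for i in range(len(self.pool)):
            snat_ip = self.pool[(start + i) % len(self.pool)]
            bucket = (snat_ip, proto, dst_ip, dst_port)
            idx = self.next_port[bucket]
            if idx < PORTS_PER_IP:
                self.next_port[bucket] = idx + 1
                mapping = (snat_ip, EPHEMERAL_PORTS[idx])
                self.table[key] = mapping
                return mapping
        return None  # every pool address has run out of ports toward this destination


def concurrent_flows(pool, dst_ip="203.0.113.10", dst_port=443):
    """Open flows from fresh internal (host, port) pairs to one destination
    until the pool is exhausted; returns how many fit concurrently."""
    nat = SnatPool(pool)
    flows = 0
    host = 1
    while True:
        src_ip = f"10.0.{host >> 8}.{host & 0xFF}"   # constructed internal clients
        for src_port in EPHEMERAL_PORTS:
            if nat.translate(src_ip, src_port, dst_ip, dst_port) is None:
                return flows
            flows += 1
        host += 1


if __name__ == "__main__":
    one = concurrent_flows(["192.0.2.1"])
    two = concurrent_flows(["192.0.2.1", "192.0.2.2"])
    print(f"one public IP : {one} concurrent flows to a single destination")
    print(f"two public IPs: {two} concurrent flows to a single destination")
```

The ceiling is per destination (IP, port), which is why the exhaustion Selva mentions is mostly a concern for many clients hitting one busy service; flows to other destinations get their own port space on each pool address. For capacity planning on a real appliance, the conntrack table size and timeouts matter as much as the pool size, and the model ignores both.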
  • What is the cisco router supposed to do?  It seems to me like cisco routers are pushing stateless traffic to a stateful firewall.  Which has been a nightmare in my case.
