NAT pool

My first post here -- apologies if this has been dealt with in the past.

I have seen some related discussion on this in the forum, but it does not seem to answer what I am trying to do:

On an SG appliance running UTM 9.4, I want to use 2 of our external IPs for masquerade (out of a block of /29 that we have).

As an example, to NAT 192.168.1.0/24 to a pool of 2 IPs xxx.149.196.157 and .158, in Cisco IOS I would do

access-list 1 permit 192.168.1.0 0.0.0.255   ! define list 1 as the internal /24 address block
ip nat pool pool1 184.149.196.157 184.149.196.158 netmask 255.255.255.248   ! define pool1 as the two-address NAT pool
ip nat inside source list 1 pool pool1 overload   ! PAT ("overload") for list 1 using the two public addresses in pool1

How to achieve this in UTM 9?

Thanks



  • I think what you need is uplink balancing, but that is not possible through a single ISP and the additional address. This is a potential feature request you can raise on Sophos Ideas.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • We do not have multiple uplinks so not trying any uplink balancing. Only want to have SNAT with multiple source addresses as below

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source x.y.z.1-x.y.z.3

    It seems UTM web interface cannot handle this. I did submit a feature request.
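    What both the IOS `overload` pool above and the iptables `SNAT --to-source a-b` range do for each new outbound connection can be modelled in a few lines. The following is an added illustration, not Sophos, Cisco or netfilter code: the pool addresses 203.0.113.x and the server 198.51.100.7 are constructed documentation addresses standing in for the thread's x.y.z.* range, the address selection is a stand-in for the kernel's jhash over source and destination, and ports are booked per public address, which is a conservative simplification (conntrack only requires the full tuple, destination included, to be unique). Running it shows the practical difference a second public address makes: the number of concurrent flows before source-port exhaustion doubles, while a given inside host talking to a given server keeps a stable public address.

```python
"""Model of source NAT over an address pool ("overload" / SNAT --to-source a-b).

Added illustration, not Sophos, Cisco or netfilter code. Each new outbound
connection from the inside network is mapped to one public address of the
pool plus a source port on that address; replies are matched back through
the same table.
"""
import ipaddress
from dataclasses import dataclass, field


class PortsExhausted(Exception):
    """The chosen public address has no free source port left."""


@dataclass
class SnatPool:
    inside: ipaddress.IPv4Network                 # traffic matched by the rule
    pool: list                                    # public addresses in the range
    ports: range = range(1024, 65536)             # assumption: ports an address hands out
    table: dict = field(default_factory=dict)     # flow -> (public_ip, public_port)
    used: dict = field(default_factory=dict)      # public_ip -> ports in use

    def _choose_public(self, src, dst):
        # Stand-in for netfilter's jhash over source and destination: the same
        # inside host talking to the same server keeps the same public address,
        # while its connections to other servers may land on other pool members.
        return self.pool[(int(src) * 0x9E3779B1 + int(dst)) % len(self.pool)]

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Return the (public_ip, public_port) the packet leaves with."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        if src not in self.inside:
            return src, src_port                  # rule does not match: unchanged
        key = (src, src_port, dst, dst_port, proto)
        if key in self.table:
            return self.table[key]                # established flow: reuse mapping
        public = self._choose_public(src, dst)
        busy = self.used.setdefault(public, set())
        # Like netfilter, keep the original source port if it is free; otherwise
        # take the first free one. Ports are tracked per public address here,
        # a conservative simplification: conntrack only requires the full tuple
        # (including destination) to be unique.
        if src_port in self.ports and src_port not in busy:
            port = src_port
        else:
            port = next((p for p in self.ports if p not in busy), None)
            if port is None:
                raise PortsExhausted(f"{public}: every source port in use")
        busy.add(port)
        self.table[key] = (public, port)
        return public, port

    def release(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Drop a flow's mapping (connection closed or conntrack entry expired)."""
        key = (ipaddress.IPv4Address(src_ip), src_port,
               ipaddress.IPv4Address(dst_ip), dst_port, proto)
        public, port = self.table.pop(key)
        self.used[public].discard(port)

    def capacity(self):
        """Concurrent flows possible before exhaustion: the point of a larger pool."""
        return len(self.pool) * len(self.ports)


def demo_pool(public_addrs, ports=range(1024, 1026)):
    """Build a pool for 192.168.1.0/24 (the inside network from the thread).

    The tiny default port range makes exhaustion visible after two flows.
    """
    return SnatPool(ipaddress.ip_network("192.168.1.0/24"),
                    [ipaddress.IPv4Address(a) for a in public_addrs], ports)


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.0/24 and 198.51.100.7 are documentation
    # ranges standing in for the x.y.z.* pool and a remote server.
    nat = demo_pool(["203.0.113.1", "203.0.113.2"])
    print("capacity with two public addresses:", nat.capacity())
    for host in range(10, 15):
        src = f"192.168.1.{host}"
        try:
            print(src, "->", nat.translate(src, 40000 + host, "198.51.100.7", 443))
        except PortsExhausted as exc:
            print(src, "-> dropped:", exc)
```

    The `demo_pool` helper shrinks the port range to two ports per address so the exhaustion case is reachable in a handful of calls; with the real default of 1024 to 65535 the arithmetic is the same, only larger.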

  • Hi, selva, and welcome to the UTM Community!

    May I ask why you want to do this - what benefit you hope to achieve?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.

    Thanks.

    Well, that's how a client's Cisco router was set up (with a NAT pool of 4 public IPs) and I wanted to recreate the original config as closely as possible. Having multiple IPs could help avoid ephemeral port exhaustion, but is unlikely in the setup I was working on. That said, iptables can handle it, so no real reason not to allow in UTM's UI...

    Selva

  • What is the Cisco router supposed to do?  It seems to me like Cisco routers are pushing stateless traffic to a stateful firewall.  Which has been a nightmare in my case.

  • It's not a Cisco and doing iptables at the command line could void the warranty.  Open a ticket with Sophos Support and see if they'll let you make a change at the command line.  There are tricks that will let you automate something after a reboot is complete.

    An alternative would be an inexpensive switch in front of the External NIC.  You then could put 4 IPs on four External NICs, use a different masq rule for each and then use Uplink Balancing to distribute the traffic over the four Interfaces.  If the switch can do VLANs, you can accomplish the same thing with a single NIC.  Will that skin your cat?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob does that have to be a layer 3 switch?

  • My experience with Sophos support has been pathetic, so I'll pass that.

    This is my first and very likely last Sophos appliance for clients[*], so either I'll do some such hackery if/when it hurts. I wish I could wear my sysadmin hat without fear of losing warranty. I'm surprised that UTM has no officially sanctioned CLI.

    Thanks for taking time to comment.

    [*] The free UTM license is great for home use though...
