NAT pool

My first post here -- apologies if this has been dealt with in the past.

I have seen some related discussion on this in the forum, but it does not seem to answer what I am trying to do:

On an SG appliance running UTM 9.4, I want to use 2 of our external IPs for masquerade (out of a block of /29 that we have).

As an example, to NAT 192.168.1.0/24 to a pool of 2 IPs xxx.149.196.157 and .158, in Cisco IOS I would do

access-list 1 permit 192.168.1.0 0.0.0.255
! define list 1 as the internal address block of /24
ip nat pool pool1 184.149.196.157 184.149.196.158 netmask 255.255.255.248
! define pool1 as the 2-address pool for NAT
ip nat inside source list 1 pool pool1 overload
! do balanced NAT-ing using the two public addresses in pool1 (the pool name here must match the pool defined above)

How do I achieve this in UTM 9?

Thanks
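As an added illustration (not code from the post, from Cisco or from Sophos), here is a small Python model of what the three IOS lines above express: the access list decides which inside sources get translated, the pool supplies the global addresses, and "overload" means many inside flows share one global address by being given distinct source ports. The round-robin choice between the two pool addresses and the 1024-65535 port range are assumptions of this model, not a statement of how IOS or UTM actually picks them; the inside block and pool addresses are the ones from the post.

```python
import ipaddress
from itertools import cycle

# Constructed values taken from the post: inside block (access-list 1) and the two-address pool.
INSIDE_LIST = ipaddress.ip_network("192.168.1.0/24")
POOL = ["184.149.196.157", "184.149.196.158"]
PORT_RANGE = range(1024, 65536)  # assumption: translated source ports handed out per pool address


class PatOverload:
    """Toy model of 'ip nat inside source list 1 pool pool1 overload' (not Cisco's code)."""

    def __init__(self, inside_list, pool, port_range=PORT_RANGE):
        self.inside_list = inside_list
        self.pool = list(pool)
        self.ports = {addr: iter(port_range) for addr in self.pool}  # free ports per address
        self.pick = cycle(self.pool)  # assumption: new flows alternate between pool addresses
        self.table = {}    # (inside_ip, inside_port, dst) -> (global_ip, global_port)
        self.reverse = {}  # (global_ip, global_port, dst) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst):
        """Translate an inside->outside flow; dst is an (ip, port) tuple. None = not NATed."""
        if ipaddress.ip_address(src_ip) not in self.inside_list:
            return None  # not permitted by access-list 1, so the flow leaves untranslated
        key = (src_ip, src_port, dst)
        if key in self.table:
            return self.table[key]  # an existing translation is reused, as in the NAT table
        for _ in self.pool:  # try each pool address at most once
            addr = next(self.pick)
            port = next(self.ports[addr], None)
            if port is not None:  # this address still has a free port
                self.table[key] = (addr, port)
                self.reverse[(addr, port, dst)] = (src_ip, src_port)
                return addr, port
        raise RuntimeError("NAT pool exhausted: every port on every pool address is in use")

    def inbound(self, global_ip, global_port, src):
        """Map a reply arriving from outside back to the inside host; None = no entry, drop."""
        return self.reverse.get((global_ip, global_port, src))
```

The `inbound` lookup is the part that matters for a firewall: a packet from outside that matches no existing translation has nowhere to go and is dropped, which is why replies must come back to the same global address and port that the outbound flow was given.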



  • My experience with Sophos support has been pathetic, so I'll pass on that.

    This is my first and very likely last Sophos appliance for clients[*], so I'll either do some such hackery if/when it hurts. I wish I could wear my sysadmin hat without fear of losing warranty. I'm surprised that UTM has no officially sanctioned CLI.

    Thanks for taking time to comment.

    [*] The free UTM license is great for home use though...

  • More than likely off topic, but sometimes people say the right thing and my brain goes "ding!" and then proceeds to fix something.

  • I saw an 8-port VLAN switch on NewEgg for $65 that would do the trick - not layer 3 that I know of.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have a spare HP Procurve 1810G-24 switch. If I have a Cisco Router connected to it, would I have to tag all the VLANs in the switch for the DMZ zone?

  • UTM can work with VLANs. I think the Procurve can connect to a device on an untagged port, tag the traffic and send it out on a VLAN to the DMZ port of the UTM. Is that the question you were asking?

    Cheers - Bob

  • The Router would connect to the Procurve with an IP address on the DMZ Network Interface, with 2 VPN tunnels open to keep the datacenter LAN connected if the primary router fails.

    I need to do a detailed network diagram, but it's hard to break everything down to be simple with asymmetric routing going all over the place.

    The datacenter people don't know where everything is going either; they say everything is pointed to the firewall 10.141.12.1.

    If I use the Procurve in a DMZ it would be between the R2 router and the Firewall.

  • Let me say this in different words to see if I'm understanding correctly...

    In the location on the left, there's a bunch of wireless LANs connected to "R3 Router" and "R-1 Router" via ???.

    In the location on the right, "R1 Router" and "R2 Router" connect to the Sophos. Do you want to replace those two routers with the Sophos? What is the purpose of the Sophos if it sits in the DMZ?

    The subnets on the left and the subnets on the right communicate with each other via site-to-site VPNs. What are the endpoints (locations and IPs) of each tunnel?

    Cheers - Bob

  • Sorry for more confusion there, I was thinking wide area LAN. Let me look at the diagram and break it down some more, maybe...

  • Does this make sense visually with the diagram above?

    The firewall is 10.141.12.1 with 6 ports configured.

    eth0 and eth3 are LAN to LAN.

    These consist of my default LAN plus 9 VLANs.

    eth1 is the DMZ for a clinic in our building to get out to the internet.

    The rest of the subnets behind the firewall are VPN connections.

    For the firewall to connect to 4 of the (WLAN) networks, it uses 10.141.12.86 as the gateway.

    -----------------------------------------------------------

    Now for the router activity connected to the current firewall that I want to duplicate on the UTM:

    Medvpn Router (10.141.12.82) connects to eth4.

    This router is set up to send all traffic to the IP gateway of the firewall at the moment, so as long as the router can reach the public IP of the firewall and from there reach the internet, it should work.

    R2 Router connects to eth5 (10.141.12.84).

    This router reaches the public IP of the firewall to go to another Router in PTC, which gives redundancy to our site in case the primary goes down (the primary is the internal router with the MPLS connection).

  • Sorry I just noticed that I hijacked this thread.

    Let me finish it quickly regarding my questions on the NAT Pool, since I am not only talking about the NAT Pool but also where to connect 2 routers that forward to a virtual router doing one essential thing: being the gateway to route 3 networks, not all 17 subnets from the diagram attached.

    They are learning 17 subnets from the bgp neighbor.

    When we do a show ip nat translation, almost all traffic goes to X.X.1.x; not all, but almost. We also have some traffic going to X.X.17.x and X.X.40.0/24.

    X.X.1.x > gateway 10.141.12.86

    X.X.17.x > gateway 10.141.12.86

    X.X.40.0 > gateway 10.141.12.86

    Now, based on my experience, the firewall will process NATs 99% of the time, provided there is no asymmetric routing and no ports being opened and closed by a program.