Can NAT translate one external IP into another?

We have a phone server on the internal network that is configured to accept inbound connections on a particular external IP. Apparently this server is restricted to only accept connections from 1 external IP at any given time.

As we are migrating to a different external network block, I would like to allow this server to receive inbound connections from 2 different external addresses simultaneously. However, I would like the UTM to use some form of NAT trickery, if possible, so that the internal server will only ever see 1 external IP. In this way, we can seamlessly migrate users to the new external IP and ultimately disable the legacy external IP.

In the current configuration with legacy addressing, we have DNAT and SNAT set up like this:

DNAT
For traffic from: (AnyInternet)
Using service: Any
Going to: External_legacyIP
Change the destination to: Internal_PhoneSystem

SNAT
For traffic from: Internal_PhoneSystem
Using service: Any
Going to: (AnyInternet)
Change the source to: External_legacyIP


Will it work if I insert a Full NAT rule above the DNAT like this:

Full NAT
For traffic from: (AnyInternet)
Using service: Any
Going to: External_newIP
Change the destination to: Internal_PhoneSystem
Change the source to: External_legacyIP


Otherwise, is there another way to accomplish this?

Thank you

  • Hi Kevin,

    The full NAT example should do it. But you might want to restrict the ports; there's no need to expose more than necessary.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Thanks Kenneth! I will check on the ports in use and try to constrain that further as well.

    Regarding the SNAT, do you know if it will "just work" without a need to update the legacy configuration?


    For example, new traffic will flow in on the External_newIP address, be Full NAT'd to have a source of External_legacyIP, and then flow back out via the SNAT which currently assigns External_legacyIP.

    My hope is that all this NAT'ing is just cosmetic, and that the connection tracker keeps up with the actual path of the packets. In that case, seems like it may not matter what the SNAT address is during this migration period. Once finalized, I would update the SNAT rule to assign External_newIP as well.

    Thanks
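The rules in the original post and the connection-tracking question in the follow-up can be traced with a small model of how a netfilter-style NAT engine (the kind Sophos UTM's NAT is built on) handles them. This is an added example, not configuration or code from the thread or from Sophos: the addresses, the rule names and the choice of port 5060 as the service to restrict to are placeholders (assumption), and one ordered rule list stands in for the separate PREROUTING/POSTROUTING chains. The property the model exercises is the one Kevin is relying on: the NAT rules are consulted only for the first packet of a connection, and every later packet in either direction is translated from the conntrack entry, so the reply to a Full NAT'd call is de-NATed back to External_newIP without the outbound SNAT rule ever being looked at. It also shows what "Using service: Any" on the Full NAT rule does to an unsolicited packet on another port.

```python
"""Toy model of a netfilter-style NAT/conntrack engine, used to trace the
thread's DNAT, SNAT and Full NAT rules packet by packet.  Added example;
addresses, ports and rule names are placeholders (assumption), not the
poster's configuration.  One ordered rule list stands in for the
PREROUTING/POSTROUTING chains, which is enough to trace these three rules."""
from dataclasses import dataclass, replace
from typing import Optional

ANY = "*"                          # "(AnyInternet)" in the UTM rule
EXTERNAL_LEGACY = "203.0.113.10"   # External_legacyIP    (placeholder)
EXTERNAL_NEW = "198.51.100.10"     # External_newIP       (placeholder)
INTERNAL_PHONE = "10.0.0.20"       # Internal_PhoneSystem (placeholder)
SIP_PORT = 5060                    # assumed signalling port to restrict to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class NatRule:
    """DNAT if only new_dst is set, SNAT if only new_src, Full NAT if both.
    match_dport None is 'Using service: Any'."""
    name: str
    match_src: str
    match_dst: str
    match_dport: Optional[int]
    new_dst: Optional[str] = None
    new_src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.match_src in (ANY, p.src) and self.match_dst in (ANY, p.dst)
                and self.match_dport in (None, p.dport))

class NatEngine:
    """Rules are consulted only for the first packet of a connection; later
    packets in either direction are translated from the conntrack entry."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = {}            # original Packet -> translated Packet
        self.rule_hits = {r.name: 0 for r in self.rules}

    def process(self, p: Packet) -> Packet:
        if p in self.conntrack:                   # established, original direction
            return self.conntrack[p]
        for orig, translated in self.conntrack.items():
            if p == translated.reverse():         # established, reply: undo the NAT
                return orig.reverse()
        translated = p                            # NEW connection: first match wins
        for rule in self.rules:
            if rule.matches(p):
                self.rule_hits[rule.name] += 1
                translated = replace(p, dst=rule.new_dst or p.dst, src=rule.new_src or p.src)
                break
        self.conntrack[p] = translated
        return translated

def build_rules(restrict_ports: bool):
    """Full NAT for the new IP above the legacy DNAT, then the phone system's
    SNAT.  restrict_ports=False is the 'Using service: Any' setup."""
    svc = SIP_PORT if restrict_ports else None
    return [
        NatRule("fullnat_new", ANY, EXTERNAL_NEW, svc, new_dst=INTERNAL_PHONE, new_src=EXTERNAL_LEGACY),
        NatRule("dnat_legacy", ANY, EXTERNAL_LEGACY, svc, new_dst=INTERNAL_PHONE),
        NatRule("snat_phone", INTERNAL_PHONE, ANY, None, new_src=EXTERNAL_LEGACY),
    ]

def trace_inbound_call(external_ip: str, restrict_ports: bool = True):
    """Returns what the phone system sees, the reply as the caller receives
    it, and which rules fired.  Caller address is constructed."""
    eng = NatEngine(build_rules(restrict_ports))
    inside = eng.process(Packet("192.0.2.5", 40000, external_ip, SIP_PORT))
    reply = eng.process(inside.reverse())         # phone system answers
    return inside, reply, eng.rule_hits

def trace_probe(dport: int, restrict_ports: bool) -> Packet:
    """Unsolicited packet to the new IP on another port (constructed)."""
    eng = NatEngine(build_rules(restrict_ports))
    return eng.process(Packet("192.0.2.7", 50000, EXTERNAL_NEW, dport))

def trace_outbound(provider_ip: str = "198.51.100.99"):
    """Phone system initiates a connection: SNAT applies, reply is undone."""
    eng = NatEngine(build_rules(True))
    out = eng.process(Packet(INTERNAL_PHONE, SIP_PORT, provider_ip, SIP_PORT))
    return out, eng.process(out.reverse())

if __name__ == "__main__":
    for ip in (EXTERNAL_NEW, EXTERNAL_LEGACY):
        print(ip, *trace_inbound_call(ip), sep="\n  ")
    print("probe port 22, restricted:", trace_probe(22, True))
    print("probe port 22, service Any:", trace_probe(22, False))
    print("outbound:", *trace_outbound())
```

Running it shows the migrated call arriving inside as 203.0.113.10 -> 10.0.0.20 (the phone system sees only the legacy address, as intended), the reply leaving as 198.51.100.10 -> 192.0.2.5 with only `fullnat_new` ever fired, and the probe to port 22 forwarded to the phone system only in the "service Any" configuration. Two practical caveats follow from the same mechanism: with the Full NAT in place the phone system's own logs record 203.0.113.10 for every migrated caller, so any per-source blocking or auditing has to live on the UTM rather than on the server; and because the SNAT rule is only ever consulted for connections the phone system initiates, changing it to External_newIP after the migration affects outbound registrations and calls, not the inbound path.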
