Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 7933 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Natting & web protection

Louis-M

Best practice question:

If I have a block of 16 ip's and use them for various servers. Some are accessed via DNAT (the non standard ports) and some are accessed via WAF (the web based apps etc)

We have web filtering going on too and masquerading, like so:

10.1.100.0/24 masquerades to x.x.x.100 (default wan ip)

10.1.100.200 (SERVER A) DNAT's from x.x.x.101

The above server will masquerade to x.x.x.100

So, is it good practive to put an SNAT in here so that anything going out from SERVER A appears to come from x.x.x.101 rather than x.x.x.100 (masqueraded ip)



This thread was automatically locked due to age.
  • 0

    I'm confused Louis...

    Any traffic processed by Web Filtering will go to the WAN port with the Primary IP of the Interface.  10.1.100.200 will no longer be the source IP of the packet, so no SNAT rule will apply to that traffic as it will to unproxied traffic from 10.1.100.200.

    On 02-June-2017, How to change the outgoing interface for Web Filtering appeared, so it is now possible to assign different public IPs to different Profiles.  In this way, you could create a Web Filtering Profile for 10.1.100.200 and assign x.x.x.101 to that Profile.

    I do like the idea of having all traffic coming and going using the same IP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Sorry Bob,

    let me try and clarify. Lets take a non standard port say tcp 20000

    So, 20000 tcp DNAT's to 10.1.100.101 (public ip 1.1.1.2)

    10.1.100.0/24 masquerades to (1.1.1.1) and web filtering goes to the same (1.1.1.1)

     

    Because the non standard port is DNATing  from 1.1.1.2, without a SNAT, traffic will appear to come from 1.1.1.1
    Should an SNAT be put in to make the traffic come from 1.1.1.2 or should we just leave the masquerade in?

    Basically with multiple public ip's, if you put a DNAT in, is it best practice to put a corresponding SNAT in?

  • 0 in reply to Louis-M

    If there's a reason, yes, but I otherwise like to keep things simple.  I'd do it with a mailserver or a server dedicated to a single customer or ...

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML