
Migrating a SNAT + DNAT rule from Arkoon FAST360 to Sophos SG: Full NAT?

At a customer site we must migrate from an Arkoon FAST360 to a SG UTM.

The customer is in Belgium and using a Mobistar internet link

The Mobistar router is using 172.16.0.1 address with the WAN eth of Arkoon/SG using 172.16.0.254 address

Some years ago some NAT rules were set up in the Arkoon to enable remote customer sites, both VPN and public IP, to connect to a web server through a special Arkoon NAT rule that was DNATing 443 to an internal web server at 192.168.200.200 (in a DMZ network) and SNATing with the address of the Mobistar router, 172.16.0.1.

It was working that way because the Mobistar router uses some unknown NAT, as it is the entry point for both private network VPN and public address sources.

 

So we've set up a Full NAT rule on the SG that is going to replace the Arkoon at the site, but with no success as of today.

Our Full NAT rule is set for the DNAT the same way as on the Arkoon, and for the SNAT with a network host defined as the Mobistar address 172.16.0.1.

When we were trying to swap the Arkoon for the Sophos SG, the SNAT part of the rule didn't seem to work, so all of the remote sites were kept out of the web server.

The SNAT part solely masquerades the destination to the Mobistar address.

Our SG is currently running 9.355, as Mobistar does not allow an SG update at the moment (usually we upgrade to 9.411).

 

Can it be a 9.355 flaw, or was my Full NAT rule not the right SG translation of what it was doing with the Arkoon FAST360?

 

Note: I'm French.

Edit: added screens of the Arkoon rule.

  • Salut, Laurent, and welcome to the UTM Community!

    You don't want a Full NAT as it is not the same thing as the combination of DNAT and SNAT:

    DNAT
    In a packet arriving at the UTM, it replaces the Destination IP with a different IP (typically, a public IP is replaced by an internal IP).

    SNAT
    In a packet leaving the UTM, it replaces the Source IP with a different IP (typically, an internal IP is replaced by a public IP).

    Full NAT
    In a packet arriving at the UTM, it replaces the Source and Destination IPs with different ones (typically, public IPs are replaced by internal IPs).

    Is it clearer explained like that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    I've added some screens of my original Arkoon rule where you can see it with both SNAT and DNAT active (there is nothing named "Full NAT").

    Do you have some advice on how to "translate" that into a UTM?

    Note: don't ask me about the Mobistar routing, as it is unknown to me. Only experiments drove me to write the Arkoon rule that way.

     

    Cheers - Laurent

  • If the public IP you would use in the SNAT is the primary IP of the External interface and you have a masquerading rule like 'DMZ (Network) -> External', you don't need the SNAT.

    First create a Network Group (I'll call it "Clients") containing "Boutiques," "Boutiques hors Belgique" and "Réseaux IPVPN."  I'll assume you have an Additional Address named "Serveur CWAS" defined on the External interface.

    DNAT : Clients -> CWAS HTTPS -> External [Serveur CWAS] (Address) : HTTPS to Serveur CWAS DMZ
    SNAT : Serveur CWAS DMZ -> Any -> Clients : from External [Serveur CWAS] (Address)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
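To make the three translations Bob defines above (and the separate DNAT and SNAT rules he proposes) concrete, here is an added Python model of a stateful NAT rule; it is not code from the thread or from Sophos. It uses the addresses quoted in the thread; the client address 10.99.0.7 and the helper names are constructed for the example.

```python
from dataclasses import dataclass, replace

# Addresses quoted in the thread; the remote-site client address is constructed.
ROUTER = "172.16.0.1"        # Mobistar router, the SNAT address in the Arkoon rule
FW_WAN = "172.16.0.254"      # WAN interface of the Arkoon / SG UTM
WEB_DMZ = "192.168.200.200"  # web server in the DMZ
CLIENT = "10.99.0.7"         # constructed remote-site client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Nat:
    """Minimal stateful NAT rule: rewrite matching packets, reverse the mapping for replies."""
    def __init__(self, match, new_dst=None, new_src=None):
        self.match, self.new_dst, self.new_src = match, new_dst, new_src
        self.flows = {}  # translated (src, dst) -> original (src, dst)

    def forward(self, pkt):
        if not self.match(pkt):
            return pkt  # rule does not apply, packet passes unchanged
        out = replace(pkt, dst=self.new_dst or pkt.dst, src=self.new_src or pkt.src)
        self.flows[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reply(self, pkt):
        # the peer answers the translated tuple; restore what the initiator expects
        orig = self.flows.get((pkt.dst, pkt.src))
        if orig is None:
            return pkt
        orig_src, orig_dst = orig
        return Packet(src=orig_dst, dst=orig_src)

def exchange(nat, first):
    """Send one packet through the rule and the peer's answer back; return both as seen."""
    as_seen_by_peer = nat.forward(first)
    answer = Packet(src=as_seen_by_peer.dst, dst=as_seen_by_peer.src)
    return as_seen_by_peer, nat.reply(answer)

def to_https(p):   # inbound traffic hitting the UTM's WAN address
    return p.dst == FW_WAN

def from_web(p):   # traffic the web server itself initiates
    return p.src == WEB_DMZ

dnat = Nat(to_https, new_dst=WEB_DMZ)                     # DNAT: server still sees the real client
snat = Nat(from_web, new_src=FW_WAN)                      # SNAT: hides the server behind the UTM
fullnat = Nat(to_https, new_dst=WEB_DMZ, new_src=ROUTER)  # Full NAT: server sees the router instead
```

Running `exchange(fullnat, Packet(CLIENT, FW_WAN))` shows the web server receiving the request from 172.16.0.1 rather than from the remote site, which is the difference between the Full NAT rule and the DNAT + SNAT pair.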
  • Thanks for your advice

     

    If I understand it well, I must forget the Full NAT and make two separate rules, one DNAT and one SNAT.

    We'll give it a try as soon as possible.

     

    I'll give you feedback when done.

     

    Cheers

    Laurent