SophosUTM on AWS - NAT whilst retaining original IP

Hi there

Trying to set up an inbound NAT rule from 0.0.0.0/0 to a server sitting inside a VPC in AWS on a private subnet.

I have set up the NAT rule as below and can see the traffic passing. The VPC routing inside the VPC is set to direct traffic to the network interface of the Sophos for any traffic that is 0.0.0.0/0.

The issue is the server I have is an SFTP server, and it blocks traffic from specific IPs on repeated failed attempts, e.g. if someone tries to brute force the SFTP server it will blacklist the IP address. Therefore I need the firewall to not translate inbound traffic and retain the original WAN IP addresses that are trying to connect to the Sophos firewall. Otherwise the SFTP will block the IP address of the Sophos firewall and nobody will be able to access the SFTP server (because the SFTP server would see only the translated IP address of the Sophos).

Is it possible to do a NAT whilst retaining the original IP of the person sending traffic into our SFTP server?
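The risk the question describes is worth seeing concretely: if the firewall rewrites the source address as well as the destination (UTM's "Full NAT", or a DNAT rule paired with masquerading), every client reaches the SFTP server from the firewall's internal IP, so one brute-forcer trips the server's blocklist for everyone. A plain DNAT rewrites only the destination, so the server still sees and blocks the real client. The following simulation is an added example, not Sophos or AWS code; all addresses and the fail2ban-style counter are constructed for illustration.

```python
"""Constructed simulation of DNAT-only versus DNAT+SNAT in front of a host-based
brute-force blocklist (the SFTP server behaviour described in the thread).
Added example, not Sophos or AWS code; every address below is made up."""
from collections import Counter
from dataclasses import dataclass, replace

FIREWALL_PUBLIC = "203.0.113.10"   # constructed: Sophos external (WAN) IP
FIREWALL_INTERNAL = "10.0.1.5"     # constructed: Sophos internal VPC IP
SFTP_PRIVATE = "10.0.2.20"         # constructed: SFTP server in the private subnet
MAX_FAILURES = 3                   # constructed: server's lockout threshold


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dnat(pkt, public_ip, internal_ip, port=22):
    """Destination NAT: rewrite only the destination; the source is untouched,
    so the server still sees the original client address."""
    if pkt.dst == public_ip and pkt.dport == port:
        return replace(pkt, dst=internal_ip)
    return pkt


def snat(pkt, new_src):
    """Source NAT / masquerade: the server now sees the firewall as the client."""
    return replace(pkt, src=new_src)


class BruteForceBlocklist:
    """Minimal fail2ban-style counter keyed on the source IP the server observes."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = Counter()
        self.blocked = set()

    def observe(self, src_ip, login_ok):
        if src_ip in self.blocked:
            return "blocked"
        if not login_ok:
            self.failures[src_ip] += 1
            if self.failures[src_ip] >= self.threshold:
                self.blocked.add(src_ip)
        return "allowed"


def run_scenario(masquerade):
    """One attacker fails MAX_FAILURES logins, then a legitimate user connects.
    Returns (verdict for the legitimate user, sorted list of blocked IPs)."""
    blocklist = BruteForceBlocklist(MAX_FAILURES)
    attempts = [("198.51.100.7", False)] * MAX_FAILURES + [("192.0.2.44", True)]
    verdict = None
    for client_ip, login_ok in attempts:
        pkt = Packet(client_ip, FIREWALL_PUBLIC, 22)
        pkt = dnat(pkt, FIREWALL_PUBLIC, SFTP_PRIVATE)   # inbound NAT rule
        if masquerade:
            pkt = snat(pkt, FIREWALL_INTERNAL)           # the Full NAT / SNAT case
        verdict = blocklist.observe(pkt.src, login_ok)
    return verdict, sorted(blocklist.blocked)


if __name__ == "__main__":
    print("DNAT only      :", run_scenario(masquerade=False))
    print("DNAT + SNAT    :", run_scenario(masquerade=True))
```

With DNAT only, the server blocks 198.51.100.7 and the legitimate user is still admitted; with the source rewritten, the blocked entry is 10.0.1.5 and the legitimate user is refused too. The caveat that makes DNAT-only work is the return path: the server's replies must route back through the firewall so it can undo the translation, which is exactly what the VPC route table sending 0.0.0.0/0 to the Sophos ENI provides. If the private subnet had a different default route, DNAT without SNAT would produce asymmetric traffic and the connections would fail.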
  • I got this working.

    The issue is that SophosUTM does not seem to be able to do a NAT or work properly on AWS with a 2nd interface attached - in this case an ENI. Whilst I can access the Sophos using the 2nd interface IP, I am unable to NAT traffic via it. This seems to be a bug or just straight up doesn't work.

    Instead, to be able to NAT to a second IP address, the IP address must be added as a secondary IP address to the primary ENI in AWS. Then the IP address must be added as an Additional IP Address to the ENI in the Sophos, and then a NAT can be built.

    This is something that should be investigated by the Sophos Dev team.

  • Some documentation from Sophos around this would be good. The documentation is poor and has been poor for a long time.