UTM using Masquerade not NAT

Hi,

I'm seeing some strange behaviour for NAT of DMZ traffic out to the Internet. Traffic is allowed both outbound and inbound;

There is a masquerade rule in place for the internal network;

Source: Internal_Network (10.0/8 and 192.168.0/16)
Interface: External
Use Address: <<Primary Address >> (x.x.144.58/29)

There are also specific NAT rules in place for the DMZ network above (10.10.50.0/24);

However, a tcpdump shows that HTTPS traffic out to the internet is sitting behind the Primary Address (x.x.144.58) and not the SNAT address (x.x.144.61)

<M> utm01:/root # tcpdump -v -nni eth1 host 35.156.229.155 and tcp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:20:33.243219 IP (tos 0x0, ttl 64, id 62526, offset 0, flags [DF], proto TCP (6), length 60)
x.x.144.58.39422 > 35.156.229.155.443: Flags [S], cksum 0x64d1 (incorrect -> 0x256d), seq 2987452050, win 29200, options [mss 1460,sackOK,TS val 81203884 ecr 0,nop,wscale 7], length 0
11:20:33.559246 IP (tos 0x0, ttl 39, id 0, offset 0, flags [DF], proto TCP (6), length 60)
35.156.229.155.443 > x.x.144.58.39422: Flags [S.], cksum 0x2142 (correct), seq 1583871935, ack 2987452051, win 28960, options [mss 1460,sackOK,TS val 713589850 ecr 81203884,nop,wscale 7], length 0

Any ideas what might be affecting that? I'm checking on the routing to see if there is anything that needs to be updated there.

Thanks,

Colin

  • Hi Colin and welcome to the UTM Community!

    First, a detail that's rarely important, but a good habit nonetheless.  Make all Additional Addresses /32.

    Your traffic is going out through the HTTP Proxy.  You will want a separate Profile for the DMZ and to use the instructions in How to change the outgoing interface for Web Filtering.

    To understand better why this works this way, check #2 in Rulz.  Also see Doug Foster's take on some of this: READ ME FIRST: UTM Architecture.

    You also might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for the details on that, much appreciated. I'd read through the rulz and seen a few other posts around the HTTP Proxy or web filtering. I'd added an exception to the base policy for the outbound URL but that hadn't changed anything.

    I've enabled the interface option for the Web Filtering Profiles and created a new profile for the DMZ networks that is set to allow only a specific set of subnets and will use the additional address on the External interface - image below in case anyone else needs it;


    tcpdump shows that this is working as expected now;

    <M> utm01:/root # tcpdump -nni eth1 host 35.156.229.155
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:03:34.537858 IP x.x.144.61.31047 > 35.156.229.155.443: Flags [S], seq 4176990021, win 29200, options [mss 1460,sackOK,TS val 100749208 ecr 0,nop,wscale 7], length 0
    09:03:34.841003 IP 35.156.229.155.443 > x.x.144.61.31047: Flags [S.], seq 3785050255, ack 4176990022, win 28960, options [mss 1460,sackOK,TS val 733135328 ecr 100749208,nop,wscale 7], length 0
    09:03:34.841167 IP x.x.144.61.31047 > 35.156.229.155.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 100749284 ecr 733135328], length 0


    Cheers,

    Colin
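To run the same check Colin did by eye on any capture, here is an added Python script (not from the thread, Bob, or Sophos): it parses tcpdump -n output in either the default layout or the -v layout of the first capture, counts the source addresses of outbound SYNs to a given destination, and reports any that are not the intended SNAT address. The sample captures inside it are constructed from the two tcpdumps above, with RFC 5737 addresses standing in for the anonymised x.x.144.x block.

```python
import re
from collections import Counter

# Matches the "src.port > dst.port: Flags [..]" fragment of tcpdump -n output,
# whether it follows the timestamp (default layout) or sits on the indented
# continuation line that -v produces, as in the first capture in the thread.
_CONN = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def egress_sources(capture, dst_host, dst_port=443):
    """Count source addresses of pure SYNs sent to dst_host:dst_port.
    Replies (Flags [S.]) and established traffic are ignored."""
    seen = Counter()
    for line in capture.splitlines():
        m = _CONN.search(line)
        if not m or m["dst"] != dst_host or int(m["dport"]) != dst_port:
            continue
        if m["flags"].strip() == "S":      # SYN without ACK: connection start
            seen[m["src"]] += 1
    return seen

def check_snat(capture, dst_host, expected_src, dst_port=443):
    """Return {source: count} for connections that left from an address other
    than expected_src; an empty dict means the SNAT result is as intended."""
    return {ip: n for ip, n in egress_sources(capture, dst_host, dst_port).items()
            if ip != expected_src}

# Constructed sample captures modelled on the thread's two tcpdumps. RFC 5737
# addresses replace the anonymised x.x.144.0/29 block: .58 is the primary
# address, .61 the intended SNAT address; the destination is the thread's own.
BEFORE_FIX = """\
11:20:33.243219 IP (tos 0x0, ttl 64, id 62526, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.58.39422 > 35.156.229.155.443: Flags [S], seq 2987452050, win 29200, length 0
11:20:33.559246 IP (tos 0x0, ttl 39, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    35.156.229.155.443 > 203.0.113.58.39422: Flags [S.], seq 1583871935, ack 2987452051, length 0
"""
AFTER_FIX = """\
09:03:34.537858 IP 203.0.113.61.31047 > 35.156.229.155.443: Flags [S], seq 4176990021, win 29200, length 0
09:03:34.841003 IP 35.156.229.155.443 > 203.0.113.61.31047: Flags [S.], seq 3785050255, ack 4176990022, length 0
09:03:34.841167 IP 203.0.113.61.31047 > 35.156.229.155.443: Flags [.], ack 1, win 229, length 0
"""

if __name__ == "__main__":
    for name, cap in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        bad = check_snat(cap, "35.156.229.155", "203.0.113.61")
        print(name + ":", "OK" if not bad else "leaving via " + str(bad))
```

In practice you would feed it a saved `tcpdump -nni eth1 host <dst> and tcp` capture and set expected_src to the Additional Address the DMZ should be using; a non-empty result points at traffic that is being proxied or masqueraded via the Primary Address.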
