
SophosUTM on AWS - NAT whilst retaining original IP

 Hi there

Trying to set up an inbound NAT rule from 0.0.0.0/0 to a server sitting inside of a VPC inside AWS on a private subnet.

I have set up the NAT rule as below and can see the traffic passing. The VPC routing inside of the VPC is set to direct traffic to the network interface of the Sophos for any traffic that is 0.0.0.0/0.

The issue is the server I have is an SFTP server, and it blocks traffic from specific IPs on repeated failed attempts, e.g. if someone tries to brute force the SFTP server it will blacklist the IP address. Therefore I need the firewall to not translate inbound traffic and retain the original WAN IP addresses that are trying to connect to the Sophos firewall. Otherwise the SFTP will block the IP address of the Sophos firewall and nobody will be able to access the SFTP server (because the SFTP server would see only the translated IP address of the Sophos).

Is it possible to do a NAT whilst retaining the original IP of the person sending traffic into our SFTP server?


  • Your NAT rule should do what you want.  If your SFTP server is not receiving the public IP of the client as the source of the packets, then the issue is in your AWS configuration.

    Just for the sake of clarity, you might want to use "Internet" instead of the "Any" object.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I can't actually even get the NAT working.

    Has anyone successfully done a NAT on AWS? I can't see any guides from Sophos either around how to do it. Surely it's possible.



  • Ahhh - I think I answered too quickly before.  Try a Full NAT instead with the source changed to "SophosSFTP (Address)."

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I got this working.

    The issue is that SophosUTM does not seem to be able to do a NAT or work properly on AWS with a 2nd interface attached, in this case an ENI. Whilst I can access the Sophos using the 2nd interface IP, I am unable to NAT traffic via it. This seems to be a bug or just straight up doesn't work.

    Instead, to be able to NAT to a second IP address, the IP address must be added as a secondary IP address to the primary ENI in AWS. Then the IP address must be added as an Additional IP Address to the ENI in the Sophos, and then a NAT can be built.

    This is something that should be investigated by the Sophos Dev team.

  • Some documentation from Sophos around this would be good. The documentation is poor and has been poor for a long time. 

  • I've moved this thread to the UTM on AWS forum.  You might PM Sachingurung to see if there's documentation about this.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • For clarification, a full NAT is required not because there's an issue with UTM, rather this is a requirement for the traffic to not be dropped by AWS as it leaves the UTM's interface. I'm not 100% sure of the reason. I used to think that AWS would block any traffic traversing the VPC whose source IP address wasn't within the network range of the VPC, or even that AWS didn't allow public IP addresses to be kept as source IP addresses within VPCs, but I've never been able to find any specific AWS documentation related to this. All I know is if you sniff the traffic with a DNAT, the traffic will leave the UTM's interface but not get to the instance. A full NAT fixes this.

    As to issues NATing with more than 1 network interface, there's no specific issues with this on UTM that I'm aware of.  If you experience issues with this again in the future, please reach out to Support so we can have a look.

    Tim
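As an added illustration (not code from the thread, Sophos or AWS), here is a small Python model of the trade-off the thread ends on: DNAT alone keeps the client's public source address, so the SFTP server's per-IP lockout only hits the offender, but per Tim's observation the packet never reaches the instance; Full NAT gets the traffic delivered, at the cost of every client arriving from the UTM's address, which is exactly the lockout problem the original poster raised. All addresses, the VPC prefix and the lockout threshold are constructed values.

```python
from collections import defaultdict

# Constructed addresses for illustration only; none come from the thread.
CLIENT_A = "203.0.113.10"      # legitimate SFTP user
CLIENT_B = "198.51.100.77"     # source that keeps failing authentication
UTM_PUBLIC_IP = "192.0.2.5"    # address clients connect to
UTM_INTERNAL_IP = "10.0.1.10"  # UTM's VPC-side (additional) address
SFTP_SERVER_IP = "10.0.2.20"   # private SFTP instance
VPC_CIDR_PREFIX = "10.0."      # VPC range, as a string prefix for simplicity
LOCKOUT_THRESHOLD = 3          # failed logins before the server blacklists a source

def dnat(pkt):
    """DNAT only: rewrite the destination, keep the client's public source IP."""
    return {**pkt, "dst": SFTP_SERVER_IP}

def full_nat(pkt):
    """Full NAT: rewrite destination and source, so the server sees the UTM."""
    return {**pkt, "dst": SFTP_SERVER_IP, "src": UTM_INTERNAL_IP}

def vpc_fabric_accepts(pkt):
    """Model of the reported behaviour: a non-VPC source never reaches the instance."""
    return pkt["src"].startswith(VPC_CIDR_PREFIX)

def run(nat, attempts, enforce_vpc_source=True):
    """Push (client_ip, login_ok) attempts through `nat` and a per-source lockout
    on the server. Returns (packets_delivered, logins_accepted, locked_sources)."""
    failures, locked = defaultdict(int), set()
    delivered = accepted = 0
    for client_ip, ok in attempts:
        pkt = nat({"src": client_ip, "dst": UTM_PUBLIC_IP, "dport": 22})
        if enforce_vpc_source and not vpc_fabric_accepts(pkt):
            continue                      # dropped between UTM and instance
        delivered += 1
        src = pkt["src"]                  # what the SFTP daemon logs and bans
        if src in locked:
            continue
        if ok:
            accepted += 1
        else:
            failures[src] += 1
            if failures[src] >= LOCKOUT_THRESHOLD:
                locked.add(src)
    return delivered, accepted, locked

# Three failures from CLIENT_B, then one valid login from CLIENT_A.
SAMPLE = [(CLIENT_B, False)] * 3 + [(CLIENT_A, True)]

if __name__ == "__main__":
    print("DNAT, AWS drops foreign source:", run(dnat, SAMPLE))
    print("DNAT if it were delivered:    ", run(dnat, SAMPLE, enforce_vpc_source=False))
    print("Full NAT:                     ", run(full_nat, SAMPLE))
```

With Full NAT the third result shows the UTM's internal address itself locked out and the legitimate login refused, so any per-IP blocking has to move to the UTM side (or the server's lockout must be keyed on something other than source address).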