
NAT or Masquerade issue

I've installed a WSUS server on one subnet and I have workstations on another. My UTM is in between the two subnets. A third UTM interface connects to the internet. The workstations are failing to communicate with the WSUS server and I think the problem is some NATting that's going on in the UTM. The workstations show up on the WSUS server, but they all show the external IP of the UTM, rather than the internal IP of the workstations.

I don't have any specific SNAT entries for the workstations.

I do have a SNAT entry from the workstation subnet to IPv4 that uses this exact IP. My understanding is that's only applied to internet bound traffic.

I also have a masquerading rule from Any to the Internet interface. This also uses the same IP.

Any ideas where I've gone wrong?

  • If Kevin's suggestion didn't fix the issue, do you get any hints from Accessing Internal or DMZ Webserver from Internal Network?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't have any specific SNAT entries for the workstations.

    I do have a SNAT entry from the workstation subnet to IPv4 that uses this exact IP. My understanding is that's only applied to internet bound traffic.

    I also have a masquerading rule from Any to the Internet interface. This also uses the same IP.

     

    My understanding with the above:

    1. The masquerading rule will make the workstations appear as your WAN interface to the web. OK

    2. The SNAT rule to any IPV4 will make your workstations appear as that IP to your WSUS server. This looks wrong to me as you do not want that. Don't use NAT for this and create your FW rules for the WSUS ports.
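To make the point in the reply above concrete, here is a small Python model of how a three-legged firewall picks a source address for a packet. It is an added example, not Sophos UTM code or anything posted in the thread. It assumes (as iptables POSTROUTING does, and as the reply implies) that SNAT rules are checked first, top to bottom, first match wins, and masquerading only afterwards; the subnets and addresses are constructed sample values. Run it and the poster's configuration shows the WSUS server seeing the UTM's external address, while dropping the broad SNAT rule leaves the WSUS server seeing the real workstation address and internet-bound traffic still masqueraded.

```python
"""Toy model of source-NAT evaluation on a three-legged firewall.

Added example, not Sophos UTM code. Assumptions (not from the thread):
  - SNAT rules are evaluated top to bottom, first match wins, and before
    the masquerading rules (the same order as iptables POSTROUTING);
  - the addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology for the example
WORKSTATIONS = ip_network("10.10.0.0/24")   # workstation subnet, behind lan1
WSUS_NET = ip_network("10.20.0.0/24")       # WSUS server subnet, behind lan2
ANY_IPV4 = ip_network("0.0.0.0/0")          # the "Any IPv4" network object
WAN_IP = ip_address("203.0.113.10")         # the UTM's external address
WSUS_SERVER = ip_address("10.20.0.5")
INTERNET_HOST = ip_address("198.51.100.7")
WORKSTATION = ip_address("10.10.0.23")


@dataclass(frozen=True)
class SnatRule:
    """'Traffic from src going to dst gets its source rewritten to new_src'."""
    src: IPv4Network
    dst: IPv4Network
    new_src: IPv4Address
    name: str


@dataclass(frozen=True)
class MasqRule:
    """'Traffic from src leaving via out_if takes that interface's address'."""
    src: IPv4Network
    out_if: str
    name: str


def egress_interface(dst: IPv4Address) -> str:
    """Routing decision of the toy UTM: two connected subnets, default route to WAN."""
    if dst in WORKSTATIONS:
        return "lan1"
    if dst in WSUS_NET:
        return "lan2"
    return "wan"


def translate(src: IPv4Address, dst: IPv4Address,
              snat_rules: List[SnatRule],
              masq_rules: List[MasqRule]) -> Tuple[IPv4Address, Optional[str]]:
    """Return (source address the destination sees, name of the rule that set it)."""
    out_if = egress_interface(dst)
    for rule in snat_rules:                 # SNAT: matched on source and destination only
        if src in rule.src and dst in rule.dst:
            return rule.new_src, rule.name
    for rule in masq_rules:                 # masquerade: matched on source and egress interface
        if src in rule.src and out_if == rule.out_if:
            return WAN_IP, rule.name
    return src, None                        # no NAT applied: destination sees the real source


MASQ = [MasqRule(ANY_IPV4, "wan", "Masq Any -> Internet")]
BROAD_SNAT = [SnatRule(WORKSTATIONS, ANY_IPV4, WAN_IP, "SNAT Workstations -> Any IPv4")]


def seen_by(snat_rules: List[SnatRule], masq_rules: List[MasqRule]) -> Tuple[str, str]:
    """Source address the WSUS server and an internet host each see for one workstation."""
    wsus_view, _ = translate(WORKSTATION, WSUS_SERVER, snat_rules, masq_rules)
    internet_view, _ = translate(WORKSTATION, INTERNET_HOST, snat_rules, masq_rules)
    return str(wsus_view), str(internet_view)


def poster_config() -> Tuple[str, str]:
    """The configuration described in the thread: SNAT to Any IPv4 plus masquerading."""
    return seen_by(BROAD_SNAT, MASQ)


def fixed_config() -> Tuple[str, str]:
    """The reply's fix: drop the SNAT rule and keep masquerading for internet-bound traffic."""
    return seen_by([], MASQ)


if __name__ == "__main__":
    print("SNAT to Any IPv4 present  (WSUS sees, internet sees):", poster_config())
    print("SNAT removed              (WSUS sees, internet sees):", fixed_config())
```

The model shows why "Any IPv4" is the problem: the WSUS subnet is inside 0.0.0.0/0, so the SNAT rule matches the LAN-to-LAN traffic before the interface-bound masquerade is ever consulted. With the SNAT rule gone, the masquerade still applies to anything routed out the WAN interface, which is the only traffic that needed it.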
