
Effective Masquerading Rule

Hello,

Could anyone help me understand the concept of Masquerading rules? I am not able to wrap my mind around what exactly they do.

Also what is the most effective rule to apply for RED networks when running in either split or unified mode?

Thanks a ton!



  • Do the following Google search and select the first link...

    site:community.sophos.com/products/unified-threat-management/f masquerading rule

    You must also have a masq rule for the network behind the RED in unified mode.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • So, essentially Masquerading is another form of SNAT.

    However, in my setup, internet connectivity doesn't get established for a RED (working in split mode) network until we define an MSQ rule. It would make sense (at least to me) to define the MSQ rule when the RED is working in unified mode, but not in split mode. Could you please explain?

    Thanks!

  • If the Split mode configuration includes any public IP (or all of them as with the "Internet IPv4" object), then a SNAT or masq is needed so that the packet leaves the WAN interface with an IP routable on the Internet.

    If you need a masq/SNAT for traffic coming from the RED tunnel and going to an internal IP, then you have an error in your configuration somewhere. See #3 through #5 in Rulz.

    Cheers - Bob

  • Hello Bob,

    Currently my RED 01 (HQ) network is configured in Split mode with the following assets in Split Networks box:

    1. Internal network

    2. Windows Server 2012 (which is connected to the RED 02 network).

    Since RED 01 is working in split mode, shouldn't I be able to surf a website, let's say www.google.com, without defining an MSQ rule?

    As per my understanding, in split mode all internet activities should go straight out of the RED 01 network to whatever public IP I am trying to access, with RED 01's public IP (provided by the ISP) as the source address. Right? If that is the case, then why define an MSQ rule to convert the RED 01 traffic's source address to the WAN address? What is the point of split mode then?


    Thanks,

  • In Split, you don't need a masq rule for the subnet behind the RED unless there are public IPs in the tunnel. With just "Internal (Network)" in the tunnel, no masq should be needed.

    If you need a masq rule into your LAN like '{RED subnet} -> Internal', then you have an error in your configuration.

    Cheers - Bob

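The split-versus-unified distinction Bob describes above, as an added illustration that is not part of the original thread and not Sophos's own code. It models a masquerading rule the way the thread does, as a form of SNAT: "source network -> outgoing interface" rewrites the packet's source to that interface's own address when the packet leaves through it. All addresses (the 192.168.10.0/24 Internal network, the 10.20.0.0/24 RED LAN, the 203.0.113.5 WAN address) and the function names are constructed for the example; the "Internet IPv4" object is modelled as 0.0.0.0/0.

```python
"""Trace a packet from a RED-side host through a Sophos UTM in split or
unified mode and show when a masquerading (SNAT) rule changes its source.

Illustration added to the thread; addressing is constructed, not real."""
from ipaddress import ip_address, ip_network

# Constructed addressing (assumed for the example, not from the original post)
INTERNAL_NET = ip_network("192.168.10.0/24")   # "Internal (Network)" behind the UTM
RED_NET      = ip_network("10.20.0.0/24")      # LAN behind the RED appliance
INTERNET_V4  = ip_network("0.0.0.0/0")         # the "Internet IPv4" object
IFACE_ADDR   = {                               # UTM interface addresses
    "internal": ip_address("192.168.10.1"),
    "wan":      ip_address("203.0.113.5"),     # public address from the ISP
}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (non-Internet-routable) IPv4 addresses."""
    return any(addr in net for net in RFC1918)


def in_tunnel(dst, mode, split_networks):
    """Unified: every packet from the RED LAN goes through the tunnel.
    Split: only destinations listed under 'Split Networks' do; everything
    else leaves through the RED site's own Internet connection."""
    if mode == "unified":
        return True
    return any(dst in net for net in split_networks)


def egress_interface(dst):
    """Routing decision on the UTM for a packet that arrived via the RED."""
    return "internal" if dst in INTERNAL_NET else "wan"


def forward_from_red(src, dst, mode, split_networks, masq_rules=()):
    """Trace one packet from a host behind the RED.

    masq_rules: iterable of (source_network, outgoing_interface); the first
    rule whose network contains src and whose interface is the egress
    interface rewrites src to that interface's address (masquerading).
    Returns whether the packet was tunneled, the egress interface, the
    source after NAT, and whether that source is usable where it goes."""
    src, dst = ip_address(src), ip_address(dst)
    if not in_tunnel(dst, mode, split_networks):
        # Local breakout at the RED site: the UTM never sees this packet.
        return {"tunneled": False, "egress": None, "src": src, "routable": None}
    iface = egress_interface(dst)
    for net, out_iface in masq_rules:
        if src in net and out_iface == iface:
            src = IFACE_ADDR[out_iface]
            break
    # Private sources are fine on the LAN; on the WAN they are not routable.
    routable = iface == "internal" or not is_rfc1918(src)
    return {"tunneled": True, "egress": iface, "src": src, "routable": routable}


def masq_rule_needed(mode, split_networks):
    """Bob's rule of thumb: unified mode always needs a masq rule for the RED
    subnet; split mode only if a split network contains public IPs (such as
    the 'Internet IPv4' object)."""
    if mode == "unified":
        return True
    return any(not any(net.subnet_of(p) for p in RFC1918)
               for net in split_networks)


if __name__ == "__main__":
    masq = [(RED_NET, "wan")]   # the '{RED subnet} -> External' masq rule
    # Split mode, only Internal in the tunnel: reaches the LAN without masq.
    print(forward_from_red("10.20.0.7", "192.168.10.50", "split", [INTERNAL_NET]))
    # Split mode, Internet IPv4 in the tunnel, no masq: leaves WAN with a 10.x source.
    print(forward_from_red("10.20.0.7", "8.8.8.8", "split", [INTERNET_V4]))
    # Same with the masq rule: source becomes the WAN address.
    print(forward_from_red("10.20.0.7", "8.8.8.8", "split", [INTERNET_V4], masq))
```

The third trace is the situation the thread keeps coming back to: once a public destination is inside the tunnel (or the RED is in unified mode), the packet reaches the UTM with a private source and must be masqueraded to the WAN address before it leaves, while RED-to-Internal traffic needs no rewrite at all.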
  • Hey Bob!

    I would really appreciate if you could take look at the two attached images.

    Internet access on VJPL network only works if we define the MSQ rule. What could we be doing wrong?


    Thanks a ton!!
