
NAT not working when applying WAN IP address object (created by custom)

Hi all,

 

I am new to this product and have searched around the internet and this forum for a couple of days with no luck.

My problem is that NAT is not working when applying a WAN IP address object (created by custom), but it will work if I apply the WAN interface IP address (created by wizard).

My network config:

Firewall WAN interface: 100.10.10.1/24 gw 100.10.10.254

Firewall DMZ interface: 192.168.10.1/24

 

My requirement is simple: let's say, configure NAT rules for public users to access my DMZ servers:

DMZ server A: LAN IP address 192.168.10.10 NAT to 100.10.10.10 with HTTP, HTTPS and RDP services.

DMZ server B: LAN IP address 192.168.10.20 NAT to 100.10.10.20 with SSH

 

Action token:

1) Tested that the WAN IP address object is working fine on another brand of firewall

2) Traced the live log; cannot see any log related to the NAT rules

3) Re-defined the WAN and DMZ IP address objects to bind to the "any" interface

4) Created additional IP addresses for those WAN IP addresses, then applied them to the NAT rules



  • Hi  

    Not sure if I understand what you mean for Action token #3 but your DNAT rule should look similar to below image for DMZ Server B: 

    After you create the DNAT rule, make sure you toggle it ON so it turns GREEN

    If your DNAT rule is the same as above, please post snip of the Additional Addresses you created.

     

    Thanks,

    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • Hi Karlos,

     

    Thank you for the reply. My DNAT looks similar to yours, and I checked that it is turned ON.

    Do you mean that I need to create an Additional Address that will be used for NAT at "Interface & Routing" and then apply it to the NAT rules, rather than apply the WAN IP object created in "User & Definition"?

    I am sorry, I don't understand the difference between these 2 types of object. As for the NAT rules, they work when I apply my WAN interface IP, which is 100.10.10.1 (address), but other WAN IP addresses within the subnet, other than the WAN interface IP address, are not working.

    The test I did:

    Changed the WAN interface IP address from 100.10.10.1 to 100.10.10.10; then the NAT rules with this WAN IP address work, but the 100.10.10.20 NAT rules still get no response.

    Then changed the WAN interface IP address from 100.10.10.10 to 100.10.10.20; at this time the NAT rules with the 100.10.10.20 WAN IP address work, but 100.10.10.10 stops working again. Please advise.

     

    Many thanks!

  • Hi, and welcome to the UTM Community!

    Yes, using an Additional Address is the right thing. See #4 in Rulz to gain a better understanding.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Could you confirm you have the similar following 2 entries below under Interfaces & Routing > Interfaces > Additional Addresses:

    Thanks,
    Karlos

  • Thank you for the information. 

     

  • Hi Karlos,

    Yes, I have created similar additional addresses in Interfaces & Routing > Interfaces for 100.10.10.10 and 100.10.10.20, then applied the "Address" to the NAT rules, but the NAT rules are not working. And then I tried to custom-create the address definitions for those 2 WAN IP addresses and apply them to the NAT rules, but the problem persists.

    These days, I watched and found lots of videos and guides for NAT configuration on Sophos SG; unluckily, all the materials use the WAN interface IP address in the NAT rules, and none of them apply another WAN IP address like in my case.

    May I have a configuration guide on NAT that applies a WAN IP address but not the WAN interface IP address?

     

    Many thanks!!

  • Hi  

    We have a guide for DNAT setup with an additional address for Astaro Security Gateway: Astaro Security Gateway: How to Port Forward Service Ports with NAT

    Scenario 3 will apply to your situation. The instructions will be slightly different. You can disregard step 3 (Create Packet filter access). The equivalent of this is ticking the checkbox 'Automatic firewall rule' under the Action section of your NAT configuration.

    Karlos