One to one NAT or assign a public IP to an interface.

Hello All,

     We decided to place our UTM 9 (SG-430) between our Cisco ASA and our Cisco 6500 Switch.

With that stated, we did not have to assign a public address on any interface. 

In essence we have been using the UTM as a secondary scrub of our network.

It also gives us more granular controls to users/network traffic (above layer 3).

We are using the Cisco ASA for S2S IPsec Connections and the Cisco AnyConnect Client.

Well, we now would like to use the UTM's VPN solutions like HTML5, client VPN, RED, etc.

Given the top level view, what implementation has been more reliable for those which may have a similar design?

1. Giving a One to One NAT assignment to the UTM (Public to Private).

2. Setting up a public IP on an interface (for VPN clients) then directing the traffic to exit the UTM's internal GW, our Core Switch.

3. ?

Both methods will get a public DNS assignment which will be pointing to their respective public IP. 



  • Hi, Mario, and welcome to the UTM Community!

    If you're not going to use IPsec, both of your methods will work.  With IPsec, 1 is possible, but not elegant.

    Your topology is not clear.  Is the UTM currently bridged between your LANs and your Cisco or do you have only a single interface defined for each internal Ethernet segment or ???

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,


    Thanks for the response and advice.

    The UTM is indeed bridged. 


    WAN Router-->ASA-->UTM-If4-->bridged to UTM-If8-->Core Switch


    I have an appointment with an engineer from the Sophos Boston office next week. I will let you folks know what the recommendation is with regards to our network.



  • In reply to marioarellano:

    Sophos engineer coming around? My guess is they will recommend the UTM on the edge and ditch the ASA (just my guess though) unless there's anything there that can't be changed.

    We moved off the ASAs (5520s) and onto active/failover SG310s on our 2 core sites.

    We have IPsec VPNs site to site, roadwarriors, multiple leased lines, DMZs, SMTP proxy, you name it, we have it. We also run the UTM in conjunction with Sophos endpoint protection (standalone, not the UTM variety as we have 1000 users).

    All in all, we're very happy with the purchase and it was far, far cheaper than Cisco. Don't get me wrong, I love our Cisco kit, routers, switches etc. but the ASA at the time just wasn't cutting it for what we wanted.

    With any product change, you will get things you like and things you miss. For me, I miss the realtime log viewer on Cisco but this is easily overcome with tcpdump and syslog.

    I've also found that once your firewall rules start getting high in terms of numbers of rules, the GUI isn't quite as clear as the Cisco although this doesn't detract from its use etc. Just takes a little while getting used to.

    So all in all, we are very happy with the UTM so don't be afraid if the Sophos engineer advises putting it on the edge instead of the engineer.

    One piece of advice though is to read the sticky on here called RULZ especially if you are going to use the more exotic stuff on the UTM eg web protection, web application firewall, smtp proxy etc. For me, rule number 2 is the one that has tripped me a few times and it's vital to know in which order connections are processed. If you read that doc and take it in, you will have a good understanding of the UTM.

  • In reply to Louis-M:



    The engineer did indeed recommend trashing the ASA...LOL


    So, as most of you would foresee/suggest, the engineer recommended LOTS of NAT.


    Other tips: 

    - Ideal to have a public address per solution (i.e. RED, SSL, HTML5*)

    * He suggested strongly NOT to use HTML5 unless it was a small group (1-10).  I administer an SG430.

    - Use the UTM's cert before using an external one.

    - If you have to have IKEv2, which UTM does not, use a spare Cisco router if available. I do not, so the ASA will eventually remain a VPN device for IKEv2 S2S connections.

    The FW/NAT/ACLs will be moved over to the UTM, if we decide to stick to it.......has been a real sore spot lately.


    Thank you folks for contributing.




  • In reply to Louis-M:

    "once your firewall rules start getting high in terms of numbers of rules, the GUI isn't quite as clear as the Cisco"

    It sounds like you might have created firewall rules like you would have in the Cisco, Louis.  If so, the GUI won't be as easy to read as was the Cisco's.  There are ways to reduce the number of rules and to create naming standards that make for an elegant rule set that's easy to search.  Someone that's doing it the first time doesn't understand enough about WebAdmin and how it works to even know to ask questions about these concepts.

    I've really been impressed with your level of knowledge and understanding and you've picked up quickly on things here.  Still, creating an elegantly-designed configuration before having a full understanding of WebAdmin is not possible.  If you've managed to do it, you are not only extremely bright, but also lucky! ;-)

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I will admit I got caught out a few times and still do with the odd bit. With the UTM doing so much ie web protection, smtp protection, web server protection etc, it is absolutely vital to understand the order of things particularly in which order packets enter and leave the UTM.

    The RULZ document that you have put together is the single most important document that you can read with this and I have to admit that I only glanced over it and that was after I fitted the UTM.

    Big mistake! Although I had the UTM up and running, there were things that I didn't understand that were happening which I believe are the most common issues that users repeatedly make with the UTM.

    For instance, the first thing to get on the internet is to create rules for DNS & web browsing as per most firewalls. This gets you up and running and then you think, I'll enable web protection and all of a sudden you can't figure out why the UTM isn't blocking certain sites and IPs etc. when you're trying to tighten things down.
    In the above case, what you should have done is not to create the FW rules to start off with as web protection allows you to surf without any FW rules. Same with the smtp proxy and web protection where you don't need DNATs for it to work.

    So for anybody keeping abreast of this thread, read the RULZ and read them again and take in those points because when things don't behave as they should, you can save yourself countless hours of scratching the head if you understand what order things are occurring.

    Back to the FW rules however Bob, I have condensed these down as much as I can and changed them countless times to do so. I'd be lost without Groups and descriptions etc.
    Unfortunately, I have to work to some documents for sign off and when you have multiple DMZs with very restrictive connections from one to the other, the FW rules can soon mount up and get hidden on different pages, e.g. only show 10 per page etc.

    Not saying it's bad, it just takes a little getting used to. It's like anything really, you will compare to what you had, the bits you like and the bits you don't and coming from a Cisco where you pay a premium price, the chances are you had a fair bit anyway.

    To the OP, I'd say go for it but read the RULZ before you do, particularly rule #2. Learn tcpdump, get a good syslog into place and definitely consider using iView. Know the difference between the Cisco and the UTM, e.g. static natting, DNAT, SNAT etc. Use the UTM features where you can, e.g. mail protection rather than DNAT to smtp server. Same with web server protection etc.

    And finally...... use this forum. It makes for a great knowledge base and you will get a very fast reply from some very knowledgeable people who have vast amounts of experience and have more than likely encountered the same issues at some stage.

    Good luck....

  • In reply to Louis-M:

    "FW rules can soon mount up and get hidden on different pages eg only show 10 per page etc"

    There are interesting choices at the top of the rules display:

    And, on the 'User Preferences' tab of 'WebAdmin Settings', you can set that as the default for all lists.

    Cheers - Bob

  • In reply to Louis-M:

    I would like to compare your network topology to mine.  I am running Sophos Endpoints on my PCs, with Sonicwall being the Gateway, and the XG 310 doing email MTA relay.  I have 4 Cisco routers behind the firewall that are managed by Datacenter CompanyXYZ as they host some production servers offsite with a trusted domain that replaces to our domain for access to Citrix servers there as well.

    I wasn't able to get everything working with the XG 310 so I installed the UTM on the XG boxes and am going to test again.

    A reverse telnet connection to a Xyplex terminal server that routes it from my lan to a server in the remote datacenter that forwards that to another server.  The firewall is supposed to convert the layer 2 traffic to layer 3 on the way to the WLAN.

  • In reply to BAlfson:

    And therefore I think you should never use an 'Automatic Firewall rule' checkbox anywhere in NAT/SSL configurations in my opinion, because the automatic rules aren't shown by default, can't be grouped to specific rule groups, etc. A reasonable firewall ruleset needs some planning and thinking, but with a bit of discipline it is also clear to other admins viewing the full rulesets.

    In complex configurations I place a 'drop any other' as the last rule in the different groups, where it makes sense. Which approach do you use, Bob? More zone-specific, like you would do it on an XG or Cisco ASA or more device (source/target) specific? That point often leads to misunderstandings at our company, my colleague comes more from the Cisco area and he uses ACLs for each interface. Seeing my wildly configured rule groups often confuses him :-D

    I tried, but I don't see a good way to group firewall rules on UTMs by zone/interface. For that I would need a subgroup feature.

  • In reply to kerobra:

    I do try to stay away from the automatic rules and yes, I have grouped them by interface too eg DMZ_1 DMZ_2 etc but when you start getting 100 rules in there, it can get a little daunting.

  • In reply to kerobra:

    I always try to use auto rules in SSL VPN Remote Access profiles - a glance at that section is all that's needed to understand who has access to what.  Same for Site-to-Site where I see some people include everything in 'Local/Remote Networks' on both sides and then regulate with Firewall rules.  I prefer multiple tunnels so that I can see everything in one place.  Only when the requirement is to limit access to specific ports do I use manual rules.

    When it comes to complex Web Protection configurations with multiple Profiles, there are multiple firewall rules that are only visible at the command line using iptables commands.

    How is a zone in Cisco-speak any different than putting "Server (Network)" and "Storage (Network)" into a group called "Infrastructure" and then creating a firewall rule 'Infrastructure -> Any -> Infrastructure : Allow'?

    Cheers - Bob