
WAF & NAT

Information only

We had an interesting one today. We use WAF for access to our Remote Desktop Gateway servers from the internet. Works fine.

We also have another connection from a partner service via a 100mb leased line. As it's sort of trusted, we thought we would use NAT to reach the same RDS gateway

Like so:
Internet > WAF > RDS Gateway 1
Partner Service > DNAT > RDS Gateway 1

Not so. The 2nd interface didn't work. It showed as working in the firewall, i.e. the NAT and FW rules were working, but we simply weren't getting a connection even though we could traceroute & ping.

Changing the 2nd interface to WAF worked straight away.

Like so:

Internet > WAF > RDS Gateway 1
Partner Service > WAF > RDS Gateway 1


So, a bit of a learning curve: don't mix WAF with NAT if going to the same destination, even if the sources are different.



  • Louis, I'm not understanding your notation. You should have no problem NAT'ing certain public IPs past WAF, but I can't tell what you did.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    just to clarify (IPs made up):


    1.1.1.1 > WAF > 10.0.0.1
    2.2.2.2 > DNAT > 10.0.0.1

    The above didn't work as expected.


    1.1.1.1 > WAF > 10.0.0.1
    2.2.2.2 > WAF > 10.0.0.1

    Did work.

  • I still don't understand, Louis - it wasn't the IPs. I don't get where you are doing what.

    Cheers - Bob

  • 1.1.1.1 > WAF > 10.0.0.1
    2.2.2.2 > DNAT > 10.0.0.1

    The above didn't work as expected. Top line (using WAF) works fine. RDS gateway (10.0.0.1) was reachable from the internet (1.1.1.1).

    For our 2.2.2.2 outside interface (100mb leased line), we put a DNAT rule using https to 10.0.0.1. Firewall rules etc. were fine.

    In the FW logs, we could see the NAT rule and FW rule get passed. 10.0.0.1 didn't seem to reply (for unknown reason). The routing was fine, i.e. 2.2.2.2 could ping 10.0.0.1 and vice versa. Nothing appeared to be getting blocked and it was a bog standard DNAT setup.

    Due to it not working, we then changed to WAF (new virtual server) on 2.2.2.2 (instead of DNAT > 10.0.0.1) and it worked.
    We can only assume that DNAT didn't work due to it going to the same internal server that was already being WAF'd (albeit from a different interface, i.e. 1.1.1.1).

    To be honest, WAF is better because it allows us to specify more than one RDS gateway to use, i.e. hot standby or load balanced (whereas a DNAT would only go to one server).
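The symptom Louis describes (NAT and firewall rules matching in the logs, routing fine, but no reply from 10.0.0.1) is the classic signature of a reply that leaves the server by a different path than the request came in on. A WAF virtual server is a reverse proxy: it terminates the partner's TCP session and opens its own connection to the backend from the firewall's internal address, so the backend's reply always comes straight back to the firewall. DNAT only rewrites the destination and leaves the partner's source address (2.2.2.2) in place, so the backend's reply follows the backend's own route to 2.2.2.2, which need not be the interface the SYN arrived on. The quickest way to separate "server never answered" from "server answered but the reply went elsewhere" is a packet capture on the firewall's internal interface, looking for the SYN-ACK. The script below is an added example, not part of this thread or any Sophos tool: it parses tcpdump-style lines and reports, per client, whether the three-way handshake to the backend completed on that interface. The capture lines, the firewall's internal address 10.0.0.254 and the client ports are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed capture from the firewall's internal interface (tcpdump -ni <lan_if> host 10.0.0.1).
# Flow 1: DNAT'd partner traffic, source address 2.2.2.2 kept, SYN retransmitted, no SYN-ACK seen.
# Flow 2: WAF-proxied traffic, source is the firewall's own internal address (10.0.0.254, assumed).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 2.2.2.2.51000 > 10.0.0.1.443: Flags [S], seq 100, win 64240, length 0
12:00:02.000001 IP 2.2.2.2.51000 > 10.0.0.1.443: Flags [S], seq 100, win 64240, length 0
12:00:04.000001 IP 2.2.2.2.51000 > 10.0.0.1.443: Flags [S], seq 100, win 64240, length 0
12:00:05.000001 IP 10.0.0.254.40000 > 10.0.0.1.443: Flags [S], seq 200, win 29200, length 0
12:00:05.000400 IP 10.0.0.1.443 > 10.0.0.254.40000: Flags [S.], seq 300, ack 201, win 65535, length 0
12:00:05.000600 IP 10.0.0.254.40000 > 10.0.0.1.443: Flags [.], ack 301, win 229, length 0
12:00:05.001000 IP 10.0.0.254.40000 > 10.0.0.1.443: Flags [P.], seq 201:518, ack 301, win 229, length 317
""".splitlines()


def parse_line(line):
    """Return the addresses, ports and TCP flags of one tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def handshake_state(lines, server_ip, server_port=443):
    """Group packets by client (ip, port) and record which handshake steps were seen."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == server_ip and p["dport"] == server_port:
            key = (p["src"], p["sport"])
            if p["flags"] == "S":            # client SYN (counted, so retransmits show up)
                flows[key]["syn"] += 1
            elif p["flags"] == ".":          # final ACK of the handshake
                flows[key]["ack"] += 1
        elif p["src"] == server_ip and p["sport"] == server_port:
            key = (p["dst"], p["dport"])
            if p["flags"] == "S.":           # server SYN-ACK
                flows[key]["synack"] += 1
    return dict(flows)


def diagnose(flow):
    """Turn the observed handshake steps into a short troubleshooting verdict."""
    if flow["syn"] and not flow["synack"]:
        return ("no SYN-ACK on this interface after %d SYN(s): the backend is not answering here; "
                "check its return route for the client address (asymmetric routing) or a host firewall"
                % flow["syn"])
    if flow["synack"] and not flow["ack"]:
        return "SYN-ACK seen but no ACK: the reply leaves the backend but does not reach the client"
    if flow["syn"] and flow["synack"] and flow["ack"]:
        return "handshake completed"
    return "incomplete capture for this flow"


def report(lines, server_ip, server_port=443):
    """Map each client (ip, port) to a diagnosis string."""
    return {client: diagnose(flow)
            for client, flow in handshake_state(lines, server_ip, server_port).items()}


if __name__ == "__main__":
    for client, verdict in report(SAMPLE_CAPTURE, "10.0.0.1").items():
        print("%s:%d -> %s" % (client[0], client[1], verdict))
```

In the constructed capture the DNAT'd partner flow shows three SYNs and nothing back, while the WAF flow from the firewall's own address completes: that is the pattern to expect if the backend's reply to 2.2.2.2 is being routed out through some other gateway. Fixing it would mean giving the backend a route for the partner's address back via the firewall, or using the WAF as Louis did; the script only tells you which of the two failure modes you are looking at.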

  • Americans and English - two peoples separated by a common language. ;-)

    Maybe pictures of what you're describing, Louis? WAF, DNAT, etc.

    Instead of a plain NAT, you could use Server Load Balancing, which is just a specialized version of working with the INPUT stream like DNAT does. You also have more control over balancing than with WAF.

    Cheers - Bob
