NAT reflection DMZ to LAN

Hi,

I would like to do a "NAT reflection" in XG, but from a DMZ (actually a guest WLAN) to LAN using the public IP, forwarding back inside to the LAN.

I have seen how LAN back into LAN is explained in https://community.sophos.com/products/xg-firewall/f/network-and-routing/73239/nat-reflection

Can it be done?

Thanks

  • Hi  

    Yes, you would be able to configure this NAT reflection (Hairpin) rule as per that community thread.

    In your situation:

    Create business application rule (DNAT/Full NAT/Load Balancing)

    • Source Zone: DMZ
    • Source Network: Any
    • Destination host/network: Public IP
    • Services: Define the services used
    • Protected Server: LAN IP of server
    • Protected Zone: LAN
    • Rewrite Source Address (masquerading): Enabled
    • Use outbound IP: LAN interface GW IP
    • Log Firewall Traffic: Enabled

    Please let me know if you have any issues.

    I will follow up with our KB team with regard to publishing an article about this.

  • In reply to FloSupport:

    Thanks for the answer!

    When I choose "Rewrite Source Address (masquerading): Enabled", I also have to choose "use outbound address". What do I choose there?

    Do I create and use the address of the FW interface for this network?

    Since it is a WLAN (a WLAN router is involved), is there a problem with the TCP connections (port 443) going back and forth?

    XG330 SFOS 17.1.3 MR-3

  • In reply to Intern Support:

    Yes, you could use the default "MASQ" definition, as this would NAT to the IP of the egress interface (LAN interface). Or you could also create a new IP host object for your LAN interface IP and use it specifically for your NAT policy.

    There shouldn't be any issues as the XG is a stateful firewall and will know where to forward the traffic to.

    Regards,

  • In reply to FloSupport:

    Thanks!

    Right now I have one forward rule for access from the internet and one for access from the WLAN, both to access the same LAN device via HTTPS. Is there any way I can make this one rule?

    Do I also need to MASQ the accept rule that allows services on the internet, like DNS, HTTPS and so on, and with what NAT policy?

    If yes, does it mean I always have to use masquerading on rules handling traffic to the internet?

    Regards

  • In reply to Intern Support:

    Hi  

    This will have to be two separate rules, as one rule is meant for outside internet users (no NAT) and one for hairpinning WLAN users (NAT).

    For internal wireless/LAN traffic that is destined for the WAN zone (internet), you will need to have masquerading enabled (NAT to your public IP). Private network IP traffic will be dropped by ISP routers.

    Regards,

  • In reply to FloSupport:

    Ok,

    Thanks

    If I would like to allow certain traffic from LAN to all the other networks, including the internet, do I have to create two rules?

    1. One for the internet, using MASQ

    2. One for all the other networks


    How do I define the internet?

    Destination Zone? WAN, I guess.

    Destination Network? #Port2 (but that's just one IP), or do I create a network range like 0.0.0.1 - 255.255.255.254?

    Sincerely


  • In reply to Intern Support:

    Hi  

    Yes, you would have to create 2 separate rules for this, as your LAN to WAN firewall rule will need to have masquerading enabled, while your LAN to other local zones (DMZ/LAN) rule will not.

    • Destination Zone: WAN
    • Destination Network: ANY (meaning any public IP address)

    Please also make sure that the hairpin DNAT rule we originally discussed, for LAN traffic accessing your internal server through its WAN IP, remains at the top of your firewall rule list.

  • In reply to FloSupport:

    Thanks

    Just for understanding, why do I need to keep the "hairpin DNAT rule" at the top of the list?

    Sincerely

  • In reply to Intern Support:

    To ensure that this rule is processed first, in the event you create any other firewall rules that could interfere.
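The following is an added example, not code from the thread or from Sophos. It models the rule FloSupport laid out earlier (source zone DMZ, destination the public IP, protected server in LAN, source rewritten to the LAN interface IP) together with the point made just above about keeping that hairpin rule at the top of the list. The addresses (203.0.113.10 as the public IP, 192.168.1.1 as the XG's LAN IP, 192.168.1.50 as the server, 10.20.0.0/24 as the guest WLAN placed in the DMZ zone) and the rule names are assumptions made for the example.

```python
# Added example (not from the thread or from Sophos): a small model of the
# hairpin/NAT-reflection rule FloSupport described, plus the rule-order point.
# All addresses below are constructed, documentation-range values.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # assumed public IP on the WAN interface
LAN_GW = "192.168.1.1"       # assumed LAN interface IP of the XG ("use outbound IP")
SERVER = "192.168.1.50"      # assumed protected server in LAN
ZONES = {"10.20.0.": "DMZ", "192.168.1.": "LAN"}  # guest WLAN is the DMZ zone here


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not local is treated as WAN."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_host: Optional[str]          # None means any destination
    dport: Optional[int]             # None means any service
    dnat_to: Optional[str] = None    # "Protected server" (destination rewrite)
    snat_to: Optional[str] = None    # "Rewrite source address" (masquerade)

    def matches(self, p: Packet) -> bool:
        return (zone_of(p.src) == self.src_zone
                and (self.dst_host is None or p.dst == self.dst_host)
                and (self.dport is None or p.dport == self.dport))


class Firewall:
    """First-match rule table with a conntrack table for return traffic."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}   # translated (dst, dport, src, sport) -> original packet

    def forward(self, p: Packet):
        for r in self.rules:
            if r.matches(p):
                t = p
                if r.dnat_to:
                    t = replace(t, dst=r.dnat_to)
                if r.snat_to:
                    t = replace(t, src=r.snat_to)
                # remember the translated flow so the reply can be un-NATed
                self.conntrack[(t.dst, t.dport, t.src, t.sport)] = p
                return r.name, t
        return "drop", None

    def reply(self, p: Packet):
        """Server's reply (src/dst swapped) is mapped back to the client."""
        orig = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


# The hairpin rule from the thread, and a generic "DMZ to internet" masquerade rule.
HAIRPIN = Rule("hairpin-dmz-to-lan", "DMZ", PUBLIC_IP, 443,
               dnat_to=SERVER, snat_to=LAN_GW)
DMZ_TO_WAN = Rule("dmz-to-wan", "DMZ", None, None, snat_to=PUBLIC_IP)


def hairpin_flow(rules):
    """Run one guest-WLAN client's HTTPS request to the public IP through the table.

    Returns (matched rule name, packet as sent to the server, reply as seen by the client).
    """
    fw = Firewall(rules)
    client = Packet("10.20.0.5", 40000, PUBLIC_IP, 443)
    rule, sent = fw.forward(client)
    if sent is None:
        return rule, None, None
    server_reply = Packet(sent.dst, sent.dport, sent.src, sent.sport)
    return rule, sent, fw.reply(server_reply)


if __name__ == "__main__":
    print(hairpin_flow([HAIRPIN, DMZ_TO_WAN]))   # hairpin matched first
    print(hairpin_flow([DMZ_TO_WAN, HAIRPIN]))   # generic rule shadows the hairpin
```

With the hairpin rule first, the server sees the connection arrive from 192.168.1.1 (the masqueraded LAN interface IP) and the client sees the reply come from the public IP, which is what the stateful un-NAT of the reply gives. With the generic DMZ-to-WAN rule placed above it, that rule matches first because its destination is "any", the packet keeps the public IP as its destination and never reaches the protected server; that is the interference the ordering advice guards against.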

  • In reply to FloSupport:

    Ok,

    Does it work to add my wireless LAN to the WiFi zone, or does it affect the network in any way apart from the "device access" options (policies)?

    Sincerely

  • In reply to Intern Support:

    To confirm, I would need to take a look at how your current setup is configured. Enable the support access tunnel on your appliance and PM me with your ID.

    Regards,

  • In reply to FloSupport:

    Hi,

    It is not possible right now, since the XG is not in service at the moment.

    My understanding is that zones are just for handling policies in an easier way; ports that belong to the same zone share the same policies.

    Policies = "admin services", "authentication services", "network services" and "other services" accessed on the XG device.

    They do not affect traffic going through the XG, RIGHT? (I just want to make sure I understand ZONES.)

  • In reply to Intern Support:

    Hi,

    Yes, that is correct about zones making policy administration easier.

    However, I'm unsure about your question relating to zones not affecting traffic going through the XG.

    Policies include firewall rules, which are configured to determine what traffic is allowed to go through the firewall and what type of traffic scanning/proxying occurs.

  • In reply to FloSupport:

    Hi,

    Example:

    If a rule has source zone "LAN" and source networks and devices "Any", it means that all ports in that zone are included.

    Is that it, or is there more to it? Can you use zones in any other ways?

    Sincerely

  • In reply to Intern Support:

    Apologies for the confusion, yes that is correct.