NAT reflection DMZ to LAN

Hi,

I would like to do a "NAT reflection" in XG, but from a DMZ (actually a guest WLAN) to LAN using the public IP, forwarding back inside to the LAN.

I have seen how LAN back into LAN is explained in https://community.sophos.com/products/xg-firewall/f/network-and-routing/73239/nat-reflection

Can it be done?

Thanks

  • Hi

    Yes, you would be able to configure this NAT reflection (Hairpin) rule as per that community thread.

    In your situation:

    Create business application rule (DNAT/Full NAT/Load Balancing)

    • Source Zone: DMZ
    • Source Network: Any
    • Destination host/network: Public IP
    • Services: Define the services used
    • Protected Server: LAN IP of server
    • Protected Zone: LAN
    • Rewrite Source Address (masquerading): Enabled
    • Use outbound IP: LAN interface GW IP
    • Log Firewall Traffic: Enabled

    Please let me know if you had any issues.

    I will follow up with our KB team in regards to publishing an article regarding this.

  • In reply to FloSupport:

    Thanks for the answer!

    When I choose "Rewrite Source Address (masquerading): Enabled", I also have to choose "use outbound address". What do I choose there?

    Do I create and use the address of the FW interface for this network?

    Since it is a WLAN (a WLAN router is involved), is there a problem with the TCP connections (port 443) going back and forth?

    XG330 SFOS 17.1.3 MR-3

  • In reply to Intern Support:

    Yes, you could use the default "Masq" definition, as this would NAT to the IP of the egress interface (LAN interface). Or you can also create a new IP host object for your LAN interface IP, and specifically use this for your NAT policy.

    There shouldn't be any issues as the XG is a stateful firewall and will know where to forward the traffic to.

    Regards,
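    As an added illustration (not code from the thread or from Sophos), here is a small Python model of the hairpin rule described in the first answer and of the stateful reverse translation mentioned above: the destination is DNATed to the protected server, the source is rewritten to the LAN interface IP, and the server's reply is mapped back through the connection table. All addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses for the thread's scenario (not real hosts).
PUBLIC_IP = "203.0.113.10"   # the public IP the guest clients connect to
SERVER_IP = "192.168.1.20"   # "Protected Server": LAN IP of the web server
LAN_GW_IP = "192.168.1.1"    # "Use outbound IP": the XG's LAN interface address
SERVICES = {443}             # "Services": only HTTPS is forwarded

@dataclass(frozen=True)
class Packet:
    zone: str    # zone the packet is in: ingress zone on arrival, egress zone after NAT
    src: str
    sport: int
    dst: str
    dport: int

StateKey = Tuple[str, int, str, int]   # (src, sport, dst, dport) after translation

class HairpinNat:
    """Model of the DMZ -> public IP -> LAN hairpin rule with masquerading."""

    def __init__(self) -> None:
        # Connection table: translated 4-tuple -> the original (pre-NAT) packet.
        self.state: Dict[StateKey, Packet] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Apply the rule to a new connection; None means the rule does not match."""
        if pkt.zone != "DMZ" or pkt.dst != PUBLIC_IP or pkt.dport not in SERVICES:
            return None
        # Masquerade keeps the client's source port unless another guest client
        # already holds the same translated tuple; then a free port is picked.
        sport = pkt.sport
        while (LAN_GW_IP, sport, SERVER_IP, pkt.dport) in self.state:
            sport += 1
        # DNAT: destination becomes the protected server.
        # SNAT: source becomes the LAN interface IP, so the server answers the XG
        # rather than trying to reach the guest client directly.
        translated = Packet("LAN", LAN_GW_IP, sport, SERVER_IP, pkt.dport)
        self.state[(LAN_GW_IP, sport, SERVER_IP, pkt.dport)] = pkt
        return translated

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a server reply; None if no matching state."""
        # A reply carries the forward tuple with source and destination swapped.
        orig = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        # Restore the public IP as source and the guest client as destination.
        return Packet("DMZ", orig.dst, orig.dport, orig.src, orig.sport)
```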

  • In reply to FloSupport:

    Thanks!

    Right now I have one forward rule for access from the internet and one for access from the WLAN, both to access the same LAN device via HTTPS. Is there any way I can make this one rule?

    Do I also need to MASQ the accept rule that allows services on the internet, like DNS, HTTPS and so on, and with which NAT policy?

    If yes, does it mean i always have to use masquerading on rules handling traffic to the internet?

    Regards

  • In reply to Intern Support:

    Hi

    This will have to be two separate rules, as one rule is meant for outside internet users (no NAT) and one for hairpinning WLAN users (NAT).

    For internal wireless/LAN traffic that is destined for the WAN zone (internet), you will need to have masquerading enabled (NAT to your public IP). Private network IP traffic will be dropped by ISP routers.

    Regards,