

Want Internal server with unique external IP address on XG210

I'm in the process of migration from a Cisco ASA5505 to a Sophos XG210. FW is SFOS 17.0.6 MR-6.

I have a block of 32 IP addresses and I want to map some of those IP addresses to individual servers on the internal LAN. From what I can tell, that means setting up DNAT per the instructions https://community.sophos.com/kb/en-us/122976. This works for inbound traffic but as soon as I enable "Reflexive Rule" so that the internal server can initiate connections with the external IP, I can no longer connect to the Internet using that internal server. Without the reflexive rule, the server connects to the Internet fine but has the default external IP for the WAN port.

One of the servers is my internal SMTP relay. I want it to have a dedicated IP for connecting to Office 365 as an authorized relay and it will be generating SMTP traffic. I don't want any inbound SMTP connections from the WAN to that server. I would actually be happy to have no inbound connections from the WAN to the internal SMTP relay.

How do I set that up?

This thread was automatically locked due to age.
  • Hi,

    As a workaround, you can go with another (second) rule, which takes the explicit LAN-WAN traffic and uses the correct MASQ IP.

    But if you want to go with the reflexive rule, I would recommend digging deeper into the dump. I'm not aware of any limitation regarding reflexive rules and DNAT on alias interfaces.

    Cheers


  • Hi Greg,

    I understand your internal SMTP relay server needs to go out through a specific ISP IP, not the default port IP. If this is the case, you can use Source NAT.

    1. Create a LAN to WAN network rule
    2. Select only your server in the source list
    3. Scroll down to "NAT & Routing"
    4. Select "Masquerading"
    5. From the MASQ drop-down, click "Create New"
    6. Enter the public IP address you require and save
    7. Ensure you select the correct primary gateway
    8. Save the rule
    9. Move the rule to the top of the order

    ""It would be good if you can add that public IP as an Alias to the interface

  • Thanks to both answers. These both addressed my issue.