
NAT - IP Range doesn't work.

Hello,

I'm migrating from a Juniper that has a NAT pool set up, and I'm trying to create the same solution on the Sophos. I have raised a support ticket with Sophos; the response from support doesn't resolve the issue. They did a remote session and started to blame the switch that is in the middle of the two endpoints.

Issue:

I need to go from the LAN zone to the Datacentre zone and pool a range of IPs used in the NAT. I can't do a source NAT (many to one) as the applications don't like this method.

Zone LAN: 10.10.0.0/24 | GW 10.10.10.254 VLAN Interface IP

Zone DataCentre: 192.168.10.0/24 | GW 192.168.10.254 VLAN Interface IP

NAT IP Range: 192.168.10.121 - 199 = 78 IPs

Sophos XG        ->  WAN LINK   ->    Datacentre Router

192.168.10.254                                 192.168.10.1

Support Response:

Support explained how to create a pool of IP addresses for the firewall rule.

1. Go to firewall rule
2. Advanced > NAT & routing > enable Rewrite source address (masquerading) > Use outbound address > Create new
3. Enter name for Add NAT policy > IP address > Create New > IP range > Save

When I put this IP range in place, the IPs are changed to the NAT range. Wireshark shows that no traffic flows.

No.     Time           Source                Destination           Protocol Length Info
 27   23.811303      192.168.10.121        192.168.10.1          ICMP     74     Echo (ping) request  id=0x0001, seq=6692/9242, ttl=127 (no response found!)
 28   23.811461      HonHaiPr_a2:93:57     Broadcast             ARP      42     Who has 192.168.10.121? Tell 192.168.10.1
 29   24.572072      HonHaiPr_a2:93:57     Broadcast             ARP      42     Who has 192.168.10.121? Tell 192.168.10.1

If I assign the IP address to the VLAN interface on the XG (the same as you do when creating a SNAT), Wireshark shows the return traffic and the host can ping even though the NAT IP range is still in place.

No.     Time           Source                  Destination                       Protocol Length Info
11   17.138975      192.168.10.121        192.168.10.1                   ICMP     74     Echo (ping) request  id=0x0001, seq=6664/2074, ttl=127 (reply in 14)
12   17.139153      HonHaiPr_a2:93:57     Broadcast                     ARP      42     Who has 192.168.10.121? Tell 192.168.10.1
13   17.139237      Tecnomen_65:b7:9e     HonHaiPr_a2:93:57    ARP      60     192.168.10.121 is at 00:e0:20:65:b7:9e
14   17.139249      192.168.10.1          192.168.10.121                ICMP     74     Echo (ping) reply    id=0x0001, seq=6664/2074, ttl=128 (request in 11)
15   18.139835      192.168.10.121        192.168.10.1                  ICMP     74     Echo (ping) request  id=0x0001, seq=6665/2330, ttl=127 (reply in 16)
16   18.139979      192.168.10.1          192.168.10.121                ICMP     74     Echo (ping) reply    id=0x0001, seq=6665/2330, ttl=128 (request in 15)

Do I need to add 78 IP aliases to my interface to make this work? How many aliases can the interface take?
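Added example, not part of the original post: the two captures in the post differ in exactly one respect, whether anything on the DataCentre segment answers ARP for the translated source address. In the first capture the router asks "Who has 192.168.10.121?" twice and nobody replies, so the echo request leaves but the reply has no layer-2 destination; in the second, the firewall interface claims the address and the ping completes. The Python below, written for this page, parses Wireshark packet-summary lines of the same shape as the post's listings (the sample lines are constructed here and not copied from the thread), expands a NAT pool written as "192.168.10.121 - 199", and lists the pool addresses that were asked for on the wire but never claimed. All function and constant names are this example's own.

```python
from __future__ import annotations

import re
from ipaddress import ip_address

# Constructed capture excerpts mirroring the shape of the post's two Wireshark
# listings (packet summary lines, whitespace-separated columns).
CAPTURE_NO_ALIAS = """\
27 23.811303 192.168.10.121 192.168.10.1 ICMP 74 Echo (ping) request id=0x0001, seq=6692/9242, ttl=127 (no response found!)
28 23.811461 HonHaiPr_a2:93:57 Broadcast ARP 42 Who has 192.168.10.121? Tell 192.168.10.1
29 24.572072 HonHaiPr_a2:93:57 Broadcast ARP 42 Who has 192.168.10.121? Tell 192.168.10.1
"""

CAPTURE_WITH_ALIAS = """\
11 17.138975 192.168.10.121 192.168.10.1 ICMP 74 Echo (ping) request id=0x0001, seq=6664/2074, ttl=127 (reply in 14)
12 17.139153 HonHaiPr_a2:93:57 Broadcast ARP 42 Who has 192.168.10.121? Tell 192.168.10.1
13 17.139237 Tecnomen_65:b7:9e HonHaiPr_a2:93:57 ARP 60 192.168.10.121 is at 00:e0:20:65:b7:9e
14 17.139249 192.168.10.1 192.168.10.121 ICMP 74 Echo (ping) reply id=0x0001, seq=6664/2074, ttl=128 (request in 11)
"""

# Wireshark's Info column for ARP requests, ARP replies and unanswered echo requests.
ARP_REQUEST = re.compile(r"\bARP\s+\d+\s+Who has (\S+)\? Tell (\S+)")
ARP_REPLY = re.compile(r"\bARP\s+\d+\s+(\S+) is at (\S+)")
ICMP_NO_REPLY = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+(\S+)\s+ICMP\b.*\(no response found!\)")


def parse_pool(spec: str) -> set[str]:
    """Expand 'a.b.c.x - a.b.c.y' or the shorthand 'a.b.c.x - y' (last octet
    only) into the inclusive set of addresses in the NAT pool."""
    first, last = (part.strip() for part in spec.split("-", 1))
    if "." not in last:
        last = first.rsplit(".", 1)[0] + "." + last
    start, end = int(ip_address(first)), int(ip_address(last))
    if end < start:
        raise ValueError(f"range end {last} precedes start {first}")
    return {str(ip_address(n)) for n in range(start, end + 1)}


def arp_status(capture: str, pool: set[str]) -> dict[str, dict]:
    """For every pool address a neighbour asked about, count the ARP requests
    and record whether any ARP reply claimed the address (and with which MAC)."""
    status: dict[str, dict] = {}
    for line in capture.splitlines():
        req = ARP_REQUEST.search(line)
        if req and req.group(1) in pool:
            entry = status.setdefault(req.group(1), {"requests": 0, "answered": False, "mac": None})
            entry["requests"] += 1
            continue
        rep = ARP_REPLY.search(line)
        if rep and rep.group(1) in pool:
            entry = status.setdefault(rep.group(1), {"requests": 0, "answered": False, "mac": None})
            entry["answered"] = True
            entry["mac"] = rep.group(2)
    return status


def unclaimed_pool_addresses(capture: str, pool: set[str]) -> list[str]:
    """Pool addresses that were asked for on the wire but never claimed by any
    host: traffic translated to these sources leaves, but replies cannot return."""
    return sorted(
        (ip for ip, s in arp_status(capture, pool).items() if s["requests"] and not s["answered"]),
        key=ip_address,
    )


def unanswered_echo_requests(capture: str) -> list[tuple[str, str]]:
    """(source, destination) pairs of echo requests Wireshark marked as unanswered."""
    return [m.group(1, 2) for m in map(ICMP_NO_REPLY.match, capture.splitlines()) if m]


if __name__ == "__main__":
    pool = parse_pool("192.168.10.121 - 199")
    for label, capture in (("no alias", CAPTURE_NO_ALIAS), ("alias on interface", CAPTURE_WITH_ALIAS)):
        print(f"{label}: unclaimed={unclaimed_pool_addresses(capture, pool)} "
              f"unanswered pings={unanswered_echo_requests(capture)}")
```

Pasting the packet-list text of a longer capture in place of the constructed excerpts gives, per pool address, how often the router asked for it and whether anyone answered; an address that appears in the unclaimed list is one the firewall does not own on that segment, which is exactly the difference between the two listings in the post.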