

Pass public IP address to device behind XG without NAT

Hi experts. My ISP has given me a range of public IPs - say for example 125.10.10.1/30. So I have 2 usable addresses - 125.10.10.1 and 125.10.10.2.

Say interface port B is setup as my WAN and interface port A is my LAN (with a subnet of 192.168.25.1/24)

I want to keep 125.10.10.1 as the main WAN address for my LAN network. For this I have a standard MASQ and it works fine.

However, I have a tenant whose router is plugged into port C. I want to allocate the IP 125.10.10.2 to them - but I don't want to do any NAT. Their router should be configured with the IP address 125.10.10.2 and all traffic to that IP should go straight to that port with no NAT.

I understand I need to create an alias for IP 125.10.10.2? But apart from that, I'm not sure how I configure this. Do I simply create a new interface on port C with the IP address of 125.10.10.2? Do I need to create an SNAT rule for traffic coming from Port C so that traffic to the Internet from that port has the IP 125.10.10.2 rather than the default IP of 125.10.10.1?

Thanks for any help you can provide. I have tried Googling this, but I'm obviously not getting my GoogleFu terminology correct.



  • Hi,

    I will answer again, this time remembering to save the post.

    What you are trying to do will not work because you will need two addresses on your internal LAN, one for the LAN (XG) interface and one for the router external interface.

    You should be able to setup a rule that allows the LAN to WAN without using a NAT when you have two addresses on the internal LAN.

    You could try creating a bridge which would mean you would not need an extra address.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian and thanks for your reply.

    I think maybe my terminology was confusing. Partly because I don't know the right words to describe what I'm trying to achieve. Let me try again.

    Port A is my internal LAN. It uses standard MASQ and has a subnet of 192.168.25.1/24. Any traffic destined for the Internet on any device attached to Port A will go via the Sophos XG as the gateway and out to the Internet. So a typical device on port A will have the IP address of say 192.168.25.100/24 and the gateway of 192.168.25.1. The Sophos NATs the traffic out to the Internet and everyone is happy. This is a standard setup.

    However, Port C should not be part of the LAN. There is only a single device attached to port C - another router (that belongs to the tenant). That device should have the public address 125.10.10.2 (which is the other available address on our 125.10.10.1/30 range). So any traffic destined for that IP address (125.10.10.2) will come in on the Sophos' WAN port (port B) and straight out to the device plugged into port B. That device (tenant's router) can then do its own NATing to its own LAN. They can port forward, set firewall rules on their router etc - as if they were directly connected to the Internet (which they basically are - because the XG is not NATing their traffic).

    I hope that is clearer - sorry for the confusion. I know this is possible on the SG as I have done it a number of times. I'm also sure it is fairly common. Especially these days when you can get a fiber connection with a /27 and have a few IPs to play with.

    Thanks again for any insight you can provide.

  • Hi,

    My answer still does not change. I would suggest you go for a bridge with your tenant network only with your existing IP range.

    Ian

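The point Ian makes twice above is an address-budget one: a routed (non-bridged) hand-off to the tenant's router needs a transfer subnet carved out of the public block, with one address for the XG-side interface and one for the tenant's router, and a /30 that already has its WAN address in use leaves no room for that. The following is an added example, not code from the thread or from Sophos, that checks that budget with Python's standard `ipaddress` module. The block and the address 125.10.10.1 are the thread's hypothetical values; the function name `plan_transfer_subnet` and the returned field names are this example's own.

```python
# Added example (not from the original thread): does a public block leave room
# for a routed hand-off to a downstream router, or is a bridge the only option?
import ipaddress
from typing import Optional


def plan_transfer_subnet(public_block: str, reserved: list[str]) -> Optional[dict]:
    """Find the smallest subnet inside `public_block` that contains none of the
    `reserved` addresses (e.g. the address already bound to the WAN port) and
    still has two usable hosts: one for the firewall's tenant-facing interface,
    one for the tenant's router.  Returns None when no such subnet exists, which
    is exactly the situation where a bridge (or another scheme) is needed.
    """
    # strict=False accepts the thread's host-style notation "125.10.10.1/30"
    # and normalises it to the network 125.10.10.0/30.
    block = ipaddress.ip_network(public_block, strict=False)
    taken = {ipaddress.ip_address(a) for a in reserved}
    for addr in taken:
        if addr not in block:
            raise ValueError(f"{addr} is not inside {block}")

    # Try the smallest transfer subnet first (/30 = 2 usable), then larger ones,
    # never larger than the block itself.
    for prefixlen in range(30, block.prefixlen - 1, -1):
        for candidate in block.subnets(new_prefix=prefixlen):
            if any(addr in candidate for addr in taken):
                continue  # would collide with an address already in use
            hosts = list(candidate.hosts())
            if len(hosts) < 2:
                continue
            return {
                "subnet": str(candidate),
                "xg_side": str(hosts[0]),        # firewall's tenant-facing interface
                "tenant_router": str(hosts[1]),  # tenant router's WAN address
                "usable": len(hosts),
                # A routed hand-off spends the whole transfer subnet, not just two IPs.
                "addresses_consumed": candidate.num_addresses,
            }
    return None


def describe(public_block: str, wan_address: str) -> str:
    """Human-readable verdict for one block / WAN-address combination."""
    plan = plan_transfer_subnet(public_block, [wan_address])
    if plan is None:
        return (f"{public_block}: no transfer subnet available once {wan_address} "
                f"is on the WAN port; routed hand-off not possible, bridge needed")
    return (f"{public_block}: route {plan['subnet']} to the tenant port, "
            f"{plan['xg_side']} on the XG side, {plan['tenant_router']} on the tenant router "
            f"({plan['addresses_consumed']} addresses consumed)")


if __name__ == "__main__":
    # Constructed inputs: the thread's /30, and the larger blocks the OP
    # mentions as typical for a fibre hand-off.
    for blk in ("125.10.10.1/30", "125.10.10.0/29", "125.10.10.0/27"):
        print(describe(blk, "125.10.10.1"))
```

Run it as-is and the /30 case comes back with no usable transfer subnet, while a /29 or /27 yields 125.10.10.4/30 with .5 and .6 free. The `addresses_consumed` field is worth noting when planning with a real block: a routed hand-off burns four public addresses per tenant, which is the cost the bridge approach avoids.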
