

Source and destination NAT

Using Sophos XG210.

I have a server on a LAN segment using a private IP and I have set up a business rule using DNAT and NATted a public IP on the WAN side to the private IP for RDP access. This all works fine but the server has no outbound access, i.e. it cannot access the internet, ping etc.

But the server has no outbound access from the LAN, i.e. it cannot access the internet, ping anything etc.

How do I give the server unrestricted access outbound and still only allow RDP inbound, i.e. how do I set up a NAT and rule for outbound access?

So as an example with a Cisco firewall I would simply set up a 1 to 1 NAT, e.g.

172.16.3.1 -> 195.66.10.1

All outbound traffic would by default be allowed out and would be translated to 195.66.10.1, and then I can add a rule just to allow RDP inbound to 195.66.10.1.

The problem I am having with the Sophos is that you seem to do different rules etc. based on whether it is source or destination NAT, and it's not clear exactly how to set this up.

Thanks for any pointers.



  • Hi  

    You should create a simple User/Network firewall rule as shown in the images below. Please note that you should decide the priority of the rule according to your requirements (XG follows a top-down approach). You can also specify the Primary gateway of your choice and should apply the Advanced configuration of your choice. But the NAT settings are enough to allow your RDP server to connect to the Internet. It won't conflict with the existing DNAT rule you've configured.


    Regards

    Jaydeep

  • Hi Jaydeep

    Many thanks for responding.

    So I leave the DNAT in place?

    I have just managed to get it working but a different way. So in the DNAT rule I:

    i) selected "Rewrite source address (masquerading)"

    ii) In the drop down "Use outbound address" I selected the rule name, i.e. DED218-NAT

    iii) selected "Create reflexive rule"

    and now it all works.

    What is the difference between what I have done and what you are suggesting, i.e. I have done it all in the same DNAT rule, although I am not sure exactly what I have allowed.

    You seem to be suggesting leaving the DNAT as is and then creating a completely separate User/Network rule.

    What are the pros and cons of each?

  • The rule I suggested allows you to configure the Web Filter and application filter of your choice and also allows you to select a different internet gateway (if you wish so).

    Enabling the Reflexive rule option also works. The Reflexive rule in a Business Application Rule usually pertains to DNAT rules. Most DNAT rules are from the outside into an internal server for example (source: WAN, destination: the protected server in your LAN).

    Being a stateful firewall, it will automatically allow return traffic. The reflexive rule allows traffic to start and be initiated from the destination zone to the source zone (e.g. the protected server out to the Internet). All the same policies from the Business Application rule will apply.

    Hope this clarifies things for you.

    Regards

    Jaydeep

  • Hi Jaydeep

    Again many thanks for the response, it helps clear things up.

    Last questions:

    1) Your User/Network rule would allow all services outbound, which is what I actually want.

    If I use the reflexive rule in the DNAT rule, does that only allow outbound the services I am allowing inbound from the WAN on the same rule?

    2) If I do use a User/Network rule for outbound, I can presumably still use the same public IP I am using in the DNAT rule?

    Jon

  • Hi Jon,

    You're welcome. And answer to your questions:

    1) Yes, it allows all the services when the reflexive rule is enabled.

    2) Yes, you can choose the public IP of your choice regardless of the one used in the DNAT rule.

    Regards

    Jaydeep