Multiple PUBLIC IP leashed line setup for NAT

Hi .
I'm having trouble trying to get one of the Public IP(Alias) to be nat onto voice subnet interface.
Here's the diagram below.
Network Diagram.

Here's what i configure for the Leased IP Line.

For voice LAN interface Subnet i configure as below.

As for rule. I did it as below.

I have trouble reaching via 4000 to 4008.

May i know which settings i did wrong or is there something i left out ?

Added TAGs
[edited by: emmosophos at 7:47 PM (GMT -8) on 25 Feb 2021]
  • Hi ,

    Thank you for reaching out to Sophos Community.

    Assuming you're able to make a successful connection on with 5060:5071 ports.

    To check further with the 4000:4008 port, you may first try to change 'Use Outbound Address' under Masquerading to default MASQ.

    If that doesn't help then try disabling Masquarading once.

    You may check traffic flow in the console by using the below command.

    ==> Login to SSH > 4. Device Console

    console> tcpdump 'port <port number>

    eg: console> tcpdump 'port 4000

    Yash Kothari
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Hi ywillie,

    As per configuration screenshot, Use Outbound Address seems to be incorrect as this rule is for allowing traffic from WAN(XG-A1) to PABX so there is no need for NATing it with IP, you can either uncheck "Rewrite source address" of select Rewrite source address as MASQ instead of

    Hardik R

  • Hi. Thx for the reply. connection to with 5060 to 5071 did not worked either even after i did the DNAT rule.
    I've been checking the logs from Log viewer. By using my home internet connection to remotely reach
    I crossed checked my home internet src ip :public ip icmp and tcping towards destination ip: .
    Seems to me all relevant ports from 4000 to 4008 and icmp was actually allowed.
    However this only stops at 
    When i tried to search src ip: . There was nothing.
    There's actually a TPLINK router TL-R600VPN router with ip after interface A5 .
    I do suspect that the router do not have a static route on it. It does not know where's the exit interface.

  • My home internet using dynamic ip. It's currently recorded as
    As i did the test. SRC IP: to actually passes the traffic.

    When i reverse the results with only 
    SRC IP: .
    It returned no results.
    I tried
    SRC IP: which is the pabx IP.
    It returned no results either.

    However when i tried SRC IP:
    It returned something.

    Seems to me that the router is the culprit.
    It's a TPLINK R600 router.

    The TPLINK router was used as a SIP dial up device. It has 1 WAN port connected to the SIP Service provider's modem.
    While the entire LAN network were setup as on the TPLINK R600 Router.

    I figured that if request the vendor to configure the entire network to be on the TPLINK R600 router,
    It'll actually allow traffic across the firewall towards by creating a DNAT Rule.
    However that's not the case.
    This is an actual view on the PABX and it's related devices.

    There's a static routing missing at the TPLINK Router R600 side.
    Could i get a help on static routing part ?
    Should i route only accross to ?
    I had another concern would be by doing such a static route, it might even change the path of the MLS causing the SIP traffic to not work properly..

  • I've found the issue. The problem indeed came from the tplink router itself.
    Today i remove the router and plug a laptop straight to the lan port of the firewall under interface A5.
    I even configured the laptop static with an ip matching the Pabx system's ip.
    I downloaded port listener on the laptop and have it listen on port 4001 and other ports each time to test the connection.
    Everything went through from externally without issue.
    The public ip had actually successfully nat to the internal ip .
    The only problem is the tplink router isn't returning the packets back . It's dropping the packets at some point.