Sophos Smarthost - Outgoing Interface + NAT

Hello Sophos User2126,

Thank you for reaching to community, So if I understood it correct you have an on premise smarthost which you want to utilize under email > general settings > Smarthost settings. If that is a case you can create a DNAT for that on premise server: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html

Hi, 
this also works to run Sophos itself (the MTA service) over the NAT?

It should with source as "ANY" 

Unfortunately does not work. The problem may also be that this NAT should be on an interface IP of the Sophos that is on LAN1, but the route would go via LAN4.

There is still a CLI command that is needed for NAT in conjunction with IPSec. Could there still be a possibility here?

Do you want me to draw it?

Yea topology will be better to narrow down. Do you have Aliases on LAN1 ? if not have you created any ?

Yes, there is an alias configured.

Thats the situation, the Exchange sends the Mails to the Sophos, and than the Sophos should send it to the smarthost, out on P4.
BUT the Mail-Service inside the Sophos must use an source IP-Address of the LAN (actual it uses the configured alias) to communicate with the Smarthost, because the transfer-network is local-only and not routed by the provider.
Incoming mails from the smart host are working as expected.

Hello Sophos User2126,

In this scenario instead of MASQ with the interface in the NAT rule under "Translated source (SNAT)"  leave that original and select the outbound interface and mark it with that particular desired interface.

Tried this and also this: https://support.sophos.com/support/s/article/KB-000035607?language=en_US

But both don't seem to work. I'll capture some traffic to see whats going on

Sure tcpdump, packetcapture can help understand !!