This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem snat between directly connected interfaces

Hello community,

We have recently transitioned from the SG 230 UTM to the XGS 2300, and we've recreated all our firewall rules from the UTM for the new XGS device.

All NAT rules were also recreated.

While DNAT rules are functioning perfectly, we are encountering issues with SNAT and MASQ rules. The counter for the SNAT rules consistently shows zero.

Although traffic from "LAN" to "WAN" is working, we are not seeing any SNAT rules being utilized in the traffic log. Despite having a rule in place and the correct WAN IP from one WAN interface appearing in the "Src NAT IP" column of the traffic log, the SNAT rules do not seem to be effective.

Additionally, we became confused as we saw that connections between directly connected interfaces on the firewall were being source NATted, not just routed.

We didn't configure that at all.

Does anyone have an idea what could be the problem ?

Did anyone have the problem before?

SFOS 20.0.0 GA-Build222

This thread was automatically locked due to age.

Top Replies

LuCar Toni 5 months ago +1 verified

Could you check your License Screen? Do you have a valid Base Firewall?

0 Denis Salenko 5 months ago

We habe the same issue on one firewall.
Cancel
Vote Up 0 Vote Down

Cancel
+1 LuCar Toni 5 months ago

Could you check your License Screen? Do you have a valid Base Firewall?

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 Denis Salenko 5 months ago in reply to LuCar Toni

Ni, our base licence is not valid. It will start in april. The license was issued with an incorrect date. According to our key account manager, this should not be a problem. Everything works so far, except for SNAT and default maqr rule.

Base Firewall

Stateful Firewall, VPN, Wireless

Not subscribed Dec 31, 2999
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte 5 months ago in reply to Denis Salenko

But ther eis a problem without base-license.

i run into ths problem some weeks ago.

Looks like all is working great ... but some basic features (like SNAT) didn't work.

Also WiFi may be a problem. Starts working, after adding 1.2.3.4/32 as alias to some interface.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Denis Salenko 5 months ago in reply to dirkkotte

Danke Dirk, ich habe bereits Sophos diesbezüglich kontaktiert. Ich hoffe auf eine Lösung seitens Sophos.
Cancel
Vote Up 0 Vote Down

Cancel
+1 emmosophos 5 months ago in reply to Denis Salenko

Hello there,

If your base license is not valid, then SNAT will not work.

Take a look at this RR.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Cancel
0 Denis Salenko 5 months ago in reply to emmosophos

Thanks @all

Base licence was the problem. Sophos resolve it.

Regards
Cancel
Vote Up +1 Vote Down

Cancel
0 Erick Jan 5 months ago in reply to Denis Salenko

Hi Denis,

Thank you for sharing the update.

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel