
Enable Routing for public IP on the LAN Interface

Hello everybody!

Right now I have the situation where I want to have multiple public servers behind a Sophos virtual firewall.

For the Sophos I have a separate public IP. I have a public IP subnet for the servers that is routed via the public IP of the Sophos firewall.

I've directly assigned a public IP from the subnet to the server on the LAN interface where the subnet is configured. I tried to configure the routing so that I can access the Internet, but I'm not sure how exactly I should configure it.

Does anyone have advice on how to solve this issue, or should I take a different approach?

Thanks in advance!



  • Hello Erick,

    I've now created a firewall rule and a NAT for the public IP to an internal IP. I've assigned the public IP to an alias on the WAN interface.

    Using tcpdump I can see that the traffic arrives at the server with the internal IP and gets sent back. I can see in the tcpdump on the firewall that the traffic from the internal IP to the Internet gets translated and the source changes to the public IP. Unfortunately no packet arrives on the client. I can also see on the NAT rule overview that the reflexive NAT rule doesn't report any usage.

    Let me know if you have an idea.

  • When using the DNAT wizard you will also get the option to create a reflexive NAT rule to have the server use the specified IP when accessing the internet. Tick that option and make sure this NAT rule comes before your general SNAT rule for all other clients.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
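The rule-order advice in the reply above, as an added example that is not part of the thread and not Sophos code: a small checker that walks an ordered source-NAT rule list and reports any rule that can never be hit because an earlier, broader rule already covers its traffic. It assumes top-down, first-match evaluation; the `NatRule` model, rule names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:            # hypothetical model, not a Sophos object
    name: str
    src: str              # original source network (CIDR)
    out_iface: str        # outbound interface; "any" matches all
    translated_src: str   # source address after translation

    def matches(self, src_ip, iface):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and self.out_iface in ("any", iface)

def first_match(rules, src_ip, iface):
    """Return the first matching rule (assumed top-down evaluation)."""
    for rule in rules:
        if rule.matches(src_ip, iface):
            return rule
    return None

def shadowed(rules):
    """Return (rule, shadowing_rule) name pairs: a later rule is shadowed
    when an earlier rule covers its whole source range and interface."""
    found = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.src)
        for earlier in rules[:i]:
            covers_src = later_net.subnet_of(ipaddress.ip_network(earlier.src))
            covers_if = earlier.out_iface in ("any", later.out_iface)
            if covers_src and covers_if:
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample rules (documentation address ranges only).
DEFAULT_SNAT = NatRule("default_snat", "10.0.0.0/24", "any", "198.51.100.1")
REFLEXIVE = NatRule("reflexive_server", "10.0.0.10/32", "WAN", "203.0.113.10")
WRONG_ORDER = [DEFAULT_SNAT, REFLEXIVE]   # general rule on top
RIGHT_ORDER = [REFLEXIVE, DEFAULT_SNAT]   # specific rule on top

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        hit = first_match(rules, "10.0.0.10", "WAN")
        print(label, "order: server leaves as", hit.translated_src,
              "| shadowed:", shadowed(rules))
```

A rule reported as shadowed would show a usage counter of zero, since the broader rule above it takes every matching packet.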

  • Do you want to use the server IPs from clients behind the firewall? And these are in a different zone / at a different interface?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I already did that and for some reason it doesn't work...

  • My original approach to this was to use NAT. But after that didn't work I switched to routing, which still doesn't work as well.

    On my second approach I gave the servers behind the firewall an IP from our public IP subnet. Then I switched to routing, which unfortunately didn't work as well.

    I may have a solution but I will have to try it first. I will keep you updated!