Enable Routing for public IP on the Lan Interface

Hello everybody!

Right now I have the situation where I want to have multiple public Servers behind a Sophos virtual firewall.

For the Sophos I have a separate public IP. I have a public IP Subnet for the servers that is routed via the public IP of the Sophos firewall.

I've directly assigned a public IP from the subnet to the Server on the Lan interface where the Subnet is configured. I tried to configure the routing so that I can access the Internet but I'm not sure how exactly I should configure it.

Does anyone have advice on how to solve this issue or should I take a different approach?

Thanks in advance!



  • Hi Luke,

    Thank you for reaching out to Sophos Community.

    Have you checked the packet to see if it’s being translated properly or routed?

    You may also try to do a port forwarding.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello Erick,

    Thanks for the reply. I want to have the packets routed to the internal Interface so that I can use the individual public IP address of the servers.

    When I try to ping another server outside of the subnet no packet seems to arrive.

    How should I correctly set up the routing so that packets get sent?

    Thank you for your help.

  • Hi,

    Have you created a Firewall Rule and a NAT rule to translate the IP?

    You may check the following KB regarding NAT :

    Also, Sophos Assistance might help you configure your NAT.

    Also, do a packet capture/TCPdump to check packets and the log viewer for errors.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello Erick,

    I've now created a Firewall Rule and a NAT for the public IP to an internal IP. I've assigned the public IP to an alias on the WAN Interface.

    Using the tcpdump I can see that the traffic arrives at the server with the internal IP and gets sent back. I can see in the tcpdump on the Firewall that the traffic from the internal IP to the Internet gets translated and the source changes to the public IP. Unfortunately no packet arrives on the client. I can also see on the NAT rule overview that the Reflexive NAT Rule doesn't report any usage.

    Let me know if you have an idea.

  • When using the DNAT wizard you will also get the option to create a reflexive NAT rule to have the server use the specified IP when accessing the internet. Tick that option and make sure this NAT rule comes before your general SNAT rule for all other clients.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
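
The rule-ordering point in the reply above, as an added example that is not part of the thread and is not Sophos code: a simplified model of source-NAT rules, assuming they are evaluated top-down with the first match winning. All addresses (documentation ranges) and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SnatRule:
    name: str
    source: str       # CIDR matched against the packet's original source
    translated: str   # new source address, or "MASQ" for the WAN address

# Constructed sample values (assumptions, not taken from the thread).
WAN_IP = "198.51.100.1"
SERVER_PRIVATE = "10.0.0.10"
SERVER_PUBLIC = "203.0.113.10"

REFLEXIVE = SnatRule("reflexive-server", SERVER_PRIVATE + "/32", SERVER_PUBLIC)
GENERAL = SnatRule("general-masq", "10.0.0.0/24", "MASQ")

def translate(rules, src):
    """Return (rule name, translated source) for the first rule matching src."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.source):
            out = WAN_IP if rule.translated == "MASQ" else rule.translated
            return rule.name, out
    return None, src  # no rule matched: source is left untranslated

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    hidden = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.source)
        earlier = (ipaddress.ip_network(prev.source) for prev in rules[:i])
        if any(net.subnet_of(prev_net) for prev_net in earlier):
            hidden.append(rule.name)
    return hidden

if __name__ == "__main__":
    # Compare the two possible orderings for traffic leaving the server.
    for order in ([GENERAL, REFLEXIVE], [REFLEXIVE, GENERAL]):
        names = [r.name for r in order]
        print(names, translate(order, SERVER_PRIVATE), "shadowed:", shadowed(order))
```

With the general rule first, the server's traffic leaves with the WAN address and the reflexive rule is never hit; with the reflexive rule first, the server keeps its own public IP and other clients still fall through to the general rule.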

  • Hello,

    I may be wrong here, but if he says, he has a subnet with public IPs that is officially routed through the public IP he is using for his uplink, then why using NAT?

    This is simply routing and firewall rules for me.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
