Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 39 subscribers
  • Views 95 views
  • Users 0 members are here
Options
Suggested

snat multiple gateways

midnightSun

SNAT with multiple WAN gateways isn't working..

WAN Gateway 1 = Port3 - its public with /27 worth of aliases

WAN Gateway 2 = Port5 - its public with /28 worth of aliases 

(IP Host) SNAT with Port3 aliases work for all of the rules I've created.

(IP Host) SNAT rules for Port5 don't work at all. They use the main Port3 address no matter what I do.

Anyone know how to fix this? I'm not doing any thing exotic. Not using SD-Wan or failover...Just simple rules for in and simple rules for out.



Added TAGs
[edited by: Raphael Alganes at 9:57 AM (GMT -7) on 16 Oct 2024]
Parents Reply Children
  • 0 in reply to Mayur Makvana

    Working SNAT Out

    Source: Data g68
    Service: Any service
    Destination: Any host
    Source: R199_4 -Port3:6
    Service: Original
    Destination: Original
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2024-10-16 02:56:24

    Working Firewall rule Out 

      LAN, g68 
    WAN, Any host
    DNS, NTP, PING, 71..

    So I have 12 rules like the above all working using port3 aliases.

    As a simple test ... If I take the above working rule and change it to Source: Port5:6 the traffic fails.

    I've also tried 

    Source: Data g68
    Service: Any service
    Destination: Any host
    Source: R199_4 -Port3:6
    Service: Original
    Destination: Original
    Inbound: Port1
    Outbound: Port5
    Last used: 2024-10-16 02:56:24

    Even tried Masq with "Override source translation (SNAT) for specific outbound interfaces" 

     

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to midnightSun

    Hello,

    Your SNAT rule should be as below:

    Mayur Makvana
    Technical Account Manager | Global Customer Experience
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Mayur Makvana

    Why? I need controlled outbound connections via each interface alias. 

    Original source - Translated source (SNAT)

    The above pic looks like all connections can access all external connections .I don't see any separation. 

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to midnightSun

    Hello,

    You need to review the settings of "Override source translation (SNAT) for specific outbound interfaces" in snapshot shared. You might wants to open support ticket to understand or differentiate it. Do share us the ticket number for tracking purpose.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML