
DNAT (destination) in XG LAN>WAN

Within Sophos UTM 9 I previously had a DNAT rule that rewrote the destination address. Basically it changed the original destination address to a different destination address for all outbound traffic coming from a specific internal network adapter.
In UTM the rule was similar to this:

Matching condition
For traffic from: Internal Network adapter X.
Using Service: Any
Going to: 8.8.8.8

Action:
Change the destination to: 9.9.9.9
And the service to: Any

How would one be able to replicate this in XG?
I have managed to create inbound NAT using Business Application Rule following your documentation, but I have not been able to get any closer with the question above.



  • Based on the given example, try creating a Business Application Policy as shown below, so that any workstation trying to reach destination 8.8.8.8 from zone LAN is mapped to 9.9.9.9 on zone WAN:

    SOURCE:
    Host: #PortA

    HOSTED SERVER:
    Source Zone: LAN
    Hosted Address: 8.8.8.8

    PROTECTED APPLICATION SERVER(s):
    Protected Zone: WAN
    Protected Application Server: 9.9.9.9
    Forward All Ports: ON

    Save.

    To verify if this is working as expected, please log in to the console, choose option 4 and enter the following command:

    Main Menu

    1. Network Configuration
    2. System Configuration
    3. Route Configuration
    4. Device Console
    5. Device Management
    6. VPN Management
    7. Shutdown/Reboot Device
    0. Exit

    console> tcpdump 'proto ICMP'
    tcpdump: Starting Packet Dump
    05:45:45.577492 PortA, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 11, length 40
    05:45:45.577743 PortB, OUT: IP 172.16.16.17 > 9.9.9.9: ICMP echo request, id 1, seq 11, length 40

    Look at the source and destination ports: Port A is LAN and Port B is WAN in this example. Confirm destination NAT by looking at the destination IP. Here, the packet hitting the firewall (in > PortA) with destination 8.8.8.8 is NATted (out > PortB) to 9.9.9.9.

    Hope that helps.
  • Hiya, because it's going to an external address, remember to turn on Masquerading so the WAN packets know where to come back to! You only need to use the standard Masq policy.

    This is in conjunction with Amit's answer :)

    FYI, you can actually do a packet capture from System > Diagnostics > Packet Capture. Change the display filter to ICMP, turn the capture on and run the test, you will see something like this:

    It will also show the reply packets as well and can be a little easier (although not as informative) to read than Tcpdump.

    This tool is getting worked upon but I'm sad and dump this out via filedump and read it in Wireshark.
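    As an added example (not code from the thread or from Sophos), the script below parses console tcpdump lines in the format Amit quoted and checks the two points raised in the answers above: that the copy of each echo request leaving the WAN port has its destination rewritten to 9.9.9.9 (DNAT applied), and that its source is no longer an RFC 1918 address (masquerading applied). The first two sample lines are the ones from the thread; the last two are constructed, and the WAN address 203.0.113.5 in them is a placeholder assumption, not an address from the thread. Port and address names are parameters, so the same check works for other interface and destination pairs.

```python
import ipaddress
import re

# Constructed sample capture. The first two lines are the tcpdump lines quoted in
# the thread; the last two are constructed to show a second echo request whose WAN
# copy has been masqueraded. 203.0.113.5 is a placeholder for the firewall's WAN
# address (an assumption; it is not an address from the thread).
SAMPLE_CAPTURE = """\
05:45:45.577492 PortA, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 11, length 40
05:45:45.577743 PortB, OUT: IP 172.16.16.17 > 9.9.9.9: ICMP echo request, id 1, seq 11, length 40
05:45:46.581002 PortA, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 12, length 40
05:45:46.581270 PortB, OUT: IP 203.0.113.5 > 9.9.9.9: ICMP echo request, id 1, seq 12, length 40
"""

# Matches the console tcpdump line format shown above (ICMP echo requests only).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\w+), (?P<dir>IN|OUT): "
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is an RFC 1918 private address, i.e. one masquerading should hide."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_capture(text):
    """Parse echo-request lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        p = m.groupdict()
        for key in ("id", "seq", "len"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def check_translation(packets, lan_port, wan_port, original_dst, new_dst):
    """Pair each LAN ingress packet for original_dst with the WAN egress packet that
    carries the same ICMP id/seq, and report whether DNAT and masquerading were applied."""
    egress = {(p["id"], p["seq"]): p
              for p in packets if p["iface"] == wan_port and p["dir"] == "OUT"}
    findings = []
    for p in packets:
        if p["iface"] != lan_port or p["dir"] != "IN" or p["dst"] != original_dst:
            continue
        out = egress.get((p["id"], p["seq"]))
        if out is None:
            findings.append({"seq": p["seq"], "dnat": False, "masq": False,
                             "note": "no matching packet left %s" % wan_port})
            continue
        dnat = out["dst"] == new_dst
        masq = not is_rfc1918(out["src"])
        note = []
        if not dnat:
            note.append("destination still %s, expected %s" % (out["dst"], new_dst))
        if not masq:
            note.append("private source %s left %s: enable masquerading"
                        % (out["src"], wan_port))
        findings.append({"seq": p["seq"], "dnat": dnat, "masq": masq,
                         "note": "; ".join(note) or "ok"})
    return findings


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    for f in check_translation(packets, "PortA", "PortB", "8.8.8.8", "9.9.9.9"):
        print("seq %d: dnat=%s masq=%s (%s)" % (f["seq"], f["dnat"], f["masq"], f["note"]))
```

    Run against the thread's own two lines, the check reports DNAT as applied (destination 9.9.9.9 on PortB) but masquerading as missing, because 172.16.16.17 is still the source on the WAN side; the constructed seq 12 pair shows what a correctly masqueraded egress packet looks like. To use it on a real capture, paste the console tcpdump output into SAMPLE_CAPTURE or read it from a file.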
