Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 2 replies
  • Subscribers 41 subscribers
  • Views 8134 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can the traffic from the Firewall itself be Natted by a Nat policy?

Matthewpease

I had a quick play with the home edition in a VM and I see that you can configure Nat policies.  (Couldn't do much with it as it isn't in the traffic path at the moment)


But the question I need to know is it possible to use a NAT policy to change the source IP of traffic originating from the firewall itself?

The reason I ask is because I'm thinking of buying a hardware appliance but I want to connect it to a network where the main IP on the Wan interface is actually just an RFC1918 address and as such cannot reach the internet.

that ip exists purely to facilitate communication with the upstream router so a /29 of public IPv4 space can be routed to it, So I'd need to add the /29 as an alias and then Nat to that IP instead of the main IP.


Obvisouly it should be able to do it for the devices behind the firewall, but it would need to do it for traffic the firewall/utm itself is sending as well (I.e when it calls into the cloud, when it's establshing vpn's .etc)



This thread was automatically locked due to age.
  • 0
    I haven't tried this, so theory only. Setup the modem in bridge mode, and create multiple addresses on the external interface, then you would need SNAT/DNAT rules but in theory are created automatically when you setup your VPNs.

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

  • 0

    No Modem ;-)

    It's actually a co-location facility, normally they'd fully route for most clients but since the router I have at the moment can do it I asked them to instead create a link-net (/30) and then hand the entire /29 over to me so I could then use all 8 IP address (Since the IP's are routed to me as the next hop I can treat them as 8x /32's and thus use them all if I wish.)

    The linknet is in RFC1918 space and not Natted their end, It exists purely to Link my router to theirs.

    I suppose in theory the RFC1918 /30 address may not even need to be the main address on the sophos box, it just needs to exist on the WAN side interface because that's where the Upstream routers going to try to send any data for any of the /29 public IP's

    Essentially the router at the moment (Mikrotik RB450G) works but it's starting to struggle, perticullarly when it comes to the site2site VPN I have in place place to home (It Have about 75/20 VDSL at home).

    I was going to upgrade the router with a newer model, but actually if the pricing I'm seeing on an XG85 is correct then providing it can work in this situation I'm rather tempted to grab one of those instead since it can handle more VPN throughput than the Routerboard and you get the UTM stuff added ontop.

    Edit:

    Actually I think I can probably test this using a VM, shouldn't take to much effort to replicate the setup.

Unfiltered HTML