Question on Destination NAT and Firewall Rule

Hi Deepak,

I noticed the same thing and posted the results of my testing here

Basically, if you put in the FW rule, the "public IP" as destination host, it will match, even if the rule is wan-lan or wan-dmz.

Why though? No idea.

Hi,

I think this is a traffic or Rule flow issue, and Sophos must fix it. I am assuming that it will failover for security testing. Today I will perform some typical type of testing with a security tool and will update you.

Thanks Antonio for your test.

I tried to follow the online documentation and I am even thinking on "how to create a DNAT on a WAN IP alias to an internal server?"

In my case I am trying to DNAT WAN IP alias 192.168.1.200 to internal server 192.168.0.8 by using external port 4455 that translates into 22 port.

So I started from NAT rule, because this is the "philosophy" now.

This is what I have done

I followed the documentation. Maybe I am wrong but it is not very clear. First of all, as you can see, in original service, I was not able to put 4455 but XG does not allow me to put a service that is different from translated service. They must match! I guess is a bug.

Then I created the NAT as shown and...How can I link the created NAT to a Firewall rule?

I will open a new thread on tranlated service and original service "bug"

Thanks Antonio for your input!

Thanks Antonio for your test.

I tried to follow the online documentation and I am even thinking on "how to create a DNAT on a WAN IP alias to an internal server?"

In my case I am trying to DNAT WAN IP alias 192.168.1.200 to internal server 192.168.0.8 by using external port 4455 that translates into 22 port.

So I started from NAT rule, because this is the "philosophy" now.

This is what I have done

I followed the documentation. Maybe I am wrong but it is not very clear. First of all, as you can see, in original service, I was not able to put 4455 but XG does not allow me to put a service that is different from translated service. They must match! I guess is a bug.

Then I created the NAT as shown and...How can I link the created NAT to a Firewall rule?

I will open a new thread on tranlated service and original service "bug"

Thanks Antonio for your input!

Hi,

Update: It is not allowing if I will select as SSH services. 

===============================

I tested the same as you are looking and it is working:

Could you check, if you any other DNAT rule with same Port number?

Thanks for your reply.

Telnet works but not SSH. Also, I do not have created yet the firewall rule for that. No other Firewall rule for that IP or service port

Hi,

A firewall rule is required with service selection of "Pre-Translate". 

Sorry deepakkhw I do not understand your point.

Hi,

Try a Firewall rule as 

"Link NAT" is only for Source NAT. It is not for the Destination NAT.

Ok, done it. And now?

DNAT is not linked

Hi,

As I said the DNAT NAT rule is not for Linking to any firewall rule. You can Link only SNAT rule to a firewall rule.

This is just confusing me!

http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallNATRules.html#pkw_b31_v3b__uxd_myl_n3b

You can Link NAT rule only Source rule means from LAN to WAN NAT rules can link to a Firewall rule. You can not Link a NAT rule from WAN to LAN.

deepakkhw said:

You can Link a NAT rule from WAN to LAN.

Still unclear.

In the NAT, I changed original destination from WAN alias to Port2 (maybe using alias is not possible). Same thing. Traffic is denied.

Also NAT counter connection is 0 and Firewall rule counter is 0