Question on Destination NAT and Firewall Rule

Hi,

We are testing V18 in my LAB and I am confused with Firewall rule and Destination NAT policy. My configuration as like:

In the Firewall Rule, Why I need Destination HOST as "ANY". If I will choose a host IP in destination Host as my SSH server then this rule is not working. Is it a bug or some specific reason for the required "ANY" in the Destination HOST field?

Parents
  • Hi Deepak,

    I noticed the same thing and posted the results of my testing here

    Basically, if you put in the FW rule, the "public IP" as destination host, it will match, even if the rule is wan-lan or wan-dmz.

    Why though? No idea.

  • Hi,

    I think this is a traffic or Rule flow issue, and Sophos must fix it. I am assuming that it will failover for security testing. Today I will perform some typical type of testing with a security tool and will update you.

    Thanks,

    Deepak Kumar

    Sophos XG & Central Architect 

  • Thanks Antonio for your test.

    I tried to follow the online documentation and I am even thinking on "how to create a DNAT on a WAN IP alias to an internal server?"

    In my case I am trying to DNAT WAN IP alias 192.168.1.200 to internal server 192.168.0.8 by using external port 4455 that translates into 22 port.

    So I started from NAT rule, because this is the "philosophy" now.

    This is what I have done

    I followed the documentation. Maybe I am wrong but it is not very clear. First of all, as you can see, in original service, I was not able to put 4455 but XG does not allow me to put a service that is different from translated service. They must match! I guess is a bug.

    Then I created the NAT as shown and...How can I link the created NAT to a Firewall rule?

    I will open a new thread on tranlated service and original service "bug"

    Thanks Antonio for your input!

Reply
  • Thanks Antonio for your test.

    I tried to follow the online documentation and I am even thinking on "how to create a DNAT on a WAN IP alias to an internal server?"

    In my case I am trying to DNAT WAN IP alias 192.168.1.200 to internal server 192.168.0.8 by using external port 4455 that translates into 22 port.

    So I started from NAT rule, because this is the "philosophy" now.

    This is what I have done

    I followed the documentation. Maybe I am wrong but it is not very clear. First of all, as you can see, in original service, I was not able to put 4455 but XG does not allow me to put a service that is different from translated service. They must match! I guess is a bug.

    Then I created the NAT as shown and...How can I link the created NAT to a Firewall rule?

    I will open a new thread on tranlated service and original service "bug"

    Thanks Antonio for your input!

Children