
NAT-ting Query

Hi folks,

We have a pair of SG450 Hardware Appliances (Hot-Standby Mode) running UTM Version 9.703-3 acting as Web Proxy Firewalls at the edge of our internal network.

Up until now we have been using Masquerading as the preferred method of hiding internal network IP Addresses.

However, we are in the process of deploying a new VoIP solution which requires that certain traffic does not undergo NAT as it passes through the UTM on its way to a Call Manager appliance in our DMZ.

For 'hard' phones, i.e. those on a separate internal VLAN of their own, I don't see any issue. Simply create a 'No NAT' rule on the UTM for this particular IP Address range and route it through to the Call Manager.

As for 'soft' phones, i.e. those using the IP Address of the host PC, I'm a little bit confused. If I create another 'No NAT' rule from the internal VLAN of the host PC to a specific destination in our DMZ, i.e. the Call Manager appliance, will the Masquerading rule still apply for all other Internet-bound traffic?

Am I looking at dispensing with Masquerading altogether and instead creating a SNAT rule for general Internet-bound traffic from our internal network as well as a 'No NAT' rule for traffic destined for the Call Manager?

I hope I have explained this okay and look forward to any comments/suggestions.

Many thanks,

 

John P



  • Haigh John,

    Please show a simple diagram with IPs so we can see what things where need to reach what things where.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Good to hear from you.

    Below is a diagram which shows (hopefully) what we're trying to achieve:

    We have been told by our supplier that VoIP traffic from both 'Hard' and 'Soft' phones has to traverse the proxy (Sophos UTM) without undergoing NAT to reach the Call Managers (10.64.X.10 or 10.64.X.20). The 'Hard' phones I can understand as they are on a VLAN of their own and a simple 'No NAT' rule on the UTM should suffice. The DMZ firewall is already set up to route the traffic to the relevant Call Manager without further NAT-ting.

    The 'Soft' phones are different though. They will be using the IP Address of the parent PC (I'm led to believe). Normally Internet-bound traffic from the PC would be NAT-ted at the UTM using Masquerading.

    I suppose I could create a 'No NAT' rule based on Source (10.X.15.0/24) using relevant Services (yet to be confirmed by vendor) Going To the Call Managers specifically (10.64.X.10 or 10.64.X.20) but I'm wondering if this will interfere with ordinary Internet bound traffic from the 10.X.15.0/24 sub-net. I still want it to be NAT-ted on its way through the UTM. Will Masquerading still work or will I have to create a specific SNAT rule for Internet traffic and do away with Masquerading altogether?

    Hope this makes some sort of sense.

    Thanks and best regards,

     

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • Thanks for the beautiful diagram, John!

    Your No-NAT rule will only affect traffic to the Call Managers and everything else will continue to function as it has in the past.  The VoIP vendor firewalls will need to know to route traffic for 10.X.15.0/24 to 172.X.0.1 according to your diagram.  Your DMZ firewall will need to know to route traffic to the respective call managers via 172.X.0.2 and 172.X.0.3.

    Let us know how it goes.

    Cheers - Bob

     
  • Many thanks for your reply, Bob; it has proven most helpful.

    As for the drawing, well, just a quick sketch done in freehand!!!

    Good to know that Masquerading will still kick in when the PC host is surfing the net.

    Best regards and thanks again,

     

    John P.

    PS - In my haste to get something thrown together I mistakenly referred to the 10.64.X.X devices as Call Managers. They are, in fact, Border Gateways. Anyhoo, no harm done. Onto the next stage, will keep you posted of any developments.

    JP


  • isoffice said:

    As for the drawing, well, just a quick sketch done in freehand!!!

    Fabulous diagram; my quick freehand sketches look more like the resultant output after a spider had been accidentally pulled into a fax machine. Thank you both for a great (and for me, educational) thread to read and carefully ponder.

    Kind regards (and my sincere apologies for chipping in without having anything useful to say).

    Briain

  • Hi Bob and Briain,

    Preliminary testing has shown that as long as I am specific about Source, Services and Destination, a 'No NAT' rule to allow 'Soft' phones on the 10.X.15.0/24 subnet to access the Border Gateways (10.64.X.10 & 10.64.X.20) will work fine. The DMZ firewall logs the source IP Address as that of the parent PC on which the 'soft' phone is installed and routes it accordingly.

    All other Internet-bound traffic from the parent PC is NAT-ted as per my current Masquerading rule and logged by the DMZ firewall as originating from the IP Address of the external interface of the Sophos UTM.

    All in all, I'm a very happy camper!! [:D]

    Best regards and thank you for your input.

     

    John P


  • Hi all,

    Just a little addendum which may (or may not) help someone in the future.

    I've had to create several 'No NAT' rules during this project and to make the process go a little quicker I selected the create 'Automatic Firewall Rule' option. As is often the way these 'No NAT' rules were subject to change which caused me to re-arrange them numerically at times. This had no effect whatsoever on the rule number of the related automatically created firewall rule. However, if you're like me, and prefer to see NAT rules and firewall rules aligned numerically this may prove a little disconcerting. Of course I'm working on the assumption that NAT rules are processed in number order, much like firewall rules. If I'm mistaken in this belief, please let me know.

    I was further confused by an article on the Sophos Knowledgebase (https://support.sophos.com/support/s/article/KB-000034782?language=en_US&c__displayLanguage=en_US) which stated that Automatic Firewall Rules do "not have a position number" and are "tagged with auto". I can assure you that, in my experience, automatically created firewall rules (created whilst configuring NAT rules anyway) DO have a position number.

    My workaround was to simply get my NAT rules in the correct numerical order, edit each one in turn and de-select the 'Automatic Firewall Rule' option. This subsequently cleared the automatically created rules from my firewall altogether. I then again edited each NAT rule in numerical order and re-selected the 'Automatic Firewall Rule' option and hey presto!! The automatically created rules re-appeared back in the firewall in the order I wished them to be in the first place.

    I know that I should have planned this better and sorted out my NAT rules prior to implementing them, but in real-world scenarios where contractors are on-site requesting fine-tuning and configuration changes to be made on-the-fly, it's very hard to think of everything beforehand.

    All of this is just to get things connected up, we'll be moving to QoS soon (the joys!!). So, expect to hear from me again, begging for assistance [:D].

    Best regards,

     

    John P


  • Hi John,

    "I'm working on the assumption that NAT rules are processed in number order."

    Bingo!  If you see an ordered list, the items are processed only so far as a packet qualifies for one and no further items in the list are considered.  So, even if the automatic firewall rules are processed in numeric order, the traffic will still be allowed by the appropriate rule even if the rules aren't in the same order as the NATs.  But hey, I'm a little OCD about such things myself! ;-)

    Cheers - Bob

     
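Two points in this thread are worth seeing in working code: John's test result that a 'No NAT' rule limited to a specific Source, Services and Destination leaves the Masquerading rule in charge of everything else, and Bob's explanation that an ordered rule list is first-match, so a packet stops at the first rule it qualifies for. The small evaluator below is an added example written for this page, not Sophos code and not how the UTM implements its NAT table internally. The rules and packets are constructed; the addresses 10.1.15.0/24, 10.64.1.10, 10.64.1.20 and 172.16.0.1 are assumed stand-ins for the thread's obfuscated 10.X.15.0/24, 10.64.X.10, 10.64.X.20 and 172.X.0.1, and the SIP/RTP port ranges are assumptions (the thread says the vendor had not yet confirmed the services). The `shadowed_rules` check goes slightly beyond the thread: it flags any rule that an earlier, broader rule makes unreachable, which is the failure you would get by putting the masquerade rule above the 'No NAT' exceptions.

```python
"""First-match NAT rule evaluation modelled on the thread above.

Added example, not Sophos code. Rules, packets and addresses are
constructed; 10.1.15.0/24, 10.64.1.10, 10.64.1.20 and 172.16.0.1 are
assumed stand-ins for the thread's obfuscated values, and the service
port ranges are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Service:
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination ports covered

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == "any" or self.proto == pkt.proto) and pkt.dport in self.ports

    def covers(self, other: "Service") -> bool:
        """True if every packet matching `other` would also match self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        return proto_ok and self.ports.start <= other.ports.start and other.ports.stop <= self.ports.stop


ANY = Service("any", range(0, 65536))
SIP = Service("udp", range(5060, 5062))    # assumed signalling ports
RTP = Service("udp", range(16384, 32768))  # assumed media port range


@dataclass(frozen=True)
class NatRule:
    name: str
    action: str                       # "NO_NAT" or "MASQ"
    src_net: str
    dst_net: str
    services: Tuple[Service, ...]
    masq_addr: Optional[str] = None   # MASQ only: address the next hop sees

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and any(s.matches(pkt) for s in self.services))

    def covers(self, other: "NatRule") -> bool:
        """True if self would match every packet that `other` could match."""
        return (ip_network(other.src_net).subnet_of(ip_network(self.src_net))
                and ip_network(other.dst_net).subnet_of(ip_network(self.dst_net))
                and all(any(mine.covers(theirs) for mine in self.services)
                        for theirs in other.services))


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ordered list: the first matching rule decides and later
    rules are not consulted. Returns (rule name, source the next hop sees)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, (rule.masq_addr if rule.action == "MASQ" else pkt.src)
    return "no rule", pkt.src


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


UTM_EXTERNAL = "172.16.0.1"  # assumed external address of the UTM
NO_NAT_BGW1 = NatRule("1 no-NAT softphones -> BGW1", "NO_NAT",
                      "10.1.15.0/24", "10.64.1.10/32", (SIP, RTP))
NO_NAT_BGW2 = NatRule("2 no-NAT softphones -> BGW2", "NO_NAT",
                      "10.1.15.0/24", "10.64.1.20/32", (SIP, RTP))
MASQ_ALL = NatRule("3 masquerade internal -> any", "MASQ",
                   "10.0.0.0/8", "0.0.0.0/0", (ANY,), UTM_EXTERNAL)

RULES_OK = [NO_NAT_BGW1, NO_NAT_BGW2, MASQ_ALL]     # specific exceptions first
RULES_WRONG = [MASQ_ALL, NO_NAT_BGW1, NO_NAT_BGW2]  # masquerade first: exceptions unreachable

if __name__ == "__main__":
    softphone_sip = Packet("10.1.15.23", "10.64.1.10", "udp", 5060)
    softphone_web = Packet("10.1.15.23", "93.184.216.34", "tcp", 443)
    for rules in (RULES_OK, RULES_WRONG):
        for pkt in (softphone_sip, softphone_web):
            print(apply_nat(rules, pkt))
        print("shadowed:", shadowed_rules(rules))
```

With the exceptions listed first, a softphone's SIP packet to a Border Gateway reaches the DMZ with the PC's own address, while the same PC's HTTPS traffic (and even HTTPS to the Border Gateway, since it is not one of the listed services) is masqueraded to the UTM's external address. With the masquerade rule first, both 'No NAT' rules are reported as shadowed and the SIP packet is masqueraded too, which is why the numeric order of the NAT rules is the thing to get right; the automatically created firewall rules only decide whether the traffic is allowed, not how it is translated.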