I'm thinking about buying a Sophos UTM9 appliance and I wanted to know which NAT method it uses (Full-Cone, Symmetric, Restricted-Cone or Port-Restricted Cone).
Sadly I didn't find any information on this topic.
Can someone tell me which method is being used?
Hello Der Borris,
a new NAT rule is defined as follows:
In addition, you get this information on it:
Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are both special cases of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten, while with its counterpart DNAT, the destination addresses of data packets are rewritten. DNAT is especially useful when your internal network uses private IP addresses, but you want to make some services available to the outside.
This is best demonstrated with an example. Suppose your internal network uses the address space 192.168.0.0/255.255.255.0 and a webserver running at IP address 192.168.0.20 port 80 should be available to Internet-based clients. Because the 192.168. address space is private, the Internet-based clients cannot send packets directly to the webserver. It is, however, possible for them to communicate with the external (public) address of Sophos UTM. DNAT can, in this case, take packets addressed to port 80 of the system’s address and forward them to the internal webserver.
Note – PPTP VPN Access is incompatible with DNAT.
In contrast to masquerading, which always maps to the primary network interface address, SNAT maps the source address to the address specified in the SNAT rule.
1:1 NAT is a special case of DNAT or SNAT. In this case all addresses of an entire network are being translated one-to-one into the addresses of another network having the same netmask. So the first address of the original network will be translated into the first address of the other network, the second into the second and so on. A 1:1 NAT rule can be applied to either the source or the destination address.
Note – By default, port 443 (HTTPS) is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCP port of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.
Because DNAT is done before firewalling, you must ensure that appropriate firewall rules are defined. For more information, see Network Protection > Firewall > Rules.
To define a NAT rule, proceed as follows:
On the NAT tab, click New NAT Rule.
The Add NAT Rule dialog box opens.
Make the following settings:
Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes, it does not affect rule matching. To create a new group select the << New group >> entry and enter a descriptive name in the Name field.
Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.
Rule type: Select the network address translation mode. Depending on your selection, various options will be displayed. The following modes are available:
Note – You have to add the SNAT rules before you activate the Web Filter. Sophos UTM prioritizes Web Filter settings higher than SNAT rules. If you select a SNAT rule while the Web Filter is activated, the rule may not work. You can activate or deactivate the Web Filter on the Web Protection > Web Filtering > Global page.
Matching Condition: Add or select the source and destination network/host and the service for which you want to translate addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Using service: The original service type of the packets (consisting of source and destination ports as well as a protocol type).
Note – A traffic service can only be translated when the corresponding addresses are translated as well. In addition, a service can only be translated to another service when the two services use the same protocol.
Action: Add or select the source and/or destination and/or the service type into which you want to translate the original IP packet data. The displayed parameters depend on the selected Rule type. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
1:1 NAT mode (only with 1:1 NAT rule type): Select one of the following modes:
Note – You need to add an entire network into the field For traffic from when you want to map the source, or into the field Going to when you want to map the destination.
Automatic firewall rule (optional): Select this option to automatically generate firewall rules that allow the corresponding traffic to pass through the firewall.
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
Rule applies to IPsec packets (only with SNAT or Full NAT mode): Select this option if you want to apply the rule to traffic which is going to be processed by IPsec. By default this option is not selected, thus IPsec traffic is excluded from source network address translation.
Log initial packets (optional): Select this option if you want to write the initializing packet of a communication to the firewall log. Whenever the NAT rule is used, you will then find a message in the firewall log saying "Connection using NAT". This option works for stateful as well as stateless protocols.
The new rule appears on the NAT list.
Enable the NAT rule.
To either edit or delete a rule, click the corresponding buttons.
Kind regards, Regards from Germany,
New Vision GmbH, Germany, Sophos Silver Partner
If a post solves your question please use the 'Verify Answer' button.
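The rule semantics quoted above (ascending position, first match wins; DNAT rewrites the destination, SNAT the source, 1:1 NAT the n-th address of one network to the n-th address of another with the same netmask) as an added model in Python. This is example code written for this thread, not Sophos code, and the rule table, the public address 203.0.113.5 and the 10.8.0.0/24 network are constructed for the example; it follows the documented "once a rule has matched, rules with a higher number will not be evaluated" statement literally.

```python
"""Minimal model of a NAT rule table with the documented first-match semantics."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    position: int                        # lower number = higher priority
    rule_type: str                       # "DNAT", "SNAT" or "1:1 NAT"
    traffic_from: str                    # source network/host the rule matches
    going_to: str                        # destination network/host the rule matches
    service: Optional[Tuple[str, int]]   # (proto, dport) to match, None = any service
    translate_to: str                    # new address, or target network for 1:1 NAT
    map_field: str = "destination"       # 1:1 NAT only: "source" or "destination"
    new_port: Optional[int] = None       # DNAT only: also rewrite the destination port


def one_to_one(address: str, original_net: str, mapped_net: str) -> str:
    """Map the n-th address of original_net to the n-th address of mapped_net."""
    orig = ipaddress.ip_network(original_net)
    mapped = ipaddress.ip_network(mapped_net)
    if orig.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT requires both networks to use the same netmask")
    addr = ipaddress.ip_address(address)
    if addr not in orig:
        raise ValueError(f"{addr} is not inside {orig}")
    offset = int(addr) - int(orig.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def _matches(packet: Packet, rule: NatRule) -> bool:
    if ipaddress.ip_address(packet.src) not in ipaddress.ip_network(rule.traffic_from):
        return False
    if ipaddress.ip_address(packet.dst) not in ipaddress.ip_network(rule.going_to):
        return False
    return rule.service is None or (packet.proto, packet.dport) == rule.service


def apply_nat(packet: Packet, rules) -> Tuple[Packet, Optional[int]]:
    """Walk the table in ascending position order; the first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.position):
        if not _matches(packet, rule):
            continue
        if rule.rule_type == "DNAT":
            return replace(packet, dst=rule.translate_to,
                           dport=rule.new_port or packet.dport), rule.position
        if rule.rule_type == "SNAT":
            return replace(packet, src=rule.translate_to), rule.position
        if rule.rule_type == "1:1 NAT":
            if rule.map_field == "source":
                return replace(packet, src=one_to_one(
                    packet.src, rule.traffic_from, rule.translate_to)), rule.position
            return replace(packet, dst=one_to_one(
                packet.dst, rule.going_to, rule.translate_to)), rule.position
        raise ValueError(f"unknown rule type {rule.rule_type!r}")
    return packet, None  # no rule matched: packet passes untranslated


# Constructed rule table for the documentation's web-server example (public IP is made up).
RULES = [
    # Internet clients hitting port 80 on the public address are sent to the LAN web server.
    NatRule(1, "DNAT", "0.0.0.0/0", "203.0.113.5", ("tcp", 80), "192.168.0.20"),
    # LAN hosts leaving for any destination get the public address as source.
    NatRule(2, "SNAT", "192.168.0.0/24", "0.0.0.0/0", None, "203.0.113.5"),
    # Whole-network mapping 10.8.0.x -> 192.168.0.x; both sides share the /24 netmask.
    NatRule(3, "1:1 NAT", "0.0.0.0/0", "10.8.0.0/24", None, "192.168.0.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", 40000, "203.0.113.5", 80),
                Packet("192.168.0.10", 51000, "198.51.100.7", 443),
                Packet("198.51.100.7", 1234, "10.8.0.20", 22),
                Packet("192.168.0.10", 1, "10.8.0.20", 22)):
        print(pkt, "->", *apply_nat(pkt, RULES))
```

The last sample packet (a LAN host talking to 10.8.0.20) is the ordering trap the Position paragraph warns about: the broad SNAT rule at position 2 matches first, so the 1:1 rule at position 3 is never evaluated for it.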
... And then there is also "Masquerading"
Masquerading is a special case of Source Network Address Translation (SNAT) and allows you to masquerade an internal network (typically, your LAN with private address space) behind a single, official IP address on a network interface (typically, your external interface connected to the Internet). SNAT is more generic as it allows mapping multiple source addresses to several destination addresses.
Note – The source address is only translated if the packet leaves the gateway system via the specified interface. Note further that the new source address is always the current IP address of that interface (meaning that this address can be dynamic).
To create a masquerading rule, proceed as follows:
On the Masquerading tab, click New Masquerading Rule.
The Add Masquerading Rule dialog box opens.
Network: Select the (internal) network you want to masquerade.
Interface: Select the (external) interface that is connected to the Internet.
Use address: If the interface you selected has more than one IP address assigned (see Interfaces & Routing > Interfaces > Additional Addresses), you can define here which IP address is to be used for masquerading.
The new masquerading rule appears on the Masquerading rule list.
Enable the masquerading rule.
Click the toggle switch to activate the masquerading rule.
Note – You need to allow traffic from the internal network to the Internet in the firewall if you want your clients to access external servers.
IPsec packets are never affected by masquerading rules. To translate the source address of IPsec packets create an SNAT or Full NAT rule.
Hello Mr. Rusch,
thank you for your answers.
I wasn't really asking about how to create the NAT rules.
The problem is that I use several applications that do not work with symmetric NAT, i.e. endpoint-dependent mapping. That's why I wanted to ask whether the Sophos uses this NAT method, since I couldn't find anything about it online.
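The four behaviours named in the question, as an added simulation that is not part of this thread and says nothing about what the UTM itself does. It uses the RFC 4787 mapping/filtering terms (the "cone" names are the older RFC 3489 ones) and shows the effect the poster describes: only a NAT with endpoint-independent mapping lets a client reuse the public address:port it learned from one server toward a different peer. The client, the STUN-like server, the peer and the public address 203.0.113.5 are all constructed.

```python
"""Simulate NAT mapping/filtering behaviour and probe what a peer can reach."""
import itertools

# Legacy name -> (mapping behaviour, filtering behaviour) in RFC 4787 terms.
CONE_TYPES = {
    "full cone": ("independent", "independent"),
    "restricted cone": ("independent", "address"),
    "port-restricted cone": ("independent", "address_port"),
    "symmetric": ("address_port", "address_port"),
}


def classify(mapping: str, filtering: str) -> str:
    """Return the legacy cone name for a behaviour pair, or 'other'."""
    for name, pair in CONE_TYPES.items():
        if pair == (mapping, filtering):
            return name
    return "other"


class Nat:
    def __init__(self, public_ip, mapping, filtering):
        self.public_ip = public_ip
        self.mapping = mapping        # which outbound packets share one external port
        self.filtering = filtering    # which inbound packets may use that port
        self._ports = itertools.count(10000)
        self.mappings = {}            # mapping key -> external port
        self.sessions = set()         # (external port, dst ip, dst port) seen outbound

    def _key(self, src, dst):
        if self.mapping == "independent":
            return (src,)               # same internal socket -> same external port
        if self.mapping == "address":
            return (src, dst[0])        # new port for each destination address
        return (src, dst)               # new port for each destination address:port

    def outbound(self, src, dst):
        """Translate an outbound packet; return the external (ip, port) used."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        ext_port = self.mappings[key]
        self.sessions.add((ext_port, dst[0], dst[1]))
        return (self.public_ip, ext_port)

    def inbound(self, remote, ext_port):
        """True if a packet from `remote` to ext_port is allowed through the filter."""
        if ext_port not in self.mappings.values():
            return False
        if self.filtering == "independent":
            return True
        if self.filtering == "address":
            return any(p == ext_port and ip == remote[0] for p, ip, _ in self.sessions)
        return (ext_port, remote[0], remote[1]) in self.sessions


def probe(nat_type: str) -> dict:
    """Run the usual 'learn reflexive address, then contact a peer' sequence."""
    mapping, filtering = CONE_TYPES[nat_type]
    nat = Nat("203.0.113.5", mapping, filtering)          # constructed public address
    client = ("192.168.0.10", 5000)
    server = ("198.51.100.1", 3478)                        # constructed STUN-like server
    peer = ("198.51.100.200", 6000)                        # constructed peer
    # 1. the client asks the server which public address:port it appears as
    _, reflexive_port = nat.outbound(client, server)
    # 2. the peer tries that address before the client has sent it anything
    unsolicited = nat.inbound(peer, reflexive_port)
    # 3. the client sends to the peer first, then the peer sends to the learned port
    _, port_toward_peer = nat.outbound(client, peer)
    after_punch = nat.inbound(peer, reflexive_port)
    return {
        "reflexive_port_reused": reflexive_port == port_toward_peer,
        "unsolicited_inbound": unsolicited,
        "peer_reaches_client_after_punch": after_punch,
    }


if __name__ == "__main__":
    for name in CONE_TYPES:
        print(f"{name:22s} {probe(name)}")
```

For the symmetric case the port the client used toward the peer differs from the one the server reported, so the peer's packets to the reported port never match a session and are dropped; that is the failure mode of the applications mentioned above.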
That was the quickest way to show which options exist when creating NAT rules on the UTM.
Throwing terms around doesn't help here; every vendor understands something different by them. Cisco or HP, for example.
But since the UTM uses a Linux kernel, I don't see the problem.
Welcome to the community!
(Sorry, my German-speaking brain isn't creating thoughts at the moment. )
Sophos has excellent pre-sales engineers. I would urge you to call Sophos Sales in Germany and ask that question. Please share here what you learn.
Regards - Bob (Please continue in German.)