Sophos UTM9 NAT Method

Hi everyone,

I'm thinking about buying a Sophos UTM9 appliance and I wanted to know which method of NAT it is using (Full-Cone, Symmetric, Restricted-Cone or Port-Restricted Cone).

Sadly I didn't find any information on this topic.

Can someone tell me which method is being used?

  • Hello Der Borris,

    A new NAT rule is defined as follows:

    Furthermore, the following information is given on it:

    NAT

    Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are both special cases of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten, while with its counterpart DNAT, the destination addresses of data packets are rewritten. DNAT is especially useful when your internal network uses private IP addresses, but you want to make some services available to the outside.

    This is best demonstrated with an example. Suppose your internal network uses the address space 192.168.0.0/255.255.255.0 and a webserver running at IP address 192.168.0.20 port 80 should be available to Internet-based clients. Because the 192.168. address space is private, the Internet-based clients cannot send packets directly to the webserver. It is, however, possible for them to communicate with the external (public) address of Sophos UTM. DNAT can, in this case, take packets addressed to port 80 of the system’s address and forward them to the internal webserver.

    Note – PPTP VPN Access is incompatible with DNAT.

    In contrast to masquerading, which always maps to the primary network interface address, SNAT maps the source address to the address specified in the SNAT rule.

    1:1 NAT is a special case of DNAT or SNAT. In this case all addresses of an entire network are being translated one-to-one into the addresses of another network having the same netmask. So the first address of the original network will be translated into the first address of the other network, the second into the second and so on. A 1:1 NAT rule can be applied to either the source or the destination address.

    Note – By default, port 443 (HTTPS) is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCP port of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.

    Because DNAT is done before firewalling, you must ensure that appropriate firewall rules are defined. For more information, see Network Protection > Firewall > Rules.

    To define a NAT rule, proceed as follows:

    1. On the NAT tab, click New NAT Rule.

      The Add NAT Rule dialog box opens.

    2. Make the following settings:

      Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes, it does not affect rule matching. To create a new group select the << New group >> entry and enter a descriptive name in the Name field.

      Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

      Rule type: Select the network address translation mode. Depending on your selection, various options will be displayed. The following modes are available:

      • SNAT (source): Maps the source address of defined IP packets to one new source address. The service can be changed, too.

        Note – You have to add the SNAT rules before you activate the Web Filter. Sophos UTM prioritizes Web Filter settings higher than SNAT rules. If you select a SNAT rule while the Web Filter is activated the rule may not work. You can activate or deactivate the Web Filter on the Web Protection > Web Filtering > Global page.

      • DNAT (destination): Maps the destination address of defined IP packets to one new destination address. The service can be changed, too.
      • 1:1 NAT (whole networks): Maps IP addresses of a network to another network one-to-one. The rule applies either for the source or for the destination address of the defined IP packets.
      • Full NAT (source + destination): Maps both the source address and the destination address of defined IP packets to one new source and one new destination address. The source service and the target service can be changed, too.
      • No NAT: This option can be regarded as a kind of exception rule. For example, if you have a NAT rule for a defined network you can create a No NAT rule for certain hosts inside this network. Those hosts will then be exempted from NAT.

      Matching Condition: Add or select the source and destination network/host and the service for which you want to translate addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

      • For traffic from: The original source address of the packets. This can be either a single host or an entire network, or, except for the 1:1 NAT rule type, a network range.
      • Using service: The original service type of the packets (consisting of source and destination ports as well as a protocol type).

        Note – A traffic service can only be translated when the corresponding addresses are translated as well. In addition, a service can only be translated to another service when the two services use the same protocol.

      • Going to: The original destination address of the packets. This can be either a single host or an entire network. With SNAT and No NAT, it can also be a network range.

      Action: Add or select the source and/or destination and/or the service type into which you want to translate the original IP packet data. The displayed parameters depend on the selected Rule type. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

      • Change the source to (only with SNAT or Full NAT mode): Select the source host, that is, the new source address of the packets.
      • Change the destination to (only with DNAT or Full NAT mode): Select the destination host, that is, the new destination address of the packets.
      • And the service to (only with DNAT, SNAT or Full NAT mode): Select the new service of the packets. Depending on the selected Rule type this can be the source and/or destination service.
      • 1:1 NAT mode (only with 1:1 NAT rule type): Select one of the following modes:

        • Map destination: Changes the destination address.
        • Map source: Changes the source address.

        Note – You need to add an entire network into the field For traffic from when you want to map the source, or into the field Going to when you want to map the destination.

      • Map to (only with 1:1 NAT mode): Select the network you want to translate the original IP addresses into. Please note that the original network and the translated network must have the same netmask.

      Automatic firewall rule (optional): Select this option to automatically generate firewall rules that allow the corresponding traffic to pass through the firewall.

      Comment (optional): Add a description or other information.

    3. Optionally, make the following advanced settings:

      Rule applies to IPsec packets (only with SNAT or Full NAT mode): Select this option if you want to apply the rule to traffic which is going to be processed by IPsec. By default this option is not selected, thus IPsec traffic is excluded from source network address translation.

      Log initial packets (optional): Select this option if you want to write the initializing packet of a communication to the firewall log. Whenever the NAT rule is used, you will then find a message in the firewall log saying "Connection using NAT". This option works for stateful as well as stateless protocols.

    4. Click Save.

      The new rule appears on the NAT list.

    5. Enable the NAT rule.

      The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

    To either edit or delete a rule, click the corresponding buttons.

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • ... And then there is also "Masquerading"

    Masquerading

    Masquerading is a special case of Source Network Address Translation (SNAT) and allows you to masquerade an internal network (typically, your LAN with private address space) behind a single, official IP address on a network interface (typically, your external interface connected to the Internet). SNAT is more generic as it allows you to map multiple source addresses to several destination addresses.

    Note – The source address is only translated if the packet leaves the gateway system via the specified interface. Note further that the new source address is always the current IP address of that interface (meaning that this address can be dynamic).

    To create a masquerading rule, proceed as follows:

    1. On the Masquerading tab, click New Masquerading Rule.

      The Add Masquerading Rule dialog box opens.

    2. Make the following settings:

      Network: Select the (internal) network you want to masquerade.

      Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

      Interface: Select the (external) interface that is connected to the Internet.

      Use address: If the interface you selected has more than one IP address assigned (see Interfaces & Routing > Interfaces > Additional Addresses), you can define here which IP address is to be used for masquerading.

      Comment (optional): Add a description or other information.

    3. Click Save.

      The new masquerading rule appears on the Masquerading rule list.

    4. Enable the masquerading rule.

      Click the toggle switch to activate the masquerading rule.

    To either edit or delete a rule, click the corresponding buttons.

    Note – You need to allow traffic from the internal network to the Internet in the firewall if you want your clients to access external servers.

    IPsec packets are never affected by masquerading rules. To translate the source address of IPsec packets create an SNAT or Full NAT rule.

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
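The two replies above describe the UTM's NAT rule semantics in prose: rules are tried in ascending position and the first match wins, "No NAT" acts as an exception, masquerading substitutes the current address of the egress interface, and DNAT runs before the firewall, so the firewall rule has to match the translated destination. The following Python model is an added example written for this page, not Sophos code or configuration; it simulates those semantics on constructed addresses, interface names and rules so the ordering and the "DNAT before firewalling" caveat can be seen on a packet.

```python
"""First-match NAT rule evaluation followed by firewall filtering.

Added illustration, not Sophos code: it models the rule semantics the quoted
documentation describes (rules tried in ascending position, first match wins,
"No NAT" as an exception, masquerading using the egress interface's current
address, and DNAT applied before the firewall so that firewall rules must
match the *translated* destination). All addresses, interface names and rules
are constructed sample data.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    out_iface: str          # interface the packet would leave through


@dataclass(frozen=True)
class NatRule:
    position: int           # lower number = higher priority
    kind: str               # "SNAT", "DNAT", "NONAT" or "MASQ"
    from_net: str           # original source ("0.0.0.0/0" = any)
    to_net: str             # original destination
    dport: Optional[int] = None      # original destination port; None = any
    new_src: Optional[str] = None    # SNAT: fixed new source address
    new_dst: Optional[str] = None    # DNAT: new destination address
    new_dport: Optional[int] = None  # DNAT: optional service change
    iface: Optional[str] = None      # MASQ: only when leaving via this interface
    enabled: bool = True             # the UI creates rules disabled; set True here


@dataclass(frozen=True)
class FwRule:
    to_net: str
    dport: Optional[int]
    action: str             # "allow" or "drop"


def nat_matches(rule: NatRule, pkt: Packet) -> bool:
    return (rule.enabled
            and ip_address(pkt.src) in ip_network(rule.from_net)
            and ip_address(pkt.dst) in ip_network(rule.to_net)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.kind != "MASQ" or rule.iface == pkt.out_iface))


def apply_nat(rules, pkt, iface_addrs) -> Tuple[Packet, Optional[NatRule]]:
    """Walk the table in ascending position; the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.position):
        if not nat_matches(rule, pkt):
            continue
        if rule.kind == "NONAT":           # explicit exception: leave untouched
            return pkt, rule
        if rule.kind == "DNAT":
            return replace(pkt, dst=rule.new_dst,
                           dport=rule.new_dport or pkt.dport), rule
        if rule.kind == "SNAT":            # fixed address taken from the rule
            return replace(pkt, src=rule.new_src), rule
        if rule.kind == "MASQ":            # current address of the egress interface
            return replace(pkt, src=iface_addrs[rule.iface]), rule
    return pkt, None


def firewall(fw_rules, pkt) -> str:
    """Default-deny filter evaluated on the packet *after* NAT."""
    for r in fw_rules:
        if (ip_address(pkt.dst) in ip_network(r.to_net)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "drop"


def process(nat_rules, fw_rules, pkt, iface_addrs):
    translated, used = apply_nat(nat_rules, pkt, iface_addrs)
    return translated, used, firewall(fw_rules, translated)


# Constructed topology: eth1 is the external interface with a public address.
IFACE_ADDRS = {"eth1": "198.51.100.1"}
NAT_RULES = [
    NatRule(1, "NONAT", "192.168.0.99/32", "0.0.0.0/0"),
    NatRule(2, "DNAT", "0.0.0.0/0", "198.51.100.1/32", dport=80,
            new_dst="192.168.0.20", new_dport=80),
    NatRule(3, "MASQ", "192.168.0.0/24", "0.0.0.0/0", iface="eth1"),
]
# Two firewall policies for the published web server: the first matches the
# public address, which the packet no longer carries once DNAT has run.
FW_PUBLIC_ADDR = [FwRule("198.51.100.1/32", 80, "allow")]
FW_INTERNAL_ADDR = [FwRule("192.168.0.20/32", 80, "allow")]
FW_OUTBOUND = [FwRule("0.0.0.0/0", None, "allow")]


def inbound_web(fw_rules):
    """Internet client hits the UTM's public address on port 80."""
    pkt = Packet("203.0.113.5", "198.51.100.1", 80, out_iface="eth0")
    return process(NAT_RULES, fw_rules, pkt, IFACE_ADDRS)


def outbound_dns(src):
    """LAN host sends a DNS query out through the external interface."""
    pkt = Packet(src, "203.0.113.53", 53, out_iface="eth1")
    return process(NAT_RULES, FW_OUTBOUND, pkt, IFACE_ADDRS)


if __name__ == "__main__":
    for fw in (FW_PUBLIC_ADDR, FW_INTERNAL_ADDR):
        t, used, verdict = inbound_web(fw)
        print(f"DNAT by rule {used.position}: dst={t.dst}:{t.dport} firewall={verdict}")
    for src in ("192.168.0.50", "192.168.0.99"):
        t, used, verdict = outbound_dns(src)
        print(f"{src} -> {t.src} via rule {used.position} ({used.kind})")
```

Running the block shows the inbound packet being rewritten to 192.168.0.20:80 and then dropped under the policy that names the public address, while the policy that names the internal server allows it; the outbound cases show the masquerading rule picking up the interface address and the position-1 No NAT rule exempting the single host before the masquerading rule is ever consulted.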

  • Hello Mr. Rusch,

    thank you for your answers.

    My question was not really about how to create the NAT rules.

    The problem is that I use several applications that do not work with symmetric NAT, i.e. endpoint-dependent mapping. That is why I wanted to ask whether the Sophos uses this NAT method, since I could not find anything about it online.
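The distinction the asker draws here, and in the opening question, is between NATs with endpoint-independent mapping (the "cone" types) and NATs whose mapping depends on the remote endpoint (classic "symmetric" NAT), which is what breaks peer-to-peer applications that learn their own public endpoint from a rendezvous server. The simulation below is an added example for this page and says nothing about which behaviour the UTM implements; it models the mapping and filtering behaviours named in RFC 4787 on constructed addresses, runs the classic two-server probe from RFC 3489 terminology against each, and shows why two hosts can reach each other through port-restricted cone NATs but not when one side is symmetric.

```python
"""Simulated NAT behaviours (RFC 4787 mapping/filtering terms) and the
classic probe that tells them apart.

Added illustration, not Sophos code: it does not describe the UTM's actual
behaviour. Every address and port below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Set, Tuple

Endpoint = Tuple[str, int]

EIM = "endpoint-independent"          # same external port for every remote
ADM = "address-dependent"             # new port per remote address
APDM = "address-and-port-dependent"   # new port per remote address:port


@dataclass
class Nat:
    mapping: str                       # how external ports are allocated
    filtering: str                     # which inbound senders are admitted
    public_ip: str = "198.51.100.1"
    _ports: Iterator[int] = field(default_factory=lambda: count(40000))
    _map: Dict[tuple, int] = field(default_factory=dict)
    # external port -> remote endpoints the inside host has sent to via it
    _seen: Dict[int, Set[Endpoint]] = field(default_factory=lambda: defaultdict(set))

    def _key(self, internal: Endpoint, remote: Endpoint) -> tuple:
        if self.mapping == EIM:
            return internal
        if self.mapping == ADM:
            return internal + (remote[0],)
        return internal + remote

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends to `remote`; return the external endpoint used."""
        key = self._key(internal, remote)
        if key not in self._map:
            self._map[key] = next(self._ports)
        port = self._map[key]
        self._seen[port].add(remote)
        return (self.public_ip, port)

    def inbound_allowed(self, ext_port: int, remote: Endpoint) -> bool:
        """Would a packet from `remote` to this external port pass the filter?"""
        if ext_port not in self._seen:
            return False                       # no mapping at all
        seen = self._seen[ext_port]
        if self.filtering == EIM:
            return True                        # full cone
        if self.filtering == ADM:
            return any(r[0] == remote[0] for r in seen)   # restricted cone
        return remote in seen                  # port-restricted cone


def classify(nat: Nat, internal: Endpoint = ("192.168.0.50", 5000)) -> str:
    """Two-server probe: if the external port differs per server the NAT is
    symmetric; otherwise probe the filter to tell the cone types apart."""
    srv1, srv2 = ("203.0.113.10", 3478), ("203.0.113.20", 3478)
    ext1 = nat.outbound(internal, srv1)
    ext2 = nat.outbound(internal, srv2)
    if ext1 != ext2:
        return "symmetric"
    port = ext1[1]
    if nat.inbound_allowed(port, ("203.0.113.99", 9999)):   # unknown peer
        return "full cone"
    if nat.inbound_allowed(port, ("203.0.113.10", 9999)):   # known address, new port
        return "restricted cone"
    return "port-restricted cone"


def p2p_works(mapping_a: str, filtering_a: str,
              mapping_b: str, filtering_b: str) -> bool:
    """Both hosts learn each other's server-observed endpoint from a
    rendezvous server, then send to each other simultaneously."""
    nat_a = Nat(mapping_a, filtering_a, public_ip="198.51.100.1")
    nat_b = Nat(mapping_b, filtering_b, public_ip="198.51.100.2")
    a, b = ("10.0.0.2", 6000), ("10.0.1.2", 6000)
    server = ("203.0.113.10", 3478)
    a_ext = nat_a.outbound(a, server)          # what the server reports for A
    b_ext = nat_b.outbound(b, server)          # what the server reports for B
    a_to_b = nat_a.outbound(a, b_ext)          # mapping A actually uses toward B
    b_to_a = nat_b.outbound(b, a_ext)          # mapping B actually uses toward A
    return (nat_b.inbound_allowed(b_ext[1], a_to_b)
            and nat_a.inbound_allowed(a_ext[1], b_to_a))


if __name__ == "__main__":
    for name, (m, f) in {"full cone": (EIM, EIM), "restricted": (EIM, ADM),
                         "port-restricted": (EIM, APDM), "symmetric": (APDM, APDM)}.items():
        print(f"{name:16s} probe says: {classify(Nat(m, f))}")
    print("port-restricted <-> port-restricted:", p2p_works(EIM, APDM, EIM, APDM))
    print("symmetric       <-> port-restricted:", p2p_works(APDM, APDM, EIM, APDM))
```

The probe reports "symmetric" for any endpoint-dependent mapping (address-dependent or address-and-port-dependent), which is exactly the class the asker says their applications cannot handle: the server-observed port is not the one the NAT will use toward a peer, so the peer's packets hit a port with no matching state.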

  • Hello,

    that was the quickest way to show which options there are when creating NAT rules on the UTM.

    Throwing terms around doesn't help here; every vendor understands something different by them. Cisco or HP, for example.

    But since the UTM uses a Linux kernel, I don't understand the problem.

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hallo,

    A warm welcome to the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    Sophos has excellent pre-sales engineers.  I would urge you to call Sophos Sales in Deutschland and ask that question.  Please share here what you learn.

    MfG - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA