Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 8735 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SophosUTM on AWS - NAT whilst retaining original IP

zzzp8

 Hi there

 

Trying to setup an inbound NAT rule from 0.0.0.0/0 , to a server sitting inside of a VPC inside AWS on a private subnet.

 

I have setup the NAT rule as below and can see the traffic passing. The VPC routing inside of the VPC is set to direct traffic to the Network interface of the Sophos for any traffic that is 0.0.0.0/0 

 

The issue is the server I have is a SFTP server, and it blocks traffic from specific IP's on repeated failed attempts e.g. if someone tries to brute force the SFTP server it will blacklist the IP address. Therefore I need the firewall to not translate inbound traffic and retain the original WAN IP addresses that are trying to connect to the Sophos firewall. Otherwise the SFTP will block the IP address of the Sophos firewall IP and nobody will be able to access to the SFTP Server (Because the SFTP server would see only the translated IP address of the Sophos).

 

Is it possible to do a NAT whilst retaining the original IP of the person sending traffic into our SFTP server?

 

 

 



This thread was automatically locked due to age.
Parents
  • 0

    I've moved this thread to the UTM on AWS forum.  You might PM Sachingurung to see if there's documentation about this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    For clarification, a full NAT is required not because there's an issue with UTM, rather this is a requirement for the traffic to not be dropped by AWS as it leaves the UTM's interface.  I'm not 100% sure the reason.  I use to think that AWS would block any traffic traversing the VPC who's source IP address wasn't within the network range of the VPC....or even that AWS didn't allow public IP addresses to be kept as source IP addresses within VPCs, but I've never been able to find any specific AWS documentation related to this.  All I know is if you sniff the traffic with a DNAT, the traffic will leave the UTM's interface but not get to the instance.  A full NAT fixes this.  

    As to issues NATing with more than 1 network interface, there's no specific issues with this on UTM that I'm aware of.  If you experience issues with this again in the future, please reach out to Support so we can have a look.

    Tim

Reply
  • 0 in reply to BAlfson

    For clarification, a full NAT is required not because there's an issue with UTM, rather this is a requirement for the traffic to not be dropped by AWS as it leaves the UTM's interface.  I'm not 100% sure the reason.  I use to think that AWS would block any traffic traversing the VPC who's source IP address wasn't within the network range of the VPC....or even that AWS didn't allow public IP addresses to be kept as source IP addresses within VPCs, but I've never been able to find any specific AWS documentation related to this.  All I know is if you sniff the traffic with a DNAT, the traffic will leave the UTM's interface but not get to the instance.  A full NAT fixes this.  

    As to issues NATing with more than 1 network interface, there's no specific issues with this on UTM that I'm aware of.  If you experience issues with this again in the future, please reach out to Support so we can have a look.

    Tim

Children
No Data
Unfiltered HTML