I am unable to get SNAT to work on one of my servers. I have SNAT working well for my mail servers, web servers, and my desktop. I can get the desktop to change external ip's on the fly with no problems. But I am installing a new Unbuntu web server and it is stubborn. It always shows that it is using the default gateway as its external ip. I am using the command 'curl https://ipinfo.io/ip' to get my external ip. I enabled log initial packets on the SNAT rule and I do see where it is logged in the firewall.log, but there isn't much information in the log as to the address translation itself. I also enabled the logging on my desktop to verify what the log display would look like when it was working. Rule #2 is my problem, and rule #4 is the desktop that I can set to any of the external ip's.
Is there another log I can look at to see how the translation is being handled or going off the rails?
I don't think it matters, but I have two internet connections with /28 subnets of assigned external ip's. I intend to use the webserver protection features for the new server but it is not handling the source translation either. I currently have the webserver protection options disabled.
Hi MarkThornton,
Thank you for reaching out to the Community!
Did you try to configure Masquerading from Network Protection > NAT > Masquerading > Add Masquerading rule > Network > Add the server…
Did you try to configure Masquerading from Network Protection > NAT > Masquerading > Add Masquerading rule > Network > Add the server IP address > Interface > the WAN interface > Use address.
Can you please confirm if you have web filtering configured? If the traffic is filtered through a web proxy, it will ignore the SNAT rule and use the default IP address.
Thanks,
I don't have the masquerading configured. I do have web filtering configured and once I added the new server to skip transparent mode in Web Protection > Filtering Options > Misc > Transparent Mode Skiplist the translation worked as expected. Thank you for the tip!
I had been looking through the Rulz in Rule 2.1 and that didn't indicate that web filtering was involved so I forgot about that configuration.
Thank you for the update! I'm glad that your issue is resolved now.
If you really need web filtering for your internal server, you can enable web filtering for the secondary gateway interface.
Check out the following KBA for more info: Sophos UTM: How to change the outgoing interface for Web Filtering.
Mark, I guess I need to make clearer that 2.1 specifically includes this situation. I would appreciate your suggestion.
Cheers - Bob