This discussion has been locked.

SNAT problems with new server

I am unable to get SNAT to work on one of my servers. I have SNAT working well for my mail servers, web servers, and my desktop. I can get the desktop to change external IPs on the fly with no problems. But I am installing a new Ubuntu web server and it is stubborn. It always shows that it is using the default gateway as its external IP. I am using the command 'curl https://ipinfo.io/ip' to get my external IP. I enabled log initial packets on the SNAT rule and I do see where it is logged in the firewall.log, but there isn't much information in the log as to the address translation itself. I also enabled the logging on my desktop to verify what the log display would look like when it was working. Rule #2 is my problem, and rule #4 is the desktop that I can set to any of the external IPs.

Is there another log I can look at to see how the translation is being handled or going off the rails?

I don't think it matters, but I have two internet connections with /28 subnets of assigned external IPs. I intend to use the webserver protection features for the new server but it is not handling the source translation either. I currently have the webserver protection options disabled.




  • FormerMember
    +1 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Did you try to configure Masquerading from Network Protection > NAT > Masquerading > Add Masquerading rule > Network > Add the server IP address > Interface > the WAN interface > Use address. 

    Can you please confirm if you have web filtering configured? If the traffic is filtered through a web proxy, it will ignore the SNAT rule and use the default IP address. 

    Thanks,

  • I don't have the masquerading configured. I do have web filtering configured and once I added the new server to skip transparent mode in Web Protection > Filtering Options > Misc > Transparent Mode Skiplist the translation worked as expected. Thank you for the tip!

    I had been looking through the Rulz in Rule 2.1 and that didn't indicate that web filtering was involved so I forgot about that configuration. 

  • FormerMember
    0 FormerMember in reply to MarkThornton

    Hi ,

    Thank you for the update! I'm glad that your issue is resolved now. 

    If you really need web filtering for your internal server, you can enable web filtering for the secondary gateway interface. 

    Check out the following KBA for more info: Sophos UTM: How to change the outgoing interface for Web Filtering.

    Thanks,

  • Mark, I guess I need to make clearer that 2.1 specifically includes this situation.  I would appreciate your suggestion.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA