WAF + NAT? Need help on Web Server Problems

New to Sophos here so please be patient with me.

NAT rule doesn't work.

Rule Type: Full NAT

Traffic From: Any

Using Service: HTTP (80)

Going to: External Address (123.123.97.82)

Change Destination to: WebServer (192.168.0.11)

Service to: HTTP (80)

Change Source to: Internal Address (192.168.0.1)

Service to: HTTP (80)


But the moment I change "Using Service: HTTP (80)" to any other port, e.g. HTTP Proxy (8080), I am able to see the website using 123.123.97.82:8080.

 


I'm curious why this rule doesn't work on port 80.

Do I need to set up a WAF for it to work?

If I set up a WAF rule, do I still need NAT and NAT's Automatic Firewall Rule?

 



This thread was automatically locked due to age.
  • If you use WAF you must not use NAT since, if I recall correctly, NAT rules take precedence over WAF; hence, if you have both, WAF will not kick in.

    As to why your rule on port 80 does not work, I have no clue; maybe someone else can help you. However, you would normally not need full-nat; a simple DNAT should also work:

    Traffic from: any (or Internet IPV4)
    Using service: HTTP
    Going to: External (address)

    Change destination to: Webserver
    Service: (leave blank when this is the same service as specified above)

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
