If we check the reflexive rule option in a DNAT rule, what will be the source and destination of the reflexive rule?
Let's say we have a DNAT rule for HTTP and the original port and translated port are the same, so the source port range is 1:65535 and the destination port is 80.
So what will be the source port and destination port in the reflexive rule?
Hi Suhail T,
Thank you for reaching out to the Community!
The reflexive rule will allow traffic from the server (source) to the source specified (destination) in the DNAT rule. The reflexive rule reverses the matching criteria of the DNAT rule, which means the source port for the reflexive rule would be the port range (1:65535) and the destination port would be 80.
Check out the following document for more info: NAT rules.
Community Support Engineer, Support & Services | Sophos Technical Support
Thanks for your reply.
I have a DNAT rule for internal clients (LAN) to communicate with a server on a range of UDP ports.
LAN - 192.168.9.0/24
Server - 192.168.250.10/24
Service - Source port 1024:65535, Destination port 16384:19384
Reflexive rule is also checked.
But I can see in the logs that the server is communicating with the LAN clients with source port 16384:19384 and destination port 1024:65535.
It is confusing.
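The following Python is an added example and is not code from this thread or from Sophos. It models a reflexive rule as the DNAT rule with every matching criterion reversed (source and destination addresses and port ranges swapped) and then classifies a few constructed log flows against the rule posted above, so the reader can see which rule a given 5-tuple lands on. The names Rule, reflexive_of, matches, classify and the log-line format are my own assumptions; the server is written as 192.168.250.10/32 and the public-IP translation step of the DNAT is left out, because only the matching orientation matters here.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A NAT rule's matching criteria (hypothetical model, not a Sophos object)."""
    name: str
    proto: str
    src_net: str    # CIDR, e.g. "192.168.9.0/24"
    dst_net: str    # CIDR
    src_ports: str  # "lo:hi" or a single port, e.g. "1024:65535"
    dst_ports: str


def parse_port_range(spec: str) -> tuple[int, int]:
    """'1024:65535' -> (1024, 65535); a single port '80' -> (80, 80)."""
    lo, _, hi = spec.partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def reflexive_of(rule: Rule) -> Rule:
    """The reflexive rule reverses every matching criterion of the original rule:
    destination becomes source and source becomes destination, for addresses and ports."""
    return Rule(name=rule.name + " (reflexive)", proto=rule.proto,
                src_net=rule.dst_net, dst_net=rule.src_net,
                src_ports=rule.dst_ports, dst_ports=rule.src_ports)


def matches(rule: Rule, proto: str, src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """True if the 5-tuple satisfies all of the rule's criteria."""
    if proto != rule.proto:
        return False
    slo, shi = parse_port_range(rule.src_ports)
    dlo, dhi = parse_port_range(rule.dst_ports)
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return (in_net(src_ip, rule.src_net) and in_net(dst_ip, rule.dst_net)
            and slo <= src_port <= shi and dlo <= dst_port <= dhi)


# Constructed log format for this example; real firewall logs look different.
LOG_RE = re.compile(r"proto=(\w+)\s+src=([\d.]+):(\d+)\s+dst=([\d.]+):(\d+)")


def parse_log_line(line: str) -> tuple[str, str, int, str, int]:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    proto, sip, sport, dip, dport = m.groups()
    return proto, sip, int(sport), dip, int(dport)


def classify(flow: tuple, rule: Rule) -> str:
    """Which rule a flow hits: 'dnat', 'reflexive', or 'none'."""
    if matches(rule, *flow):
        return "dnat"
    if matches(reflexive_of(rule), *flow):
        return "reflexive"
    return "none"


# The rule from the post above (server as a /32, translation step omitted).
DNAT_RULE = Rule("LAN to DMZ server", "udp",
                 "192.168.9.0/24", "192.168.250.10/32",
                 "1024:65535", "16384:19384")

# Constructed sample log lines: client->server, the server->client flow the
# post reports, and a server->client flow with the ports in the original orientation.
SAMPLE_LOG = [
    "proto=udp src=192.168.9.25:40000 dst=192.168.250.10:17000",
    "proto=udp src=192.168.250.10:17000 dst=192.168.9.25:40000",
    "proto=udp src=192.168.250.10:40000 dst=192.168.9.25:17000",
    "proto=tcp src=192.168.250.10:17000 dst=192.168.9.25:40000",
]


def classify_log(lines: list[str], rule: Rule = DNAT_RULE) -> list[tuple[str, str]]:
    return [(line, classify(parse_log_line(line), rule)) for line in lines]


if __name__ == "__main__":
    for line, verdict in classify_log(SAMPLE_LOG):
        print(f"{verdict:10s} {line}")
```

Run as-is, the server-to-client flow with source port 16384:19384 and destination port 1024:65535 is classified as hitting the reflexive rule, which is the orientation the log above shows; the same server-to-client flow with the ports kept in the original rule's orientation matches neither rule, and a TCP flow is rejected by the protocol check before any address or port is compared.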
Why do you need a NAT Rule in the first place?
DNAT is to forward certain traffic to a particular Network and "Translate" traffic. It looks like you are using NAT internally, which "should" not be needed.
It is our requirement. The clients should be contacting the public IP to connect to the server in DMZ.
Ok, but why do you need a reflexive rule?
The DNAT should be enough to redirect the requests from the public IP to the server. Simply use "Full NAT (SNAT + DNAT)" in one rule.
If you are not doing this, the server will talk back directly to the client. That could cause unexpected network traffic.
A reflexive rule would "turn the table" and allow the server to establish a connection to the clients, which sounds like something you do not want to do?
This is the exact requirement we need. The clients need to contact the server and vice versa on the same UDP ports.
But the unexpected behaviour we observe is that the server is connecting to the client with the source and destination ports interchanged.