1:1 NAT with an additional external subnet

Hi,

a new customer actually has a watchguard firewall. The watchguard is replaced by a AP-cluster of 2 XG330.
He has a normal WAN connection with a static IP and, additionally a /25 subnet (completely other range) that is routed to the WAN-IP. On the watchguard there is a simple 1:1 NAT rule that maps the external subnet to an internal subnet (not the full /24, only the first half of it) and this works inbound as outbound.

I first configured 126 additional IPs on the WAN interface (what a pain and the IPs are totally mixed up, really great for seeing if you got all IPs covered...) and now am a bit struggeling with the NAT rules.


As I found out by searching the forum the XG is not able to NAT subnets, only ranges (really, Sophos?) and I managed to create the 1:1 DNAT rule from WAN to LAN with "one to one" loadbalancing.


But how do I create the SNAT rule? I selected the internal range as source and the external range as SNAT object, but "one to one" loadbalancing doesn't seem to apply here.

Another point where I am unsure is the "Override source translation" part.

Or am I completely on the wrong way to configure this?



Added TAG
[edited by: emmosophos at 8:57 PM (GMT -8) on 22 Feb 2021]
  • Please ignore this if it is a dumb question. If you have a /25 external and are trying to get a one to one you do not need a Nat?

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • What would you recommend?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • I would have thought a firewall rule lan internal network, wan external network, is my theory, but I do not profess to being an expert. I am not even sure you need the alias. Thinking about the configuration.

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • I think I need an alias to make the XG feel responsible for the additional /subnet anyway. The DNAT (WAN-to-LAN) is not really important here, but they use an external service, that needs to identify each client on the LAN with a different WAN IP (thats the reason for the /25 subnet). A site-to-site VPN for this service is unfortunately no option.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Maybe it is a bit better to understand with an overview.

    There are several internal networks connected to the firewall with a routing-switch. The firewall routes the internal networks to the "transfer network IP" of the switch. On the WAN interface the firewall has one fixed IP, later an additional /25 subnet was added.

    Network 2 and network 3 can use the default WAN-IP, can be catched up by the "Default SNAT IPv4" masquerading rule.

    The first half of network 1 is used in the DNAT rule that NATs the external /25 to internal 10.0.1.0/25.
    So - if firewall rules would allow it - the PC in network 1 would be reachable over public IP 2.2.2.129 from the internet.

    More important is the fact, that it has to use the 2.2.2.129 when connecting TO the internet. It always has to be 2.2.2.129,
    not maybe 2.2.2.252 (that would be the correct IP for the LAN client with local IP 10.0.1.124) or
    2.2.2.222 (that would be the correct IP for the LAN client with local IP 10.0.1.94).

    I hope that makes it a bit clearer, what I want.

    In a SNAT rule i can select the ranges on LAN and WAN but I can't say anywhere, that it has to be 1:1 mapped (like I can say in the corresponding DNAT rule).

    Actually, I'm a bit afraid that I have to create a complex SNAT-ruleset of 126 rules for every single LAN-to-WAN translation overriding the default interface behaviour. But I can't imagine, that Sophos planned it doing like that...

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • XG does not support a 1:1 SNAT. 

    But you could create two FULL NATs, which essentially will do the same. Both will use 1:1 DNAT for access both directions.

    Only the reports of certain tools will look odd, as the NAT will be use a random number. 

    __________________________________________________________________________________________________________________

  • Hi LuCar Toni,

    how does the two rules have to look like?

    I guess the first one has to look nearly like my DNAT rule above, if I wanted to do a FULL NAT out of it I would have to change the source IP/ range(?), too. But why would I have to do that?

    I think I can't DNAT a connection that is going to any/WAN without losing the original destination. How would the second one look like?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Essentially the question, do you need a SNAT 1:1? If you need to access the other way around, you can create two NATs (Both DNAT 1:1). 

    The SNAT 1:1 NAT basically is only needed in case you want to know, which client access you (Reporting for example). SNAT 1:1 does not have any kind of network implication, as far as i know. If you want to connect back to the client, which accessed you (build a new connection), you would create a new DNAT 1:1 for this way around. 

    __________________________________________________________________________________________________________________

  • I think you both understood me wrong.

    My customer is working for another company that hosts a service platform to which the clients of my customer are connecting to. In this (external) platform it is required that each client of my customer is connecting with its own, unique external IP. So I do not need the NATs to make services on my side of the connection reachable, it's more the other way round.

    I don't know how I could achieve this without changing the source IP of each client to one of the external subnet. The inbound DNAT is not necessary in this constellation, I only want to create it if they need to access the clients the other way round for monitoring. But that DNAT unfortunately does not seem to create a "static" like in Cisco universe so that the outgoing connection is using the same internal-to-external mapping.

    So that is why I guess creating single SNAT rules for each client seems to be my only option.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Seems like i do not understand the requirement. Looking at the picture, i cannot figure out, why a simple MASQ SNAT should not work? 

    Where is the need to actually 1:1 SNAT? Except the reporting for some application, i guess. 

    __________________________________________________________________________________________________________________