Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 19 replies
  • Subscribers 39 subscribers
  • Views 4940 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

1:1 NAT with an additional external subnet

kerobra_retired

Hi,

a new customer actually has a watchguard firewall. The watchguard is replaced by a AP-cluster of 2 XG330.
He has a normal WAN connection with a static IP and, additionally a /25 subnet (completely other range) that is routed to the WAN-IP. On the watchguard there is a simple 1:1 NAT rule that maps the external subnet to an internal subnet (not the full /24, only the first half of it) and this works inbound as outbound.

I first configured 126 additional IPs on the WAN interface (what a pain and the IPs are totally mixed up, really great for seeing if you got all IPs covered...) and now am a bit struggeling with the NAT rules.


As I found out by searching the forum the XG is not able to NAT subnets, only ranges (really, Sophos?) and I managed to create the 1:1 DNAT rule from WAN to LAN with "one to one" loadbalancing.


But how do I create the SNAT rule? I selected the internal range as source and the external range as SNAT object, but "one to one" loadbalancing doesn't seem to apply here.

Another point where I am unsure is the "Override source translation" part.

Or am I completely on the wrong way to configure this?



This thread was automatically locked due to age.
  • 0

    Please ignore this if it is a dumb question. If you have a /25 external and are trying to get a one to one you do not need a Nat?

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    What would you recommend?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • 0 in reply to kerobra_retired

    I would have thought a firewall rule lan internal network, wan external network, is my theory, but I do not profess to being an expert. I am not even sure you need the alias. Thinking about the configuration.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    I think I need an alias to make the XG feel responsible for the additional /subnet anyway. The DNAT (WAN-to-LAN) is not really important here, but they use an external service, that needs to identify each client on the LAN with a different WAN IP (thats the reason for the /25 subnet). A site-to-site VPN for this service is unfortunately no option.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • 0

    Maybe it is a bit better to understand with an overview.

    There are several internal networks connected to the firewall with a routing-switch. The firewall routes the internal networks to the "transfer network IP" of the switch. On the WAN interface the firewall has one fixed IP, later an additional /25 subnet was added.

    Network 2 and network 3 can use the default WAN-IP, can be catched up by the "Default SNAT IPv4" masquerading rule.

    The first half of network 1 is used in the DNAT rule that NATs the external /25 to internal 10.0.1.0/25.
    So - if firewall rules would allow it - the PC in network 1 would be reachable over public IP 2.2.2.129 from the internet.

    More important is the fact, that it has to use the 2.2.2.129 when connecting TO the internet. It always has to be 2.2.2.129,
    not maybe 2.2.2.252 (that would be the correct IP for the LAN client with local IP 10.0.1.124) or
    2.2.2.222 (that would be the correct IP for the LAN client with local IP 10.0.1.94).

    I hope that makes it a bit clearer, what I want.

    In a SNAT rule i can select the ranges on LAN and WAN but I can't say anywhere, that it has to be 1:1 mapped (like I can say in the corresponding DNAT rule).

    Actually, I'm a bit afraid that I have to create a complex SNAT-ruleset of 126 rules for every single LAN-to-WAN translation overriding the default interface behaviour. But I can't imagine, that Sophos planned it doing like that...

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • 0 in reply to kerobra_retired

    XG does not support a 1:1 SNAT. 

    But you could create two FULL NATs, which essentially will do the same. Both will use 1:1 DNAT for access both directions.

    Only the reports of certain tools will look odd, as the NAT will be use a random number. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi LuCar Toni,

    how does the two rules have to look like?

    I guess the first one has to look nearly like my DNAT rule above, if I wanted to do a FULL NAT out of it I would have to change the source IP/ range(?), too. But why would I have to do that?

    I think I can't DNAT a connection that is going to any/WAN without losing the original destination. How would the second one look like?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • 0 in reply to kerobra_retired

    Essentially the question, do you need a SNAT 1:1? If you need to access the other way around, you can create two NATs (Both DNAT 1:1). 

    The SNAT 1:1 NAT basically is only needed in case you want to know, which client access you (Reporting for example). SNAT 1:1 does not have any kind of network implication, as far as i know. If you want to connect back to the client, which accessed you (build a new connection), you would create a new DNAT 1:1 for this way around. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I think you both understood me wrong.

    My customer is working for another company that hosts a service platform to which the clients of my customer are connecting to. In this (external) platform it is required that each client of my customer is connecting with its own, unique external IP. So I do not need the NATs to make services on my side of the connection reachable, it's more the other way round.

    I don't know how I could achieve this without changing the source IP of each client to one of the external subnet. The inbound DNAT is not necessary in this constellation, I only want to create it if they need to access the clients the other way round for monitoring. But that DNAT unfortunately does not seem to create a "static" like in Cisco universe so that the outgoing connection is using the same internal-to-external mapping.

    So that is why I guess creating single SNAT rules for each client seems to be my only option.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • 0 in reply to kerobra_retired

    Seems like i do not understand the requirement. Looking at the picture, i cannot figure out, why a simple MASQ SNAT should not work? 

    Where is the need to actually 1:1 SNAT? Except the reporting for some application, i guess. 

    __________________________________________________________________________________________________________________

Unfiltered HTML