
1:1 NAT with an additional external subnet

Hi,

A new customer currently has a WatchGuard firewall. The WatchGuard is being replaced by an AP cluster of 2 XG330.
He has a normal WAN connection with a static IP and, additionally, a /25 subnet (a completely different range) that is routed to the WAN IP. On the WatchGuard there is a simple 1:1 NAT rule that maps the external subnet to an internal subnet (not the full /24, only the first half of it), and this works both inbound and outbound.

I first configured 126 additional IPs on the WAN interface (what a pain, and the IPs are totally mixed up, really great for checking whether you have all IPs covered...) and now I am struggling a bit with the NAT rules.


As I found out by searching the forum, the XG is not able to NAT subnets, only ranges (really, Sophos?), and I managed to create the 1:1 DNAT rule from WAN to LAN with "one to one" load balancing.


But how do I create the SNAT rule? I selected the internal range as source and the external range as SNAT object, but "one to one" load balancing doesn't seem to apply here.

Another point where I am unsure is the "Override source translation" part.

Or am I completely on the wrong track in configuring this?
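Since the XG only takes ranges, the 1:1 mapping is a pairing by offset between two equal-sized ranges; the same table read in reverse is the SNAT direction. The following is an added helper (not from the original post or from Sophos) that builds that pairing, prints the range endpoints an "IP range" object needs, and lists any host of the external /25 that is missing from the WAN alias list. The addresses are constructed sample values, not the poster's real ones.

```python
import ipaddress

# Constructed sample values: a routed public /25 and the first half of an
# internal /24 (i.e. also a /25). Replace with the real ranges when using this.
EXTERNAL_NET = "203.0.113.0/25"
INTERNAL_NET = "10.20.30.0/25"


def one_to_one_map(ext_net, int_net):
    """Pair every usable host of ext_net with the host at the same offset in
    int_net (external -> internal, the DNAT direction). Raises if the two
    ranges differ in size, because a 1:1 rule needs equal-length ranges."""
    ext = ipaddress.ip_network(ext_net)
    lan = ipaddress.ip_network(int_net)
    if ext.version != lan.version or ext.prefixlen != lan.prefixlen:
        raise ValueError("1:1 NAT requires two ranges of the same size")
    return {str(e): str(i) for e, i in zip(ext.hosts(), lan.hosts())}


def snat_map(ext_net, int_net):
    """Inverse table: internal -> external, what the SNAT rule must apply."""
    return {lan: wan for wan, lan in one_to_one_map(ext_net, int_net).items()}


def range_endpoints(net):
    """First and last usable host of net, the bounds for an XG 'IP range'."""
    hosts = list(ipaddress.ip_network(net).hosts())
    return str(hosts[0]), str(hosts[-1])


def missing_aliases(net, configured):
    """Hosts of net that are absent from the list of configured WAN aliases.
    Returns them as sorted strings so the gaps are easy to spot."""
    have = {ipaddress.ip_address(a) for a in configured}
    return [str(h) for h in ipaddress.ip_network(net).hosts() if h not in have]


if __name__ == "__main__":
    print("DNAT range:", range_endpoints(EXTERNAL_NET), "->", range_endpoints(INTERNAL_NET))
    for wan, lan in list(one_to_one_map(EXTERNAL_NET, INTERNAL_NET).items())[:3]:
        print(f"{wan} <-> {lan}")
```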



  • I would have thought a firewall rule LAN internal network, WAN external network, is my theory, but I do not profess to be an expert. I am not even sure you need the alias. Thinking about the configuration.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I think I need an alias to make the XG feel responsible for the additional subnet anyway. The DNAT (WAN-to-LAN) is not really important here, but they use an external service that needs to identify each client on the LAN with a different WAN IP (that's the reason for the /25 subnet). A site-to-site VPN for this service is unfortunately not an option.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner