1:1 NAT with an additional external subnet

Hi,

A new customer actually has a WatchGuard firewall. The WatchGuard is replaced by an AP-cluster of 2 XG330.
He has a normal WAN connection with a static IP and, additionally, a /25 subnet (completely other range) that is routed to the WAN-IP. On the WatchGuard there is a simple 1:1 NAT rule that maps the external subnet to an internal subnet (not the full /24, only the first half of it) and this works inbound as well as outbound.

I first configured 126 additional IPs on the WAN interface (what a pain, and the IPs are totally mixed up, really great for seeing if you got all IPs covered...) and now am a bit struggling with the NAT rules.


As I found out by searching the forum the XG is not able to NAT subnets, only ranges (really, Sophos?) and I managed to create the 1:1 DNAT rule from WAN to LAN with "one to one" loadbalancing.


But how do I create the SNAT rule? I selected the internal range as source and the external range as SNAT object, but "one to one" loadbalancing doesn't seem to apply here.

Another point where I am unsure is the "Override source translation" part.

Or am I completely on the wrong way to configure this?



Added TAG
[edited by: emmosophos at 8:57 PM (GMT -8) on 22 Feb 2021]
  • Maybe it is a bit better to understand with an overview.

    There are several internal networks connected to the firewall with a routing-switch. The firewall routes the internal networks to the "transfer network IP" of the switch. On the WAN interface the firewall has one fixed IP, later an additional /25 subnet was added.

    Network 2 and network 3 can use the default WAN-IP, they can be caught by the "Default SNAT IPv4" masquerading rule.

    The first half of network 1 is used in the DNAT rule that NATs the external /25 to internal 10.0.1.0/25.
    So - if firewall rules would allow it - the PC in network 1 would be reachable over public IP 2.2.2.129 from the internet.

    More important is the fact, that it has to use the 2.2.2.129 when connecting TO the internet. It always has to be 2.2.2.129,
    not maybe 2.2.2.252 (that would be the correct IP for the LAN client with local IP 10.0.1.124) or
    2.2.2.222 (that would be the correct IP for the LAN client with local IP 10.0.1.94).

    I hope that makes it a bit clearer, what I want.

    In a SNAT rule i can select the ranges on LAN and WAN but I can't say anywhere, that it has to be 1:1 mapped (like I can say in the corresponding DNAT rule).

    Actually, I'm a bit afraid that I have to create a complex SNAT ruleset of 126 rules, one for every single LAN-to-WAN translation, overriding the default interface behaviour. But I can't imagine that Sophos planned it that way...

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • XG does not support a 1:1 SNAT.

    But you could create two FULL NATs, which essentially will do the same. Both will use 1:1 DNAT for access both directions.

    Only the reports of certain tools will look odd, as the NAT will use a random number.

    __________________________________________________________________________________________________________________

  • Seems like I do not understand the requirement. Looking at the picture, I cannot figure out why a simple MASQ SNAT should not work?

    Where is the need to actually 1:1 SNAT? Except the reporting for some application, I guess.

    __________________________________________________________________________________________________________________

  • Imagine a destination on the WAN side.

    On that destination the connection of a client with my local IP 10.6.13.1 has to hit with 2.2.2.129.
    The connection of 10.6.13.2 has to hit with 2.2.2.130 and so on.

    If I would use MASQ it would be 1.2.3.4 for all of my clients.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • So you want to use a duplicated NAT. Because to get the internal connection, you need to specify a DNAT with SNAT (1:1) --> inbound connection. You need an outbound connection SNAT, which essentially does not need DNAT at all.

    __________________________________________________________________________________________________________________

  • The DNAT I mentioned is only if the destination wants to check the clients connectivity with ping or a specific service that runs on the clients. For my problem forget that part, because that one is simple to achieve with the 1:1 load balancing mapping the public IP range to the local IP range.

    My problem is the outgoing part (MASQ or SNAT).
    Is there a comparably easy way to create a 1:1 mapping of the local IP range to the public IP range (will rule #3 work? I can not select 1:1 mapping here) or do I have to create a SNAT rule for each local IP changing it to the public IP (like in rule #1 and #2)?

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner



    added picture
    [edited by: kerobra at 9:47 AM (GMT -8) on 23 Feb 2021]
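    The mapping Kevin describes in the overview post (10.0.1.124 must leave as 2.2.2.252, 10.0.1.94 as 2.2.2.222) and in the follow-up about the outgoing part is a NETMAP-style 1:1 translation: the host bits are kept and only the network bits are swapped. The Python below is an added example, not something from the thread or from Sophos; it implements that translation in both directions, expands it into the per-host SNAT list he fears having to type in (126 host objects for a /25), and checks that the resulting table is bijective so no two internal clients would ever share a public address. The 2.2.2.128/25 and 10.0.1.0/25 values are the thread's example networks, not real assignments.

```python
import ipaddress


def netmap(addr, src_net, dst_net):
    """1:1 (NETMAP-style) translation: keep the host bits, swap the network bits.

    Call with (internal IP, internal net, external net) to compute the SNAT
    result, or (external IP, external net, internal net) for the DNAT result.
    Both networks must be the same size, otherwise a 1:1 mapping cannot exist.
    """
    addr = ipaddress.ip_address(addr)
    src_net = ipaddress.ip_network(src_net)
    dst_net = ipaddress.ip_network(dst_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of equal size")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_offset = int(addr) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_offset))


def snat_rule_table(internal_net, external_net):
    """Expand the 1:1 mapping into the per-host (local, public) pairs that a
    firewall without 1:1 SNAT would need as individual rules.  Network and
    broadcast addresses are skipped, so a /25 yields 126 pairs."""
    internal_net = ipaddress.ip_network(internal_net)
    return [(str(local), netmap(local, internal_net, external_net))
            for local in internal_net.hosts()]


def check_bijective(table, internal_net, external_net):
    """Sanity check for a generated SNAT table: every public IP is used exactly
    once and translating it back (the DNAT direction) yields the original host.
    Returns True when the table is a clean 1:1 mapping."""
    publics = [public for _, public in table]
    if len(publics) != len(set(publics)):
        return False  # two internal hosts would share one public IP
    for local, public in table:
        if netmap(public, external_net, internal_net) != local:
            return False  # reverse translation disagrees with the forward one
    return True


if __name__ == "__main__":
    # Example networks from the thread (constructed values, not real assignments).
    table = snat_rule_table("10.0.1.0/25", "2.2.2.128/25")
    print(f"{len(table)} per-host SNAT pairs, bijective: "
          f"{check_bijective(table, '10.0.1.0/25', '2.2.2.128/25')}")
    for local, public in table[:3]:
        print(f"  {local} -> {public}")
```

    Generating the table with a script rather than by hand is also the easy way to spot the "totally mixed up" additional IPs Kevin mentions: any WAN alias that does not appear in the public column is one the 1:1 mapping would never use.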
  • That seems to be the only solution. Just to be sure: is it required to use a certain IP out of the mapping? What is this needed for in outbound traffic? As far as I understand, it's the same connection, hence a use of different outgoing IPs is technically not required. Do you need the WAN IP in specific connections?

    __________________________________________________________________________________________________________________

  • Yes it is required that the internal IP 10.6.13.1 is always using the 89....129 and no other of the public IP range (at least to this destination). They are doing some kind of monitoring and/or software deployment on the remote site that needs that.

    The "normal" WAN-IP is used for any other local IP when connecting to the internet (default SNAT/MASQ rule). Since the local 10.6.13.0 network is /24 the second half of it (10.6.13.128/25) is using it, too.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Just thinking about the UTM approach. And as far as I know, this is not possible on UTM, as UTM will do a 1:1 mapping .1 to .1. You need a .1 to .89.

    __________________________________________________________________________________________________________________

  • I would be extremely lucky if it was a SG/UTM... :(

    Everything with 2 rules and 2 definitions.

    Not 127 rules (126 SNAT and 1 DNAT) with 254 definitions (2x126 host objects and 2 IP ranges).

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Do you know, if this Rule 7 will work as expected? 

    __________________________________________________________________________________________________________________

  • I would be very disappointed if not.

    But to be honest, I never had a situation with such a big external subnet to test it and normally the way in our installations is DNAT.
    But with VPNs the 1:1 NAT never had any issue as long as the subnet notation in the NAT rule is equal on both definitions.

    On the 10-year-old WatchGuard the SNAT is replaced, too, by only one 1:1 rule that maps the internal /25 to the external /25.

    I can't believe Sophos proudly calls it "Enterprise NAT" on one side and leaves basic things like 1:1 NAT completely out on the other side.

    Having to use ranges instead of networks is another thing. That may be right from the "usable IPs" point of view, but it raises the config's complexity unnecessarily. I think everyone that configures firewalls knows which IPs of 192.168.0.0/24 are usable; they don't need something like a range 192.168.0.1-192.168.0.254.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
