Astaro / Sophos UTM NAT / Firewall Rules

IT

Astaro / Sophos UTM NAT / Firewall Rules

Astaro, now part of Sophos Network Security, is a decent security appliance platform that sits atop of iptables for the firewall set. With that, the NAT rules can be a little different. I have experience with many brands, and the Astaro documentation isn’t completely clear on how to set things up.

This is meant to be a simple example of 1-1 NAT with firewall rules. We will expose this public server on a completely different external IP address. There are many supported ways to accomplish this, but here’s one that many parallels can be drawn to.

Server: ServerA
WAN IP: 1.2.3.4 / 32
LAN IP: 192.168.1.15 / 24

First, we need the appliance to advertise that it’s in charge of the new WAN IP. 

  • Navigate to Interfaces & Routing > Interfaces > Additional Addresses
  • Click New additional address…
  • Enter the Name, choose the interface, give the IP, and choose the mask. For the mask, use /32 as you are identifying a single host.
  • Click Save

Notice the address by default doesn’t enable, click the green light to toggle the setting on.

Next, create the inbound NAT rule, the most intuitive one. This is a DNAT or Destination NAT policy.

  • Navigate to Network Security > NAT > DNAT / SNAT
  • Click New NAT rule…
  • Choose the settings as shown below, noting that ServerA Private is an object defined for the Internal interface, and the Public object selected is External (WAN) [Server A Public] (Address).
  • Don’t use the automatic firewall rule, it’s lazy, and you can lose track of the holes open, take the time to create a manual firewall rule for the needed services.
  • I tend to use groups to keep the NAT rules organized / color coded for easier management. Also, if you have a pre-existing NAT setup, you can easily use the Clone button on the rules.
  • Click Save

Next, create the outbound NAT rule. This is a SNAT or Source NAT policy.

  • Click New NAT rule…
  • Choose the settings as shown below. Note that the destination is Internet IPv4, so this only applies when routing to the internet.
  • Click Save

Next, if necessary, create a reflexive/loopback NAT policy. This is a Full NAT policy.

  • Click New NAT rule…
  • Choose the settings as shown below. That is the entire Internal (Network) and the same pubilc object used in the other ruels.
  • Click Save

Finally, the rules will show up disabled, click the green light to toggle the three rules to on.

The Full NAT bit is the more confusing one, but satisfies the ability for other users in the 192.168.1.0/24 network to reach ServerA via the public address of 1.2.3.4. This winds up being a loopback operation, and the firewall can’t route traffic from Internal back to Internal without changing the source address. This is quite common, some firewalls or deployments handle this with a different DMZ interface, Proxy ARP, or DNS trickery. There are pros and cons to each solution, and all can be implemented on the Astaro appliances. Be sure to consider the  load on the device with the loopback rule as all packets will route in and out of the firewall, where some other methods will be more efficient on the network.

Onto the firewall rules, these are defined under Network Security > Firewall. Some important notes:

Firewall rules are evaluated top down like most other platforms. 

A service definition considers the source and destination ports, so HTTP is defined as 1:65535 -> 80, that’s going to be how you have things setup 99% of the time with standard IP communication as the source ports are dynamically assigned per connection.

The destination of an inbound firewall rule uses the private object.

  • Click New Rule…
  • Configure the settings
  • Click Save


And enable it like before

There you have it; hopefully this helps with the learning curve. 

More About the Author

Daniel Holm

Director of Enterprise Solutions
Quick Q&A: Why We Like Dell-EMC for Just About Everything IT In this edition of “Quick Q&A,” we talk about Dell-EMC with InterWorks Director of Enterprise Solutions Daniel Holm, IT ...
Testing the Beta NVIDIA RTX Audio Driver NVIDIA is always pushing the limit of what their video cards can do. However, they have now started to use the AI abilities they ...

See more from this author →

Subscribe to our newsletter

  • I understand that InterWorks will use the data provided for the purpose of communication and the administration my request. InterWorks will never disclose or sell any personal data except where required to do so by law. Finally, I understand that future communications related topics and events may be sent from InterWorks, but I can opt-out at any time.
  • This field is for validation purposes and should be left unchanged.

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK

×

Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Germany
Geschäftsführer: Mel Stephenson

Kontaktaufnahme: markus@interworks.eu
Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072