Scribd Logo
Upload

Welcome to Scribd!

  • Create DNAT Firewall Rules for Internal Servers

    Uploaded by

    thats bist
    18 views9 pages

    Original Title

    Create DNAT and firewall rules for internal servers

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    18 views9 pages

    Create DNAT Firewall Rules for Internal Servers

    Uploaded by

    thats bist

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 9

    Create DNAT and firewall rules for internal

    servers
    May 24, 2022

    This example shows how to create a many-to-many destination NAT rule to translate
    incoming traffic to internal servers. It also shows how to create firewall rules to allow the
    traffic.

    Objectives
    When you complete this unit, you'll know how to do the following:

     Create a destination NAT rule to translate traffic from external sources to the
    internal servers.
     Specify a loopback NAT rule to translate traffic from internal sources to the
    internal servers.
     Specify a reflexive NAT rule to translate traffic from the servers. This is a source
    NAT rule for the internal servers.
     Load balance traffic among the internal servers.

    DNAT network diagram


    Destination NAT is typically used to translate incoming traffic that reaches the WAN IP
    addresses. The following network information is illustrative:

     Pre-NAT IP address of web servers: 11.8.9.28


     Post-NAT IP addresses of web servers: 10.145.15.42, 10.145.15.114

    Here's an example:
     Destination NAT from external source to internal web servers with port
    translation: Any to Web server public IP address (11.8.9.28) translated to Web server internal
    IP list (10.145.15.42, 10.145.15.114) with port translation from TCP 8888 to TCP 4444.
     Loopback rule to translate traffic from internal source to internal web
    servers: Network LAN (10.145.16.10/24) to Web server public IP address
    (11.8.9.28) translated to Web server internal IP list (10.145.15.42, 10.145.15.114) with port
    translation from TCP 8888 to TCP 4444.
     Reflexive rule to translate traffic from the web server to external and internal
    destinations: Web server internal IP list (10.145.15.42, 10.145.15.114) to Any.
     Load balancing method for the web servers.
     Firewall rule to allow traffic from external networks to the internal web servers in
    DMZ.
     Firewall rule to allow traffic from an internal network to the internal web servers.
     Firewall rule to allow traffic from the internal web servers to any network.

    Specify the NAT rule settings


    1. Go to Rules and policies > NAT rules, select IPv4 or IPv6 and click Add NAT
    rule.
    2. Specify the rule name and rule position.
    3. In this example, specify the translation settings for incoming traffic to the web
    servers:

    Name Description

    Original source Any

    Translated source (SNAT) Original

    Original destination Webserver_PublicIPAddress

    Translated destination (DNAT) Webserver_InternalIPAddressList

    Original service TCP port 8888

    Select Create new and set Destination


    port to 8888.
    Name Description

    Translated service (PAT) TCP port 4444

    Select Create new and set Destination


    port to 4444.

    Inbound interface Any

    Alternatively, you can specify Port1 in this


    example.

    Outbound interface Any

    4. Select Create loopback rule to translate traffic from internal users to the internal
    web servers.
    5. Select Create reflexive rule to create a source NAT rule that translates traffic
    from the web servers.
    6. Select a load balancing method to load balance traffic between the web servers.
    In this example, you select Round-robin.
    7. Click Save.
    The following image shows an example of how to configure the settings:
    Create firewall rules to allow traffic that matches the destination NAT rule, loopback rule,
    and reflexive NAT rule.

    Specify firewall rule settings for the DNAT rule


    1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and
    select Add firewall rule. Select New firewall rule.
    2. Specify the rule name and rule position.
    3. Specify the source, destination, and services as follows:

    Name Description

    Source zones WAN


    Name Description

    Source Any
    networks and
    devices

    Destination DMZ
    zones Select the zone containing your web servers.

    Sophos Firewall looks up the matching DNAT rule for


    the traffic. It identifies the zone containing the translated
    destination, which is DMZ in this example. It uses DMZ
    as the destination zone when it matches a firewall rule.

    Destination Webserver PublicIPAddress


    networks

    Services TCP port 8888, TCP port 4444

    4. Specify the security settings and click Save.


    The following image shows an example of how to configure the settings:
    You created a firewall rule to allow traffic from external sources to the internal web servers.

    Specify firewall rule settings for the loopback rule


    1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and
    select Add firewall rule. Select New firewall rule.
    2. Specify the rule name and rule position.
    3. Specify the source, destination, and services as follows:

    Name Description

    Source zones LAN

    Source networks and devices Network_LAN


    Name Description

    Destination zones DMZ

    Destination networks Webserver PublicIPAddress

    Services TCP port 8888, TCP port 4444

    4. Specify the security settings and click Save.


    The following image shows an example of how to configure the settings:

    You created a firewall rule to allow traffic from the internal network to the internal web
    servers.

    Specify firewall rule settings for reflexive NAT rule


    1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and
    select Add firewall rule. Select New firewall rule.
    2. Specify the rule name and rule position.
    3. Specify the source, destination, and services as follows:

    Name Description

    Source zones DMZ

    Source networks and devices Webserver InternalIPAddressList

    Destination zones Any

    Destination networks Any

    Services TCP port 8888, TCP port 4444

    4. Specify the security settings and click Save.


    The following image shows an example of how to configure the settings:
    You created a firewall rule to allow traffic from the internal web servers to internal and
    external networks.

    More resources

     NAT rules
     Firewall rules
     Add a NAT rule

    You might also like