Sophos Firewall NAT Configuration PDF

Summary

This document provides an overview of advanced NAT configuration on Sophos Firewall. It covers different types of NAT, best practices for configuration, and various scenarios. The document is aimed at professionals working with firewalls.

Full Transcript


Advanced NAT Configuration on Sophos Firewall
Sophos Firewall Version: 19.0v2
Sophos Firewall FW2020: Advanced NAT Configuration on Sophos Firewall, June 2022, Version: 19.0v2

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Enterprise NAT Configuration on Sophos Firewall

In this chapter you will learn how Sophos Firewall processes NAT rules, and how to configure the different types of NAT that are supported.

Recommended knowledge and experience: creating and managing NAT rules.
Duration: 15 minutes.

NAT Configuration

- NAT rules have a separate table from firewall rules.
- You can create a linked NAT rule that matches on the same criteria as the firewall rule it is linked to.
- NAT rules still require firewall rules to allow traffic.

NAT rules have a separate table from firewall rules to enable powerful and flexible configuration scenarios, including SNAT (source NAT) and DNAT (destination NAT) in a single rule.
The linked NAT rule feature allows a NAT rule to be created inline from a firewall rule; the linked rule follows the matching criteria of that firewall rule, so only the source translation needs to be configured. Linked NAT rules are primarily intended to make the migration from v17.5 as smooth as possible, and we recommend replacing them with normal NAT rules.

Keeping NAT in its own table allows a much simpler configuration: you generally need far fewer NAT rules than firewall rules, and it is easier to convert existing rulesets from other vendors to Sophos Firewall. In simple environments you may only need a single blanket outbound masquerading rule rather than configuring masquerading individually in each firewall rule. Please note that NAT rules still require a firewall rule to allow the traffic!

NAT Packet Flow

The slide diagram shows seven stages:
1. Packet arrives
2. Packet marking
3. NAT lookup for DNAT / Full NAT rules
4. Zone: the destination zone is changed as per the DNAT or Full NAT rule matched in #3
5. Firewall: rule matching is done on the post-NAT zone and the pre-NAT IP address
6. NAT: DNAT as per the rule matched in #3 if one matched, otherwise a NAT lookup for the best-match SNAT or linked NAT rule
7. Packet delivered

This diagram shows how packets flow through the firewall and how NAT is applied. When a packet arrives and marking has been done, Sophos Firewall performs a NAT lookup for DNAT or Full NAT rules. If a NAT rule is matched, the destination zone is translated before the packet goes to the firewall. This means that the firewall matches rules on the post-NAT destination zone and the pre-NAT IP address. In practice, for a published server this means the firewall rule's destination network is the original (public) address while its destination zone is the zone the server actually lives in. After the firewall, either the DNAT or Full NAT rule matched in step 3 is used to do the translation, or a second NAT lookup is done for SNAT rules or linked rules and that translation is applied. Finally, the packet is delivered.
Supported NAT Types

Here you can see the different types of NAT that Sophos Firewall supports.

1. SNAT (source NAT): dynamic IP and port (mapped internally). Changes the source port and/or IP address.
2. DNAT (destination NAT): many-to-one, one-to-one, one-to-many. Changes the destination port and/or IP address.
3. Reflexive policy: one click in the UI. Allows traffic to traverse the NAT in the opposite direction.
4. Loopback policy: one click in the UI. Allows internal traffic to access services using the public IP of the Sophos Firewall.
5. Linked NAT policy: an SNAT rule that matches on the same criteria as the firewall rule it is linked to.
6. NAT load balancing: round robin, random, sticky IP, first alive, one-to-one.

NAT Configuration

On the NAT rules tab you can manage the NAT ruleset, reorder the rules, and see how many connections each rule has translated. When adding NAT rules you can either create a NAT rule directly or, for DNAT scenarios, use the server access assistant to create both the firewall rule and the NAT rule. There is also a button at the top of the page linking to a video that explains NAT configuration in depth.
From the menu for each rule you can reset the usage counter and, for linked NAT rules, unlink them from their associated firewall rule. As with firewall rules, multiple NAT rules can be selected to be enabled, disabled, deleted and so on. Also as with firewall rules, each NAT rule has an ID, and the order of NAT rules matters: they are processed top down, so the first rule that matches a connection is used. For example, you should ensure that your catch-all outbound masquerading rule is always the last NAT rule in the table; placed higher, it would shadow any more specific SNAT rule below it.

Masquerading SNAT Scenario

Interfaces in the scenario: WAN on Port2, LAN on Port1, LAN on VLAN33, DMZ on Port6.

Consider the scenario where we want to perform a masquerading SNAT of all the traffic going out on the WAN interface Port2. A single NAT rule is enough for this.

Default SNAT Rule

Here you can see the default SNAT rule that satisfies the scenario. The rule matches on the outbound interface and applies the MASQ NAT policy to the source address. MASQ is the default masquerading policy and changes the source IP address to that of the interface the traffic leaves through. Note that the default NAT rule is automatically updated when additional WAN interfaces are added.

DNAT Scenario

Client on the Internet -> Sophos Firewall (destination: IP address of #eth1, port 80) -> Server (IP address 172.30.30.50, port 4567, zone DMZ).

Another common use case is destination NAT (DNAT) to publish an application to the Internet. For this you use a normal network firewall rule to allow the traffic and a NAT rule to perform the destination translation. In our example we have a web-based application running on port 4567 on an internal server in the DMZ that we want to publish on the public IP address assigned to the WAN port, #eth1.
When a user connects to port 80 on the public IP address we want to change the destination to port 4567 on the internal server. This is both a network and a port translation.

DNAT Scenario: Firewall Rule and NAT Rule

Start by creating the firewall rule that matches this traffic and allows it. For our example:
- The source can be ANY, as we don't want to restrict access to the application.
- The destination zone is the zone the application server is in (DMZ), because the firewall rule matches on the post-NAT destination zone.
- The destination network is #eth1 in this example, because the firewall rule matches on the pre-NAT destination IP address.
- The service is HTTP, port 80.
- We can also apply IPS policies and other protection in the firewall rule; in this example we just select one of the default WAN to DMZ policies.

Then create the NAT rule:
- We do not match on the source or translate it; this lets the application see the real source IP address.
- The original destination is #eth1, the same as the firewall rule, and we translate it to our application server in the DMZ.
- The original service is HTTP, port 80, and in this example we do a port NAT and translate it to our custom port 4567.
- There are two further options, for creating loopback and reflexive policies, that you can optionally select.

Reflexive NAT Rule

Diagram: Application Server -> Sophos Firewall (SNAT, masquerade) -> Internet; the published name is app.sophostraining.xyz; an Internal User is also shown.

When creating the DNAT rule, two additional options were mentioned: a reflexive policy and a loopback policy that can be created automatically at the same time. Reflexive policies create an SNAT for traffic from internal sources, for example from a protected server to the Internet. In our previous example it effectively creates a masquerading rule for traffic from the application server.

Reflexive and Loopback Policies

Here you can see the reflexive NAT rule from our DNAT example.
The source is the protected server, and the rule performs an SNAT on its traffic as it passes through the Sophos Firewall. This rule could be further modified to match on the outbound interface so that the SNAT only takes place for traffic to the Internet.

Loopback NAT Rule

Diagram: Internal User -> Sophos Firewall (SNAT) -> Application Server, using the public name app.sophostraining.xyz.

Loopback policies are for when internal users use the public IP address or hostname to access a resource; the policy performs an SNAT on the connection so that the server's reply returns through the firewall rather than going directly back to the internal client. Note that the option to create reflexive and loopback NAT rules only appears when creating new NAT rules, not when editing.

Reflexive and Loopback Policies

Here you can see the loopback policy from our DNAT example. The rule performs an additional SNAT for traffic to the protected server. This rule can also be customized to be more specific.

NAT Scenarios

NTP Proxy: Sophos Firewall performs a DNAT on NTP requests that are sent to it and forwards them to an NTP server.
DNS Server Enforcement: Sophos Firewall hijacks DNS requests to an untrusted public DNS server and redirects them to a trusted internal DNS server.

Let's look at some examples and how you would configure NAT for them. In these two examples we consider using the Sophos Firewall as an NTP proxy and enforcing trusted DNS servers. Sophos Firewall is not an NTP server; however, you can use NAT to accept NTP requests on an interface and perform a DNAT to forward the request to an NTP server, either internal or external. To help protect against pharming, you can configure Sophos Firewall to intercept DNS requests and redirect them to a trusted internal DNS server.
[Additional Information]
NTP Proxy Demo: https://training.sophos.com/fw/demo/NtpProxy/1/play.html
DNS Server Enforcement Demo: https://training.sophos.com/fw/demo/DnsEnforcement/1/play.html

NTP Proxy Scenario: Firewall Rule and NAT Rule

To configure Sophos Firewall as an NTP proxy, first create the firewall rule. The source is the zones and networks you want to proxy NTP traffic for. The destination service is NTP, and the destination zone is the post-NAT zone of the NTP server you are DNATing the traffic to. In the NAT rule, define which networks you want to proxy NTP traffic for, or alternatively match on the inbound interface. The rule needs to translate the destination from the Sophos Firewall interface to the NTP server. The NAT rule also matches on the NTP service but does not need to translate it.

DNS Server Enforcement Scenario: Firewall Rule and NAT Rule

To configure Sophos Firewall to enforce DNS servers, first create the firewall rule. The source is the zones and networks you want to proxy DNS traffic for. The destination service is DNS, and the destination zone is the post-NAT zone of the DNS server you are DNATing the traffic to. In the NAT rule, define which networks you want to proxy DNS traffic for, or alternatively match on the inbound interface. The rule needs to translate the destination from ANY, which could be any DNS server, to the DNS server you want to enforce. The NAT rule also matches on the DNS service but does not need to translate it. In the demo, a DNS request for an internal hostname is resolved even though the client tried to query Google DNS, which has no knowledge of this host. Note that this rule only catches classic DNS on port 53; a client using DNS over HTTPS (port 443) or DNS over TLS (port 853) is not redirected by it and needs to be controlled separately.
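The packet flow described earlier in the chapter (DNAT lookup, post-NAT zone, firewall match on post-NAT zone but pre-NAT address, then DNAT or SNAT), together with the published-application and DNS-enforcement scenarios, as an added Python model. This is example code written for this page, not Sophos code or anything taken from the training material. The topology, addresses (203.0.113.10 standing in for #eth1, 172.30.30.50 for the application server, 10.1.1.0/24 as the LAN with an internal DNS server at 10.1.1.53) and rule names are constructed; the step 6 behaviour of applying the step 3 rule or, failing that, a separate SNAT lookup is modelled as the slide states it.

```python
"""Model of the NAT packet flow described in this chapter (steps 3 to 6).

Added example, not Sophos code. It mirrors the lookup order the slides
describe so you can check how a firewall rule must be written to match
translated traffic. Addresses, zones and rule names are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology. Anything outside these networks is treated as WAN.
NETWORK_ZONE = [(ip_network("172.30.30.0/24"), "DMZ"), (ip_network("10.1.1.0/24"), "LAN")]
WAN_IP = "203.0.113.10"  # constructed address of #eth1 (documentation range)
ZONE_IFACE_IP = {"WAN": WAN_IP, "LAN": "10.1.1.1", "DMZ": "172.30.30.1"}  # MASQ targets


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((zone for net, zone in NETWORK_ZONE if addr in net), "WAN")


def in_net(ip: str, spec: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str                      # "any" or a zone name
    orig_dst: str                      # "any", an address or a CIDR (pre-NAT destination)
    service: Optional[int]             # original destination port, None = any
    trans_dst: Optional[str] = None    # set for DNAT / Full NAT
    trans_port: Optional[int] = None
    trans_src: Optional[str] = None    # "MASQ" or an address, set for SNAT / Full NAT
    out_zone: str = "any"              # outbound interface zone for SNAT rules


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str                      # compared with the POST-NAT destination zone
    dst_net: str                       # compared with the PRE-NAT destination address
    service: Optional[int]
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


def nat_matches(r: NatRule, p: Packet, src_zone: str) -> bool:
    return (r.src_zone in ("any", src_zone) and in_net(p.dst_ip, r.orig_dst)
            and r.service in (None, p.dst_port))


def process(p: Packet, nat_rules: list[NatRule], fw_rules: list[FirewallRule]) -> dict:
    """Return the verdict and the translated addresses for one packet."""
    src_zone = zone_of(p.src_ip)
    # Step 3: top-down lookup for DNAT / Full NAT rules; first match is used.
    dnat = next((r for r in nat_rules if r.trans_dst and nat_matches(r, p, src_zone)), None)
    # Step 4: the destination zone is derived from the translated address.
    dst_zone = zone_of(dnat.trans_dst if dnat else p.dst_ip)
    # Step 5: the firewall rule sees the post-NAT zone but the pre-NAT destination IP.
    fw = next((r for r in fw_rules
               if r.src_zone in ("any", src_zone) and r.dst_zone == dst_zone
               and in_net(p.dst_ip, r.dst_net) and r.service in (None, p.dst_port)), None)
    if fw is None or fw.action != "accept":
        # A matching NAT rule alone never allows traffic.
        return {"verdict": "drop", "fw": fw.name if fw else None, "nat": dnat.name if dnat else None}
    # Step 6: apply the rule from step 3, otherwise look up an SNAT rule.
    src, dst, port, nat = p.src_ip, p.dst_ip, p.dst_port, dnat
    if dnat:
        dst, port = dnat.trans_dst, dnat.trans_port or p.dst_port
        if dnat.trans_src:  # Full NAT: the same rule also rewrites the source
            src = ZONE_IFACE_IP[dst_zone] if dnat.trans_src == "MASQ" else dnat.trans_src
    else:
        nat = next((r for r in nat_rules if r.trans_src and not r.trans_dst
                    and r.out_zone in ("any", dst_zone) and nat_matches(r, p, src_zone)), None)
        if nat:
            src = ZONE_IFACE_IP[dst_zone] if nat.trans_src == "MASQ" else nat.trans_src
    return {"verdict": "accept", "fw": fw.name, "nat": nat.name if nat else None,
            "src": src, "dst": dst, "port": port}


# Constructed rule tables following the chapter's scenarios; the catch-all
# masquerade rule is deliberately last.
NAT_RULES = [
    NatRule("Publish app (DNAT)", "any", WAN_IP, 80, trans_dst="172.30.30.50", trans_port=4567),
    NatRule("DNS enforcement (DNAT)", "LAN", "any", 53, trans_dst="10.1.1.53"),
    NatRule("Default SNAT (MASQ)", "any", "any", None, trans_src="MASQ", out_zone="WAN"),
]
FW_RULES = [
    FirewallRule("WAN to DMZ app", "any", "DMZ", WAN_IP, 80),  # post-NAT zone, pre-NAT address
    FirewallRule("LAN DNS", "LAN", "LAN", "any", 53),          # redirected DNS ends up in LAN
    FirewallRule("LAN to WAN", "LAN", "WAN", "any", None),
]
# Common mistake: destination zone written as WAN, the pre-NAT zone of #eth1.
FW_RULES_WRONG_ZONE = [FirewallRule("WAN to WAN app", "any", "WAN", WAN_IP, 80)]


def run_scenarios() -> dict:
    internet_client = Packet("198.51.100.7", WAN_IP, 80)
    return {
        "published_app": process(internet_client, NAT_RULES, FW_RULES),
        "wrong_zone": process(internet_client, NAT_RULES, FW_RULES_WRONG_ZONE),
        "dns_enforced": process(Packet("10.1.1.20", "8.8.8.8", 53), NAT_RULES, FW_RULES),
        "outbound": process(Packet("10.1.1.20", "198.51.100.7", 443), NAT_RULES, FW_RULES),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:14} {result}")
```

The "wrong_zone" scenario is the one to keep in mind: the DNAT rule matches, the destination is translated into the DMZ, and the firewall rule written with destination zone WAN never sees the packet, so it is dropped even though the NAT rule counter increments.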
Things to Remember

- For linked NAT rules the matching criteria is the firewall rule ID; this also takes user and schedule constraints into account.
- When migrated from v17.5, all rule ordering for firewall and NAT rules is preserved.
- Gateway-specific NAT / override NAT policies are not part of the NAT rule; use the option "Override source translation for specific outbound interfaces".
- DNAT rules take precedence over device access. For example, a DNAT rule on port 22 will translate the destination and the Sophos Firewall will not be accessible on that port.

Here are a few things to remember about NAT. When you create a linked NAT rule, the matching criteria is the firewall rule ID, and it matches whenever the firewall rule matches. This means the matching also considers user and schedule constraints, which can be a powerful tool. When migrating from v17.5 the ordering of the firewall rules and their linked NAT rules is preserved. The equivalent of the gateway-specific NAT or override NAT policy can now be found in the NAT rule by using the option "Override source translation for specific outbound interfaces". DNAT rules take precedence over device access: a DNAT rule on port 22 will translate the destination and the Sophos Firewall will not be accessible on that port. For the same reason, scope the original destination and service of DNAT rules tightly; a DNAT rule with original service ANY on a WAN interface address captures every device-access service on that interface, including the admin console.

Local NAT Policy

Set the source IP address for system-generated traffic to specific destinations.

Default behaviour (diagram): Sophos Firewall has interfaces 172.16.16.16 and 192.168.37.5; traffic to destination 10.1.50.17 leaves with source 192.168.37.5, the address of the egress interface.
Local NAT policy behaviour (diagram): traffic to destination 172.29.52.9 leaves with source 172.16.16.16.

The NAT rules we have looked at in this chapter have been for traffic passing through the firewall. There is a separate NAT function for system-generated traffic.
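Two of the points above, top-down processing (keep the catch-all masquerade last) and DNAT rules taking precedence over device access, as an added static check over a NAT rule table. This is example code written for this page, not a Sophos tool; the rule table is constructed, the list of device-access ports is an assumption for illustration (check Administration > Admin settings for the ports your deployment actually uses), and interface objects are assumed to be named with a leading # as the chapter's #eth1 is.

```python
"""Static checks on a NAT rule table: top-down shadowing, DNAT rules that
capture the firewall's own device-access ports, and leftover linked rules.

Added example, not Sophos code. Rule table constructed; admin ports assumed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ANY = "any"
# Assumed device-access services worth guarding; adjust to your deployment.
DEVICE_ACCESS_PORTS = {"SSH": 22, "admin console": 4444, "user portal": 443}


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str = ANY                 # "any" or a source network object
    dst: str = ANY                 # original destination: "any", "#iface" or a host object
    service: Optional[int] = None  # original destination port, None = any
    kind: str = "SNAT"             # "SNAT" or "DNAT"
    linked: bool = False           # linked NAT rule carried over from v17.5


def covers(a: str, b: str) -> bool:
    """True when match field a matches everything that field b matches."""
    return a == ANY or a == b


def shadows(earlier: NatRule, later: NatRule) -> bool:
    """later can never match: an earlier rule of the same kind matches a superset."""
    return (earlier.kind == later.kind and covers(earlier.src, later.src)
            and covers(earlier.dst, later.dst)
            and (earlier.service is None or earlier.service == later.service))


def lint(rules: list[NatRule]) -> list[str]:
    findings = []
    for i, rule in enumerate(rules):
        # Top-down processing: report the first earlier rule that hides this one.
        for earlier in rules[:i]:
            if shadows(earlier, rule):
                findings.append(f"{rule.name!r} is unreachable: shadowed by {earlier.name!r}")
                break
        # DNAT wins over device access when the original destination is the
        # firewall itself (an interface object or ANY).
        if rule.kind == "DNAT" and (rule.dst == ANY or rule.dst.startswith("#")):
            for svc, port in DEVICE_ACCESS_PORTS.items():
                if rule.service in (None, port):
                    findings.append(f"{rule.name!r} captures {svc} (port {port}) on "
                                    f"{rule.dst}: device access on that port is lost")
        if rule.linked:
            findings.append(f"{rule.name!r} is a linked NAT rule; replace it with a normal rule")
    return findings


# Constructed table with the catch-all masquerade wrongly placed first.
RULES = [
    NatRule("Default SNAT IPv4"),                                   # src any, dst any, any port
    NatRule("SNAT mail server", src="MailServer"),                  # shadowed by the catch-all
    NatRule("Publish app", dst="#eth1", service=80, kind="DNAT"),   # fine
    NatRule("SSH to jump host", dst="#eth1", service=22, kind="DNAT"),
    NatRule("Old linked rule", src="LAN", linked=True),
]
# Same rules with the catch-all moved to the bottom.
FIXED = [RULES[2], RULES[3], RULES[1], RULES[4], RULES[0]]


if __name__ == "__main__":
    for label, table in (("as configured", RULES), ("catch-all last", FIXED)):
        print(f"== {label}")
        for finding in lint(table):
            print(" -", finding)
```

Moving the catch-all to the bottom clears the shadowing findings; the port 22 DNAT and the linked rule remain flagged because ordering does not fix them.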
By default, system-generated traffic leaving Sophos Firewall has the source IP address of the interface it leaves on. You can use a local NAT policy to use a different source IP address for traffic to selected destinations.

Local NAT Policy Example

Diagram (as labelled): Site A firewall with addresses 10.81.1.7 (VPN), 172.16.16.16 (LAN) and 10.250.1.1 (MPLS); Site B firewall with 10.81.1.29 (VPN), 192.168.16.16 (LAN) and 10.250.1.2 (MPLS); the domain controller running STAS at site A is 172.16.16.10. The sites are connected by MPLS with a VPN backup.

console> set advanced-firewall sys-traffic-nat add destination 172.16.16.10 netmask 255.255.255.255 snatip 192.168.16.16

Let's look at an example. Here you can see two sites connected by an MPLS with a VPN backup. Computers on site B authenticate with the domain controller running STAS on site A, and STAS authenticates users with the Sophos Firewall on site B. Routing could be over either the MPLS or the VPN, so you want to use the LAN IP address of the firewall on site B (192.168.16.16). To make traffic from the firewall on site B to STAS on site A use this source IP address, you use a local NAT policy. Local NAT policies are created through the console. In this example you would use the command:

set advanced-firewall sys-traffic-nat add destination 172.16.16.10 netmask 255.255.255.255 snatip 192.168.16.16

The destination is the IP address of the STAS server; as this is the only destination we want to use this rule for, the netmask is 255.255.255.255. The SNAT IP is the source IP address we want that system-generated traffic to have.

Chapter Review

- Firewall rules match on post-NAT zone and pre-NAT IP address.
- The default SNAT rule automatically adds WAN zone interfaces to the outbound interface configuration.
- You can use local NAT policies to set the source IP address for system-generated traffic to selected destinations.

Here are the three main things you learned in this chapter. Firewall rules match on post-NAT zone and pre-NAT IP address.
The default SNAT rule automatically adds WAN zone interfaces to the outbound interface configuration. You can use local NAT policies to set the source IP address for system-generated traffic to selected destinations.
