NAT rules

Network Address Translation (NAT) allows you to translate IP addresses and ports for traffic flowing between networks.

It translates private IP addresses into public IP addresses, allowing private IP networks to connect to the internet and hiding the internal network behind the public IP address.

You can create source NAT (SNAT) and destination NAT (DNAT) rules to enable traffic flow between private and public networks by translating non-routable, private IP addresses to routable, public IP addresses. You can create NAT rules for IPv4 and IPv6 networks.

You can specify loopback and reflexive rules for a destination NAT rule. These rules remain independent of the original rule from which they've been created. Changing or deleting the original NAT rule doesn't affect them.

Linked NAT rules are SNAT rules and are created from firewall rules. Sophos Firewall automatically adds a linked NAT rule to match traffic for email MTA mode.

To allow traffic flow between overlapping local subnets, you must configure NAT over policy-based IPsec VPN on Site-to-site VPN > IPsec > IPsec connections. For details, see How to apply NAT over a Site-to-Site IPsec VPN connection.

  • To add a NAT rule manually, select Add NAT rule and then select New NAT rule.
  • To create destination NAT rules and the related firewall rules automatically, select Add NAT rule and then select Server access assistant (DNAT).

Server access assistant (DNAT)

Use Server access assistant to create DNAT rules to translate incoming traffic to servers, such as web, mail, SSH, or other servers, and to access remote desktops. The assistant also creates a reflexive SNAT rule (for outbound traffic from the servers), a loopback rule (for internal users accessing the servers), and a firewall rule (to allow inbound traffic to the servers) automatically.

Rule table actions

  • To see IPv4 or IPv6 rules in the rule table, select IPv4 or IPv6.
  • To hide or show the rule filter, select Disable filter or Enable filter respectively.
  • To reset the rule filter, select Reset filter.
  • To turn off rules, select the rules and then select Disable.
  • To delete rules, select the rules and then select Delete.
  • To change the sequence of a rule, click and drag the rule handle. Sophos Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. So, position specific rules above less specific rules.

Click More options to specify the following actions:

  • To turn on or turn off a rule, select the switch.
  • To edit or delete a rule, select the action.
  • To add a rule next to an existing rule, select the action.
  • To unlink a rule from the firewall rule, select Unlink rule.
  • To reset the number of times a rule was in use, select Reset usage count. This setting is useful when troubleshooting.

Firewall rules and NAT rules

Firewall rules allow or drop traffic entering and exiting the network. NAT rules translate IP addresses for traffic the firewall rule allows. So, you must create firewall rules even if you have created NAT rules.

If Sophos Firewall doesn't find a firewall rule that matches the traffic criteria, it drops the traffic and logs the event. If it doesn't find a matching NAT rule, it allows the traffic to flow but doesn't translate the IP address.

For NAT rules, the matching criteria are the original (pre-NAT) source, destination, and service, and the inbound and outbound interfaces. The order in which Sophos Firewall looks up and applies NAT and firewall rules is as follows:

  • Outgoing traffic: Sophos Firewall applies the firewall rule first and then the SNAT rule.
  • Incoming traffic: Sophos Firewall looks up the DNAT rule first to determine the translated (post-NAT) destination. It then matches the firewall rule based on the source and destination zones, source and destination networks, services, and schedule. For the destination zone, it uses the zone to which the translated (post-NAT) destination belongs.

    Example

    For traffic from the WAN or the LAN zones to your web server in the DMZ, you can create a DNAT rule to translate your public IP address (original destination) to the web server's IP address (translated destination).

    When packets arrive, Sophos Firewall looks up the DNAT rule. It identifies the zone containing the translated destination that you specified. In this example, it identifies DMZ as the destination zone.

    So, to create a firewall rule matching this traffic, you must set the destination zone to DMZ.

    For an example of how to create a DNAT rule and the corresponding firewall rule, see Create DNAT and firewall rules for internal servers.
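    The lookup order for incoming traffic described above, simulated as an added example (not Sophos code). The zones, the DNAT rule (203.0.113.10 to a DMZ web server at 10.10.10.5) and the two candidate firewall rules are constructed for illustration; the point it shows is that the firewall rule must name the zone of the translated (post-NAT) destination, DMZ, and that a missing NAT match still reaches the firewall rules untranslated while a missing firewall match is dropped.

```python
import ipaddress

# Constructed zone map and rules for illustration (not a real configuration).
ZONES = {
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
}
# Hypothetical DNAT rule: public address 203.0.113.10 -> DMZ web server 10.10.10.5.
DNAT_RULES = [{"orig_dst": "203.0.113.10", "service": "tcp/443", "xlate_dst": "10.10.10.5"}]
# Two candidate firewall rules. Only the one whose destination zone is the zone of the
# translated (post-NAT) destination, DMZ, can match the forwarded web traffic.
FW_RULES = [
    {"name": "wan-to-wan", "src_zone": "WAN", "dst_zone": "WAN", "service": "tcp/443"},
    {"name": "web-dmz", "src_zone": "WAN", "dst_zone": "DMZ", "service": "tcp/443"},
]


def zone_of(ip):
    """Zone whose network contains the address, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)


def lookup_dnat(dst, service):
    """First DNAT rule whose original (pre-NAT) destination and service match."""
    return next((r for r in DNAT_RULES
                 if r["orig_dst"] == dst and r["service"] == service), None)


def process_incoming(src, dst, service):
    """Incoming traffic: DNAT lookup first, then the firewall rule is matched on the
    zone of the post-NAT destination. Returns (decision, post-NAT dst, rule name)."""
    dnat = lookup_dnat(dst, service)
    # No DNAT match: the packet still goes to the firewall rules, untranslated.
    post_dst = dnat["xlate_dst"] if dnat else dst
    src_zone, dst_zone = zone_of(src), zone_of(post_dst)
    for rule in FW_RULES:  # top-down, first match wins
        if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                and rule["service"] == service):
            return ("allow", post_dst, rule["name"])
    return ("drop", post_dst, None)  # no firewall rule matched: dropped and logged
```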

Source NAT

The factory configuration has a default source NAT (SNAT) rule with the translated source set to MASQ.

Tip

By default, MASQ in an SNAT rule translates the original IP address to the WAN IP address.

However, for route-based VPNs, configured with Any for the local and remote subnets or IP version set to Dual, the firewall translates the original source to the XFRM IP address for the translated source set to MASQ.

You can see the XFRM IP address in TCP dump and packet capture. The IP addresses are shown as follows:

  • WAN IP address: On the outer IP header of the encapsulated packet.
  • XFRM IP address: On the inner IP header for the source.

SNAT rules for outgoing traffic enable internal clients and servers to access external hosts. Sophos Firewall can translate the source IP address of multiple internal clients and servers to the same public IP address with different port numbers. You can configure an IP address or IP range as the translated source.

Note

If you configure an IP address range as the translated source, Sophos Firewall assigns the next available IP address in the range. It doesn't perform one-to-one translation even if the number of IP addresses in the range is the same for the original and translated sources.

You can also define interface-specific NAT to translate the IP addresses of one or more internal hosts to the IP address you specify for an outbound interface.

You can't create an SNAT rule using a public interface that's a bridge member because bridge members don't belong to a zone. If you configure a public interface as a bridge member, source NAT rules using the interface are deleted.

Destination NAT

You can create destination NAT (DNAT) rules for incoming traffic to enable external hosts to access internal clients and servers. You can specify one-to-one, many-to-one, many-to-many, and one-to-many translation from your public IP addresses to private IP addresses.

Load balancing and failover

You can specify a load balancing method for the translated destination hosts, for example, web or email servers. You can select round robin, first alive, random, sticky IP, or one-to-one as the load balancing method.

Note

You must select Health check and specify the settings if you want the firewall to determine whether a server is available.

Round robin

Sends requests to each server sequentially, starting with the first available server on the list. The firewall then sends the next request to the next server on the list and so on.

Use this to distribute the number of connections equally when you don’t need session persistence.

Example

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers:

  • First request: 10.10.10.1
  • Second request: 10.10.10.2
  • Third request: 10.10.10.3
  • Fourth request: 10.10.10.1

First alive

Sends requests to the first available server on the list. The firewall sends requests to the next server only when the first server becomes unavailable, which requires the health check settings to be specified.

Use this if you want to send all requests to a high-bandwidth server and use the other servers only as backups.

Example

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers: All requests are sent to 10.10.10.1 when it's available.

Random

Sends requests to the servers randomly.

Example

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers: Sends requests to the servers randomly.

Sticky IP

The firewall derives a hash from the source IP address and the original destination IP address. It then takes the hash modulo the number of servers to select the translated destination IP address. So, for a given source-destination pair, the server remains the same.

If the assigned server becomes unavailable, the firewall sends the traffic to the next available server until the previously assigned server becomes available (if you've specified the health check settings). However, the firewall keeps existing stateful connections on the fallback server and sends only new connections to the previously unavailable server.

Use this when you want session persistence for applications, such as shopping carts and banking transactions.

Example

Source IP address: 192.168.1.0/24

Original destination: 172.16.1.1 to 172.16.1.4

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers: Suppose the modulo for a hash (source 192.168.1.1 and original destination 172.16.1.1) points to 10.10.10.3. Requests from this source to this original destination are always sent to 10.10.10.3 as long as the server is available.

One-to-one

Performs one-to-one mapping of the original and translated destination IP addresses in the listed order and sends requests to servers according to this mapping.

For example, the firewall always sends requests reaching the first original destination to the first translated destination on the list.

To save the rule, make sure the original and translated destinations have an equal number of IP addresses.

Example

Original destination: 172.16.1.1 to 172.16.1.3

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers:

  • Requests to 172.16.1.1 are sent to 10.10.10.1.
  • Requests to 172.16.1.2 are sent to 10.10.10.2.
  • Requests to 172.16.1.3 are sent to 10.10.10.3.
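The round robin, first alive, sticky IP and one-to-one methods described above, worked through as an added example (not Sophos code). The server pool and the original destinations are the page's own example addresses; the health map, the fallback order for sticky IP (next server in list order) and the SHA-256 hash are assumptions, since the page does not say which hash the firewall uses.

```python
import hashlib

# Constructed pool matching the page's examples: translated destinations 10.10.10.1-3.
SERVERS = ["10.10.10.1", "10.10.10.2", "10.10.10.3"]


def alive(servers, health):
    """Servers the health check reports as available, in list order. A server missing
    from the health map is treated as available (no health check configured)."""
    return [s for s in servers if health.get(s, True)]


class RoundRobin:
    """Sequential distribution over the available servers, wrapping to the first."""
    def __init__(self, servers):
        self.servers, self.count = servers, 0

    def pick(self, health):
        pool = alive(self.servers, health)
        if not pool:
            return None
        server = pool[self.count % len(pool)]
        self.count += 1
        return server

    def sequence(self, n, health):
        """Servers assigned to the next n requests."""
        return [self.pick(health) for _ in range(n)]


def first_alive(servers, health):
    """All requests go to the first available server; the rest are backups."""
    pool = alive(servers, health)
    return pool[0] if pool else None


def sticky_ip(src, orig_dst, servers, health):
    """Hash the (source, original destination) pair and take it modulo the server
    count. While the assigned server is down, fall back to the next available one.
    The hash function is an assumption; the page does not say which one is used."""
    digest = hashlib.sha256(f"{src}|{orig_dst}".encode()).digest()
    idx = int.from_bytes(digest[:4], "big") % len(servers)
    for step in range(len(servers)):
        candidate = servers[(idx + step) % len(servers)]
        if health.get(candidate, True):
            return candidate
    return None


def one_to_one(orig_dst, originals, translated):
    """Positional mapping; both lists must be equal in length to save the rule."""
    if len(originals) != len(translated):
        raise ValueError("original and translated destinations must be equal in number")
    return translated[originals.index(orig_dst)]
```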

Service translation

Sophos Firewall implements port forwarding with service translation. Services are a combination of protocols and ports. The translated protocol must match the original protocol.

Sophos Firewall implements one-to-one, many-to-one, and many-to-many translation. For many-to-many translation, the ports for the original and translated services must be equal in number.

Note

The web admin console of Sophos Firewall and the user portal are accessible over HTTPS through the default ports 4444 and 443 respectively. If your public IP addresses are configured with HTTPS port forwarding to internal web servers, go to Administration > Admin settings and specify unused ports for Admin console HTTPS port and User portal HTTPS port. Alternatively, specify a different port for your web servers.

Loopback rules

You can create loopback rules from destination NAT rules to allow internal hosts to communicate with other internal hosts over the external IP address or the domain name. For example, create a destination NAT rule to translate incoming traffic to your servers and create a loopback rule.

To create a loopback rule, specify the following destination NAT rule criteria:

  • Original source: Any
  • Translated source: MASQ
  • Translated destination: Don't set to original.

Reflexive rules

You can create mirror NAT rules for destination NAT rules. These are SNAT rules that reverse the destination rule's matching criteria. For example, create a destination NAT rule to translate incoming traffic to an internal server. The corresponding reflexive rule will allow traffic from the server to the source specified in the destination NAT rule.

If the original destination isn't an IP address or is translated, the translated source is masqueraded.

Linked NAT rules

You can create linked NAT rules when you create firewall rules. These are SNAT rules and appear in the NAT rule table.

All the matching criteria of a firewall rule, including users and schedule, apply to its linked NAT rule. You can't edit these settings in the NAT rule. In a linked NAT rule, you can only specify the translated sources, including interface-specific translated sources.

Sophos Firewall matches a linked NAT rule only with traffic related to the firewall rule to which it's linked. However, if it finds a match with a rule above the linked NAT rule, it applies that rule's settings.

Tip

We recommend that you don't create new linked NAT rules when a generic NAT rule matches the traffic. Create NAT rules independently to simplify your configuration because you need fewer NAT rules than firewall rules. For example, you may only need a single SNAT rule to masquerade outgoing traffic in a simple environment. You don't need to create an SNAT rule for each firewall rule.

Migrated NAT configurations

When you migrate from 17.5 to SFOS 18.0 or later, Sophos Firewall migrates the NAT settings of firewall rules as NAT rules and lists them in the NAT rule table. You can't define a gateway-based NAT configuration any longer.

Source NAT settings are migrated as linked NAT rules. These rules are linked to the original firewall rule. You can identify these by the firewall rule ID and name in the NAT rule table.

Destination NAT settings are migrated as independent NAT rules and aren't linked to a firewall rule.

Pre-migration rules             Post-migration rules
------------------------------  --------------------------------------------------------------------
User/Network rules              Source or destination NAT rules based on the pre-migration criteria.
Email clients                   Source NAT rules.
DNAT/Full NAT/Load balancing    Destination NAT rules with corresponding firewall rules.
Email servers                   Destination NAT rules.

NAT settings are migrated as follows:

Source NAT (SNAT) rules:

  • Masqueraded and translated source addresses are migrated as they are.
  • If the rule wasn't configured with gateway-specific NAT, the translated destination is set to MASQ.
  • Default source NAT rules aren't created for public interfaces that are bridge members.

User-network rules with gateway-specific NAT policy and email client (business application) rules: These are migrated as firewall rules and linked (source) NAT rules. The migrated NAT rules will have the following settings:

  • Inbound and outbound interfaces are set to Any.
  • Translated destination is set to Original.
  • Override source translation for specific outbound interfaces is selected in the migrated NAT rule.

Translated source for the outbound interface is set based on the following pre-migration configurations:

  • Gateway doesn't have an interface attached: Not migrated.
  • Interface attached to the specified gateway isn't attached to another gateway: NAT policy host of the gateway.
  • Interface attached to the specified gateway is also attached to the default gateway: NAT policy host of the default gateway, and Original for the other gateways.
  • Interface attached to the specified gateway is attached to other gateways (and not to the default gateway): NAT policy host of the first gateway, and Original for the other gateways.
  • Override default NAT policy for specific gateway was selected: NAT policy host of the specified gateway (not the default NAT policy host).

Destination NAT rules: When you migrate a destination NAT (business application) rule, the corresponding migrated NAT rule lists inbound interfaces based on the source zone. They are as follows:

  • Interfaces that belong to the source zone specified in the destination NAT rule.
  • Bridge interface, if it belongs to the source zone.
  • The default selection Any if no interface belongs to the source zone.

Destination NAT rule with source NAT rule: DNAT rules are migrated as independent firewall and NAT rules. If a reflexive rule was selected, it is migrated as a firewall rule and a linked NAT rule.

Email server (business application) rules: Their migration follows the DNAT rule migration principles. Other migration settings are as follows:

Email server rules                   Migrated settings
-----------------------------------  -------------------------------------------------------------
Users and groups                     Migrated to firewall rules.
Allowed client networks              Source networks and devices in firewall rules.
Blocked client networks              Exclusions to Source networks and devices in firewall rules.
Protected zones                      Destination zones are set to Any in firewall rules.
Protected zones in reflexive rule    Source zones in firewall rules.
Protected servers                    Translated destination (DNAT) in destination NAT rules.
Protected servers in reflexive rule  Source networks and devices in firewall rules.

Clean up linked NAT rules in the rule table

Source NAT settings are migrated as linked NAT rules. These rules are linked to the original firewall rule.

When you migrate to SFOS 18.0 or later, many linked NAT (source NAT) rules may be created in the NAT rule table. They are linked to firewall rules that didn't have NAT settings configured or had implemented NAT based on users and schedule prior to migration.

We didn't prune these rules automatically to ensure that there's no behavior change after migration. However, you can delete them. They are linked NAT rules with the following criteria:

  • Translated source set to MASQ.
  • Linked to firewall rules that have destination zone set only to WAN.

At the bottom of the rule table, we added a default source NAT rule (Default SNAT IPv4 or Default SNAT IPv6) with translated source set to MASQ. The rule is turned off by default. You can reposition this rule to replace the deleted rules and turn it on.

In the NAT rule table, the box below the rule filtering menu gives the following options for these linked NAT rules:

  • Understood. Don't delete rules: Won't delete the rules. Won't show the box again.
  • Delete linked NAT rules (only MASQ; Destination: WAN): Deletes the linked NAT rules with translated source set to MASQ and linked to firewall rules that have destination zone set only to WAN.
  • Select the X button on the upper right to hide the box temporarily. The box reappears when you open the page later.