Create a source NAT rule for a mail server (legacy mode)

This example shows how to create a source NAT (SNAT) rule for a mail server in legacy mode.

Introduction

For outgoing traffic, you can configure an SNAT rule to translate the mail server's private IP address to a public IP address other than the firewall's default masquerade address. This is useful in situations where the WAN interface's primary IP address isn't the IP address used by the MX record for outgoing emails.

To configure the SNAT rule, do as follows:

  • Create an alias.
  • Add an IP host.
  • Add a NAT rule.
  • Create a firewall rule.

Example scenario

In this example, you have a network with WAN ports assigned from the IP addresses 192.0.2.9 to 192.0.2.14. All traffic going to the outside network will be sent through 192.0.2.9 by default.

Email server network diagram.

Create an alias

  1. Go to Network > Interfaces.
  2. Click Add interface and then select Add alias from the drop-down menu.
  3. Specify the following settings:

    Name                Description
    Physical interface  WAN interface
    IP version          IPv4
    IPv4/Netmask        The additional address (alias) for the WAN interface and corresponding netmask.

    The following image shows an example of how to configure the settings:

    Settings for the add alias section.

  4. Click Save.

Add an IP host

  1. Go to Hosts and services > IP host.
  2. Click Add.
  3. Specify the following settings:

    Name        Description
    IP family   IPv4
    Type        IP
    IP address  192.0.2.10

    The following image shows an example of how to configure the settings:

    IP host settings.

  4. Click Save.

Add a NAT rule

  1. Go to Rules and policies > NAT rules > New NAT rule.
  2. Specify the following settings:

    Name                           Description
    Rule position                  Top
    Original source                Your email server
    Translated source (SNAT)       SNAT_IP
    Original destination           Any
    Translated destination (DNAT)  Original
    Original service               Any
    Translated service (PAT)       Original
    Inbound interface              Port1
    Outbound interface             Port2

    The following image shows an example of how to configure the settings:

    NAT rule settings.

  3. Click Save.

Create a firewall rule

  1. Go to Rules and policies > Firewall rules > Add firewall rule.
  2. Specify the following settings:

    Name                         Description
    Action                       Accept
    Rule position                Top
    Source zones                 LAN
    Source networks and devices  Email Server
    During scheduled time        All the time
    Destination zones            WAN
    Destination networks         Any
    Services                     Any

    The following image shows an example of how to configure the settings:

    Firewall rule settings.

  3. Click Save.
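
The rule order this procedure relies on, as an added example that is not part of the original page and is not the firewall's own code: a small Python model of first-match NAT evaluation that checks whether the mail server leaves as 192.0.2.10 and whether every translated source is an address configured on the WAN side. The mail server address 10.0.0.25, the rule names, the catch-all masquerade rule and top-down first-match evaluation are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the example scenario on this page.
WAN_ADDRESSES = [ipaddress.ip_address(f"192.0.2.{n}") for n in range(9, 15)]
DEFAULT_MASQ = ipaddress.ip_address("192.0.2.9")
SNAT_IP = ipaddress.ip_address("192.0.2.10")
# Assumption: constructed private address; the page does not give one.
MAIL_SERVER = "10.0.0.25"

@dataclass
class NatRule:
    name: str
    source: str    # original source, CIDR notation
    in_if: str     # inbound interface
    out_if: str    # outbound interface
    snat: str      # translated source

def translate(rules, src, in_if="Port1", out_if="Port2"):
    """Return (rule name, egress address) using the first matching rule."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if (addr in ipaddress.ip_network(rule.source)
                and (in_if, out_if) == (rule.in_if, rule.out_if)):
            return rule.name, ipaddress.ip_address(rule.snat)
    return None, addr  # no rule matched: source is left untranslated

def audit(rules, mail_server=MAIL_SERVER):
    """List reasons why mail would not leave from SNAT_IP."""
    problems = []
    name, egress = translate(rules, mail_server)
    if egress != SNAT_IP:
        problems.append(f"mail leaves as {egress} via {name!r}, expected {SNAT_IP}")
    for rule in rules:
        if ipaddress.ip_address(rule.snat) not in WAN_ADDRESSES:
            problems.append(f"{rule.name!r} translates to {rule.snat}, "
                            "which is not configured on the WAN interface")
    return problems

# Constructed rule set: the mail rule from this page plus a catch-all masquerade.
MAIL_RULE = NatRule("Mail SNAT", f"{MAIL_SERVER}/32", "Port1", "Port2", "192.0.2.10")
MASQ_RULE = NatRule("Default masquerade", "0.0.0.0/0", "Port1", "Port2", "192.0.2.9")

if __name__ == "__main__":
    print(audit([MAIL_RULE, MASQ_RULE]))   # mail rule at the top
    print(audit([MASQ_RULE, MAIL_RULE]))   # mail rule shadowed by the catch-all
    no_alias = NatRule("Mail SNAT", f"{MAIL_SERVER}/32", "Port1", "Port2", "192.0.2.20")
    print(audit([no_alias, MASQ_RULE]))    # SNAT address missing from the WAN side
```

An empty list means the mail server's traffic is translated to 192.0.2.10; each string in a non-empty list names the rule that causes the mismatch.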

Note

For MTA mode, you can edit the firewall rule that the firewall adds automatically when you turn on MTA mode.