
DNAT use-case configuration

Configure a DNAT network using Sophos Firewall with AWS Auto Scaling.

This guide includes instructions for third-party products. We recommend that you check the vendor's latest documentation.

Requirements

You must have a working AWS Auto Scaling deployment. See Sophos Firewall with AWS Auto Scaling.

Network diagram

The diagram below shows an RDP server that can be accessed through DNAT using Sophos Firewall with AWS Auto Scaling.

DNAT use-case.

Firewall management

Configure the Sophos Central firewall group as follows:

  1. Sign in to Sophos Central.
  2. Go to My products > Firewall management > Firewalls.
  3. Click the three dots button for your Auto Scaling group.
  4. Click Manage policy.

Manage policy.

Create IP hosts

Create IP range hosts for the WAN subnets of both availability zones, starting from the second address of each subnet: the first address (.1) is reserved by AWS for the VPC router. The ranges cover every address that a firewall instance's WAN interface can receive in the Auto Scaling group, and they're used later as the original destination of the DNAT rule. Also, create an IP host for the RDP server.

  1. Go to Hosts and services > IP host and click Add.
  2. Enter a name for the IP range of the first availability zone.
  3. Configure the following settings:

    • IP version: IPv4
    • Type: IP range
    • IP Address: 172.25.1.2 - 172.25.1.254
  4. Click Save.

  5. Click Add.
  6. Enter a name for the IP range of the second availability zone.
  7. Configure the following settings:

    • IP version: IPv4
    • Type: IP range
    • IP Address: 172.25.2.2 - 172.25.2.254
  8. Click Save.

  9. Click Add
  10. Enter a name for the RDP server.
  11. Configure the following settings:

    • IP version: IPv4
    • Type: IP
    • IP Address: 172.25.55.149
  12. Click Save.

IP hosts.

Create service ports

Create two services: one for RDP (TCP port 3389) and one for TCP port 8080. The load balancer listener you add later forwards RDP to the firewall instances with destination port 3389 and whatever source port the client used, so each service matches on its destination port and leaves the source port open (1:65535).

  1. Go to Hosts and services > Services and click Add.
  2. Enter a name.
  3. Configure the following settings:

    • Type: TCP/UDP
    • Protocol: TCP
    • Source port: 1:65535
    • Destination port: 3389
  4. Click Save.

    RDP port.

  5. Click Add.

  6. Enter a name.
  7. Configure the following settings:

    • Type: TCP/UDP
    • Protocol: TCP
    • Source port: 1:65535
    • Destination port: 8080
  8. Click Save.

    TCP 8080.

Firewall rules

Create firewall rules as follows:

  1. Go to Rules and policies > Firewall rules > Add firewall rule > New firewall rule.
  2. Enter a name.
  3. Under Action, select Accept.
  4. Under Rule position, select Top.
  5. Turn Log firewall traffic on.
  6. Configure the following settings:

    • Source zone: WAN
    • Source networks and devices: Any
    • Destination zones: WAN
    • Destination networks: The IP range hosts you created.
    • Services: The service ports you created.

    Firewall rule.

  7. Click Save.

NAT rules

Create a DNAT rule for the RDP server as follows. The rule translates the source as well (MASQ): the RDP server then sees the address of the firewall instance that received the connection, so its replies return through that same instance instead of following the server's own default route past the firewall group.

  1. Go to Rules and policies > NAT rules > Add NAT rule > New NAT rule.
  2. Enter a name.
  3. Configure the following settings:

    • Original source: Any
    • Original destination: The IP range hosts you created.
    • Original service: The RDP service you created.
    • Translated source (SNAT): MASQ
    • Translated Destination (DNAT): The RDP server host you created.
    • Translated service (PAT): Original
    • Inbound interface: Any
    • Outbound interface: Any

    DNAT rule.

  4. Click Save.

AWS configuration

Configure the following settings in AWS.

RDP target group

Create the target group for the RDP server as follows:

  1. Go to the AWS web console and sign in.
  2. Search for EC2 and click the EC2 service.
  3. Go to Load balancing > Target groups.
  4. Click Create target group.
  5. Under Basic configuration, select Instances.
  6. Under Target group name, enter a name.
  7. Under Protocol, select TCP.
  8. Under Port, enter 3389.
  9. Under VPC, select your VPC.
  10. Click Next.
  11. Under Available instances, don't select any EC2 instances. The Auto Scaling group registers its firewall instances in the target group itself once you attach it in the next section.
  12. Click Create target group.

RDP target group.

Auto Scaling group

Edit the Auto Scaling group as follows:

  1. Go to Auto Scaling > Auto Scaling groups and click the Auto Scaling group created for the firewall EC2 instances.
  2. In the Integrations tab, under Load balancing, click Edit.
  3. Select the RDP target group you created and click Update.

Auto Scaling group.

Load balancer

Edit the load balancer as follows:

  1. Go to Load balancing > Load balancers and click the load balancer created for the Auto Scaling group of firewall EC2 instances.
  2. In the Listeners tab, click Add listener.
  3. Under Protocol, select TCP.
  4. Under Port, enter 3389.
  5. Under Default action, select the target group you created.
  6. Click Add listener.

Add listener.

You've added a new listener to the network load balancer. It now accepts RDP traffic from the internet and forwards it to the target group, which is backed by the Auto Scaling group of firewall EC2 instances.

Listener.

The network load balancer now exposes TCP port 3389 to the internet. To reach the RDP server, copy the DNS name of the network load balancer from the Details section and connect your RDP client to it. Because the firewall rule accepts any source, restrict Source networks and devices to the client addresses that need RDP before you use this in production.

Auto Scaling load balancer.
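The same three AWS changes (target group, attachment to the Auto Scaling group, listener) as AWS CLI calls, followed by the lookup of the load balancer's DNS name. This is an added example, not a script from the Sophos page or from AWS; the VPC ID, Auto Scaling group name and load balancer ARN are assumed placeholders that you replace with your own, and the ARNs are chained between calls with `--query` so nothing has to be copied from the console.

```shell
#!/bin/sh
# Added example (not from the Sophos page or the AWS console): the same three
# AWS changes as CLI calls, chained by ARN. The VPC ID, Auto Scaling group
# name and load balancer ARN below are assumed placeholders; replace them.
set -eu

AWS=${AWS:-aws}     # set AWS=echo to print the calls instead of running them
VPC_ID=${VPC_ID:-vpc-0123456789abcdef0}                         # assumed
ASG_NAME=${ASG_NAME:-sophos-firewall-asg}                       # assumed
NLB_ARN=${NLB_ARN:-arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/net/sophos-firewall-nlb/0123456789abcdef}  # assumed
TG_NAME=${TG_NAME:-rdp-server-tg}
RDP_PORT=3389

# Target group: TCP/3389, instance targets, created without registering any
# instance by hand; the Auto Scaling group registers its firewall instances.
create_rdp_target_group() {
    "$AWS" elbv2 create-target-group \
        --name "$TG_NAME" --protocol TCP --port "$RDP_PORT" \
        --target-type instance --vpc-id "$VPC_ID" \
        --query 'TargetGroups[0].TargetGroupArn' --output text
}

# Attach the target group ($1 = its ARN) to the firewall Auto Scaling group.
attach_target_group_to_asg() {
    "$AWS" autoscaling attach-load-balancer-target-groups \
        --auto-scaling-group-name "$ASG_NAME" --target-group-arns "$1"
}

# Listener on the existing network load balancer: TCP/3389 forwarding to $1.
add_rdp_listener() {
    "$AWS" elbv2 create-listener \
        --load-balancer-arn "$NLB_ARN" --protocol TCP --port "$RDP_PORT" \
        --default-actions "Type=forward,TargetGroupArn=$1" \
        --query 'Listeners[0].ListenerArn' --output text
}

# The DNS name that RDP clients connect to.
nlb_dns_name() {
    "$AWS" elbv2 describe-load-balancers --load-balancer-arns "$NLB_ARN" \
        --query 'LoadBalancers[0].DNSName' --output text
}

# Whole procedure in order; prints the DNS name to hand to RDP users.
configure_rdp_dnat_path() {
    tg_arn=$(create_rdp_target_group)
    attach_target_group_to_asg "$tg_arn" >/dev/null
    add_rdp_listener "$tg_arn" >/dev/null
    nlb_dns_name
}

# Apply only when explicitly requested, e.g. RUN=1 sh dnat-aws.sh
if [ "${RUN:-0}" = 1 ]; then
    configure_rdp_dnat_path
fi
```

Run it once with `AWS=echo RUN=1 sh dnat-aws.sh` to review the exact calls before letting it touch the account; the functions read `$AWS` at call time, so the same file serves as a dry run and as the real change.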

You now have RDP access to the internal server and the traffic flows through one of the firewall EC2 instances.

Auto Scaling RDP connection.
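To confirm that the path works through every load balancer node rather than only the one your client happened to hit, the following added script (not from the Sophos page) resolves the load balancer's DNS name, opens TCP/3389 to each address it returns, sends an RDP X.224 Connection Request and parses the server's Connection Confirm. A confirm from every address shows that each node forwards to a healthy firewall instance whose DNAT reaches the RDP server. The PDU layout follows MS-RDPBCGR; the sample responses at the end are constructed by hand so the parser can be checked offline.

```python
"""Added example (not part of the Sophos page): probe the NLB -> firewall DNAT
-> RDP server path on every load balancer node with an X.224 Connection Request.
PDU layout from MS-RDPBCGR 2.2.1.1 (Connection Request) and 2.2.1.2 (Confirm).
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1).
PROTOCOL_RDP = 0x00000000      # legacy RDP security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA)

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR/CDT byte 0xE0, DST-REF 0, SRC-REF 0, class 0, then the negotiation request.
    x224 = b"\xe0\x00\x00\x00\x00\x00" + neg_req
    tpdu = bytes([len(x224)]) + x224           # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Return (selected_protocol, failure_name) from an X.224 Connection Confirm.

    A server without negotiation support answers with a bare 11-byte confirm;
    both values are then None, meaning legacy RDP security was selected.
    """
    if len(data) < 11:
        raise ValueError(f"short response ({len(data)} bytes)")
    version, _, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    li, code = data[4], data[5]
    if li != len(data) - 5:
        raise ValueError("X.224 length indicator disagrees with TPKT length")
    if code & 0xF0 != 0xD0:
        raise ValueError(f"not a Connection Confirm (TPDU code 0x{code:02x})")
    neg = data[11:]                            # after DST-REF, SRC-REF, class
    if len(neg) < 8:
        return None, None
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return value, None
    if ntype == TYPE_RDP_NEG_FAILURE:
        return None, FAILURE_CODES.get(value, f"UNKNOWN_{value}")
    raise ValueError(f"unexpected negotiation type 0x{ntype:02x}")


def _recv_tpkt(sock):
    """Read exactly one TPKT-framed PDU (length is in header bytes 2-3)."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before TPKT header")
        buf += chunk
    total = struct.unpack(">H", buf[2:4])[0]
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe_rdp(nlb_dns_name, port=3389, timeout=5.0):
    """Probe each IPv4 address the NLB name resolves to (one per AZ node).

    Returns {ip: (selected_protocol, failure_name)} or {ip: "error: ..."}.
    """
    results = {}
    for *_, sockaddr in socket.getaddrinfo(nlb_dns_name, port, socket.AF_INET, socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in results:
            continue
        try:
            with socket.create_connection((ip, port), timeout=timeout) as sock:
                sock.settimeout(timeout)
                sock.sendall(build_connection_request())
                results[ip] = parse_connection_confirm(_recv_tpkt(sock))
        except (OSError, ValueError) as exc:
            results[ip] = f"error: {exc}"
    return results


# Constructed sample confirms (not captured traffic) for offline checks:
# negotiation response selecting CredSSP, negotiation failure code 5, bare confirm.
SAMPLE_CONFIRM_CREDSSP = bytes.fromhex("030000130ed000001234000200080002000000")
SAMPLE_CONFIRM_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_CONFIRM_BARE = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for ip, outcome in probe_rdp(sys.argv[1]).items():
        print(ip, outcome)
```

Run it as `python3 rdp_probe.py <nlb-dns-name>`; an `error:` entry for one address while the other succeeds points at the firewall instance or zone behind that node rather than at the DNAT rule, and a `HYBRID_REQUIRED_BY_SERVER` failure still proves the path, since only the RDP server itself produces a negotiation failure.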