
Use SD-WAN routes for DNAT

You can use SD-WAN routes to route DNAT traffic to an internal server in a remote network.

Scenario

This example is based on the following deployment:

  • An internal server in a remote network that can be accessed over TCP port 3389.
  • Sophos Firewall and the remote firewall are connected through route-based IPsec VPN.
  • The internal server behind the remote firewall can be reached through the gw6 gateway.

Network diagram

DNAT with IPsec and SD-WAN route.

Requirements

Make sure you have the following configurations:

Configure IP host

To create an IP host object for your internal server, do as follows:

  1. Go to Hosts and services > IP host and click Add.
  2. Enter a name. This example uses Internal_Server.
  3. Under IP version, select IPv4.
  4. Under Type, select IP.
  5. Under IP address, enter the IP address of your internal server.
  6. Click Save.

Configure gateway object

You must configure a gateway object for the gateway where the remote internal server can be reached. To configure a gateway object, do as follows:

  1. Go to Routing > Gateways.
  2. Under IPv4 gateway, click Add.
  3. Enter a name. This example uses gw6.
  4. Under Gateway IP, enter the remote gateway's IP address. This example uses 10.12.13.2.
  5. Under Interface, select the interface of the gateway. This example uses xfrm1-10.12.13.1.
  6. Under Monitoring condition, enter the IP address of a host device behind the gateway. This example uses 10.12.13.2.

For more information, see Add a gateway.

DNAT SD-WAN route gateway.

Configure DNAT

To configure DNAT, do as follows:

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule > New NAT rule.
  3. Enter a name. This example uses DNAT_RDP.
  4. Under Translated source (SNAT), select MASQ. This ensures that the reply traffic will be sent back to Sophos Firewall.
  5. Under Original destination, select the WAN interface on which the internal server can be reached. This example uses #Port1.
  6. Under Translated destination (DNAT), select your internal server. This example uses Internal_Server.
  7. Under Original service, select the service object for the port on which the internal server can be reached. This example uses 3389.
  8. Click Save.

DNAT rule.

Configure SD-WAN route

To configure an SD-WAN route, do as follows:

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a name. This example uses SD-WAN DNAT.
  4. Under Destination networks, remove Any and select the WAN interface on which the internal server can be reached. This example uses #Port1.
  5. Under Services, remove Any and select the service object for the port on which the internal server can be reached. This example uses TCP 3389.

    If the internal server's external TCP port is different from the internal TCP port, you must use the external TCP port in the SD-WAN route.

    DNAT SD-WAN route traffic selector.

  6. Under Link selection settings, select Primary and Backup gateways.

  7. Under Primary gateway, select the gateway on which the internal server can be reached. This example uses gw6.

    DNAT SD-WAN route link selection.

  8. Click Save.

Route to multiple internal servers

To route traffic to multiple internal servers, you can do as follows:

  • Use the same SD-WAN route if the servers use the same gateway but different TCP ports or WAN IP addresses. Add these ports to the SD-WAN route's services and WAN IP addresses to the destination networks.
  • Use different SD-WAN routes if the servers use different gateways.
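The following is an added example, not Sophos code, that models why the SD-WAN route must list the external port (the note under step 5 of the SD-WAN route procedure) and how one route serves several servers behind the same gateway. It assumes that the SD-WAN route is evaluated against the pre-NAT destination (the WAN interface IP and the external port) while the DNAT rule rewrites the destination, and that MASQ sets the source to the egress interface IP (10.12.13.1 on xfrm1 for gw6). The WAN address 203.0.113.10, the internal server addresses, the second gateway gw7 and its interface IP are constructed for illustration.

```python
"""Model of how a DNAT rule and an SD-WAN route interact on a firewall.

Added example, not Sophos code. Assumption: route lookup uses the PRE-DNAT
destination and external port; DNAT rewrites the destination; MASQ sets the
source to the egress interface IP. All addresses are constructed samples.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    name: str
    original_dst: str      # WAN interface IP (the page's "#Port1")
    original_port: int     # external port clients connect to
    translated_dst: str    # internal server IP
    translated_port: int   # port the server actually listens on
    masq: bool = True      # Translated source (SNAT) = MASQ


@dataclass(frozen=True)
class SdwanRoute:
    name: str
    dst_networks: tuple    # CIDR strings, e.g. ("203.0.113.10/32",)
    services: tuple        # (proto, port) pairs using EXTERNAL ports
    primary_gw: str
    backup_gw: Optional[str] = None


# Constructed: egress interface IP per gateway (xfrm1 = 10.12.13.1 for gw6 on the page;
# gw7 / 10.12.14.1 is a hypothetical second tunnel used only for the failover case)
GATEWAY_IFACE_IP = {"gw6": "10.12.13.1", "gw7": "10.12.14.1"}


def apply_dnat(pkt, rules):
    """First matching DNAT rule rewrites the destination IP and port."""
    for r in rules:
        if pkt.proto == "tcp" and pkt.dst == r.original_dst and pkt.dport == r.original_port:
            return replace(pkt, dst=r.translated_dst, dport=r.translated_port), r
    return pkt, None


def select_sdwan_route(original_pkt, routes):
    """Route lookup is modelled on the PRE-DNAT destination and external port."""
    dst = ip_address(original_pkt.dst)
    for rt in routes:
        in_net = any(dst in ip_network(n) for n in rt.dst_networks)
        svc_ok = (original_pkt.proto, original_pkt.dport) in rt.services
        if in_net and svc_ok:
            return rt
    return None


def forward(pkt, rules, routes, gateway_up=None):
    """Return (gateway, packet as it leaves the firewall), or None when no SD-WAN
    route matches (the traffic would then fall back to the ordinary routing table)."""
    gateway_up = {} if gateway_up is None else gateway_up
    translated, rule = apply_dnat(pkt, rules)
    route = select_sdwan_route(pkt, routes)   # note: original packet, not translated
    if route is None:
        return None
    gw = route.primary_gw
    if not gateway_up.get(gw, True) and route.backup_gw:
        gw = route.backup_gw                  # primary down: use the backup gateway
    if rule is not None and rule.masq:
        # MASQ: source becomes the egress interface IP, so the server's replies
        # return through the tunnel to the firewall rather than its own default route
        translated = replace(translated, src=GATEWAY_IFACE_IP[gw])
    return gw, translated


# Constructed sample configuration
WAN_IP = "203.0.113.10"          # stands in for #Port1
CLIENT = "198.51.100.5"
RULES = [
    DnatRule("DNAT_RDP", WAN_IP, 3389, "192.0.2.20", 3389),     # same port inside and out
    DnatRule("DNAT_RDP_B", WAN_IP, 33890, "192.0.2.21", 3389),  # external port differs
]
# One route for both servers: both EXTERNAL ports listed, same gateway
ROUTE_OK = SdwanRoute("SD-WAN DNAT", (f"{WAN_IP}/32",), (("tcp", 3389), ("tcp", 33890)), "gw6", "gw7")
# Misconfiguration: lists only the internal port, so the second server's traffic never matches
ROUTE_WRONG = SdwanRoute("SD-WAN DNAT (internal port only)", (f"{WAN_IP}/32",), (("tcp", 3389),), "gw6")


def demo():
    return {
        "rdp": forward(Packet(CLIENT, WAN_IP, 3389), RULES, [ROUTE_OK]),
        "rdp_b": forward(Packet(CLIENT, WAN_IP, 33890), RULES, [ROUTE_OK]),
        "rdp_b_wrong_port": forward(Packet(CLIENT, WAN_IP, 33890), RULES, [ROUTE_WRONG]),
        "failover": forward(Packet(CLIENT, WAN_IP, 3389), RULES, [ROUTE_OK], {"gw6": False}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the block shows the second server (external port 33890) reaching gw6 only when the route lists 33890; with the internal port alone the route does not match and the packet would leave by the default route, bypassing the tunnel. The same single route carries both servers because they share a gateway, which is the first of the two cases above; servers behind different gateways would need a route each.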