NAT configurations

The firewall offers NAT rules, CLI configuration, and IPsec NAT settings to translate different types of traffic.

NAT rules translate forwarded traffic. To translate system-generated traffic and interface addresses, you must use the CLI. To translate the local and remote subnets in site-to-site IPsec VPNs, you must use the NAT settings in the IPsec configuration.

Forwarded traffic

Forwarded traffic is traffic that passes through the firewall.

NAT rules

You can create source NAT (SNAT) and destination NAT (DNAT) rules to allow traffic flow between private and public networks by translating non-routable private IP addresses to routable public IP addresses. You can create NAT rules for IPv4 and IPv6 networks.

You can specify loopback and reflexive rules for a DNAT rule. These rules remain independent of the original rule from which they've been created. Changing or deleting the original NAT rule doesn't affect them.

Linked NAT rules are SNAT rules that are created from firewall rules. Sophos Firewall automatically adds a linked NAT rule to match traffic for email MTA mode.

See Types of NAT rules.

Site-to-site IPsec tunnels with overlapping subnets

To allow traffic flow between overlapping local subnets in networks on either end of a site-to-site IPsec tunnel, you must configure the NAT settings in Site-to-site VPN > IPsec > IPsec connections. See Routing and NAT for IPsec tunnels.

This requirement applies to policy-based tunnels. It applies to route-based VPN tunnels if you've selected local and remote subnets.

Note

To translate forwarded traffic passing through route-based IPsec VPN tunnels when you've configured the local and remote subnets with Any, you must use NAT rules.
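The following is an added illustration, not Sophos Firewall code, of why both ends of a tunnel with overlapping subnets need translation. Both sites use 192.168.1.0/24 (constructed); each firewall presents its LAN to the tunnel as a distinct virtual subnet (10.10.1.0/24 and 10.10.2.0/24, also constructed), translating the source on the way out and the destination on the way in, so hosts address the peer by its virtual address and every address on the wire is unambiguous.

```python
"""Overlapping-subnet NAT on a site-to-site tunnel, modelled in Python.

Added example; it is not Sophos Firewall code and does not use its API.
Site names, subnets and host addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def needs_translation(local: IPv4Network, remote: IPv4Network) -> bool:
    """True when the two LANs overlap and cannot be routed across a tunnel as-is."""
    return local.overlaps(remote)


def map_host(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """1:1 network translation: keep the host offset, swap the network prefix."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 subnet NAT needs equal-sized networks")
    if addr not in src:
        raise ValueError(f"{addr} is not in {src}")
    offset = int(addr) - int(src.network_address)
    return dst.network_address + offset


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class TunnelSite:
    """One tunnel endpoint: real_net is the actual LAN, virtual_net is what the peer sees."""
    name: str
    real_net: IPv4Network
    virtual_net: IPv4Network

    def outbound(self, pkt: Packet) -> Packet:
        # Leaving this site into the tunnel: SNAT real source -> virtual source
        return Packet(map_host(pkt.src, self.real_net, self.virtual_net), pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        # Arriving from the tunnel: DNAT virtual destination -> real destination
        return Packet(pkt.src, map_host(pkt.dst, self.virtual_net, self.real_net))


# Constructed topology: identical LANs on both sides, distinct virtual subnets
SITE_A = TunnelSite("A", IPv4Network("192.168.1.0/24"), IPv4Network("10.10.1.0/24"))
SITE_B = TunnelSite("B", IPv4Network("192.168.1.0/24"), IPv4Network("10.10.2.0/24"))
A_HOST = IPv4Address("192.168.1.50")   # real address of a host at site A
B_HOST = IPv4Address("192.168.1.20")   # real address of a server at site B


def round_trip(site_a: TunnelSite, site_b: TunnelSite,
               a_host: IPv4Address, b_host: IPv4Address) -> tuple[Packet, Packet]:
    """Request from a_host to b_host and the reply; returns what each LAN actually sees."""
    # The host at A addresses the peer by its virtual address, never 192.168.1.20
    request = Packet(a_host, map_host(b_host, site_b.real_net, site_b.virtual_net))
    delivered_b = site_b.inbound(site_a.outbound(request))
    reply = Packet(delivered_b.dst, delivered_b.src)
    delivered_a = site_a.inbound(site_b.outbound(reply))
    return delivered_b, delivered_a


def demo() -> dict:
    """Run the constructed scenario and return the addresses as strings."""
    delivered_b, delivered_a = round_trip(SITE_A, SITE_B, A_HOST, B_HOST)
    return {
        "overlap": needs_translation(SITE_A.real_net, SITE_B.real_net),
        "virtual_overlap": needs_translation(SITE_A.virtual_net, SITE_B.virtual_net),
        "delivered_at_b": (str(delivered_b.src), str(delivered_b.dst)),
        "delivered_at_a": (str(delivered_a.src), str(delivered_a.dst)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server at B sees the request arrive from 10.10.1.50 and its reply is translated back to 192.168.1.50 at A; if either side skipped its translation step, the firewall would have to route a 192.168.1.x destination that exists on both sides of the tunnel.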

System-generated traffic and interface address

Using the CLI, you can translate the source IP address of system-generated traffic, that is, traffic that originates from the firewall itself for firewall services such as DHCP and authentication. By default, system-generated traffic uses WAN link load balancing.

You can also use the same CLI configuration to translate source addresses, including the firewall's interface addresses.

For the configuration examples, see NAT for system-generated traffic and interfaces.

The firewall matches traffic in the order in which the NAT configurations are listed on the CLI. You can see these NAT configurations using the following command:

show advanced-firewall
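Because matching is first-match in list order, a broad translation listed above a narrower one silently takes every packet the narrower one was meant for. The following added example, not Sophos Firewall code and not its rule format, models that ordering with constructed rules and flags the entries that can never be reached.

```python
"""First-match evaluation of an ordered list of source-translation rules.

Added example; it is not Sophos Firewall code and the rule fields
(destination, interface, snat_ip) are a constructed simplification.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class SnatRule:
    name: str
    destination: IPv4Network          # traffic towards this destination matches
    snat_ip: IPv4Address              # source address to present
    interface: Optional[str] = None   # optional egress interface constraint


def first_match(rules: list[SnatRule], dst: IPv4Address,
                interface: str) -> Optional[SnatRule]:
    """Walk the list in order and return the first rule whose criteria match."""
    for rule in rules:
        if dst in rule.destination and rule.interface in (None, interface):
            return rule
    return None


def shadowed_rules(rules: list[SnatRule]) -> list[int]:
    """Indices of rules that can never match because an earlier rule covers
    a superset of their traffic (wider or equal destination, same or no
    interface constraint)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_dst = later.destination.subnet_of(earlier.destination)
            covers_if = earlier.interface in (None, later.interface)
            if covers_dst and covers_if:
                shadowed.append(i)
                break
    return shadowed


# Constructed rule list, in the order it would be evaluated
RULES = [
    SnatRule("mpls", IPv4Network("10.50.0.0/16"), IPv4Address("10.50.255.1")),
    SnatRule("wan-alias", IPv4Network("0.0.0.0/0"), IPv4Address("203.0.113.10"),
             interface="Port2"),
    # Narrower than "mpls" but listed after it, so it is never reached
    SnatRule("site7", IPv4Network("10.50.7.0/24"), IPv4Address("10.50.7.254")),
]


def lookup(dst: str, interface: str, rules: list[SnatRule] = RULES) -> Optional[str]:
    """Convenience wrapper: name of the winning rule for a destination, or None."""
    rule = first_match(rules, IPv4Address(dst), interface)
    return rule.name if rule else None


def shadowed_names(rules: list[SnatRule] = RULES) -> list[str]:
    return [rules[i].name for i in shadowed_rules(rules)]


if __name__ == "__main__":
    print("10.50.7.9 via Port1 ->", lookup("10.50.7.9", "Port1"))        # mpls, not site7
    print("198.51.100.5 via Port2 ->", lookup("198.51.100.5", "Port2"))  # wan-alias
    print("198.51.100.5 via Port1 ->", lookup("198.51.100.5", "Port1"))  # None
    print("shadowed:", shadowed_names())                                  # ['site7']
```

Moving the more specific entry above the wider one (site7 before mpls) clears the shadowing; the same check is worth running against the output of `show advanced-firewall` after any reorder.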

Use cases

The following are a few use cases for source translation using the CLI:

  • VPN tunnels: Send system-generated traffic, such as DHCP and authentication requests, through site-to-site IPsec tunnels.

  • Multiple WAN links: When you have more WAN links than WAN interfaces on the firewall, you can configure alias IP addresses for the WAN links. You can then translate the physical interface addresses to the corresponding alias addresses.

    Note

    Routing configurations always use the main interface. To use an alias as the source IP address, you must translate the interface address to the alias address.

  • Mail flow: Translate mail traffic to the alias IP address required for upstream relay or to match the address in MX records.

  • Private IP address:

    • Destination WAN: To keep the internal IP address private, for example, DHCP requests from a LAN interface.
    • Internal destination: To make sure certain traffic has a specific source IP address, for example, in MPLS networks.

  • Server access: Use a specific source IP address to access certain web servers.