Types of NAT rules

You can create source NAT (SNAT) and destination NAT (DNAT) rules, including port forwarding rules.

You can create a linked NAT rule from a firewall rule's configuration, and loopback and reflexive rules from a DNAT rule's configuration.

Source NAT

The factory configuration has a default source NAT (SNAT) rule with the translated source set to MASQ.

Note

You can delete the default SNAT rule (Default SNAT IPv4), but it reappears whenever you create or update a WAN interface. We recommend turning this rule off instead if you don't need it.

Tip

By default, MASQ in an SNAT rule translates the original IP address to the WAN IP address.

However, for route-based VPNs configured with Any for the local and remote subnets, or with IP version set to Dual, an SNAT rule whose translated source is MASQ translates the original source to the XFRM IP address rather than the WAN IP address.

You can see the XFRM IP address in tcpdump and packet capture. The IP addresses are shown as follows:

  • WAN IP address: On the outer IP header of the encapsulated packet.
  • XFRM IP address: On the inner IP header, as the source address.

SNAT rules for outgoing traffic enable internal clients and servers to access external hosts. Sophos Firewall can translate the source IP address of multiple internal clients and servers to the same public IP address with different port numbers. You can configure an IP address or IP range as the translated source.

Note

If you configure an IP address range as the translated source, Sophos Firewall assigns the next available IP address in the range. It doesn't perform one-to-one translation even if the number of IP addresses in the range is the same for the original and translated sources.

You can also define interface-specific NAT to translate the IP addresses of one or more internal hosts to the IP address you specify for an outbound interface.

You can't create a SNAT rule using a public interface that's a bridge member because bridge members don't belong to a zone. If you configure a public interface as a bridge member, source NAT rules using the interface are deleted.

Reflexive rules

You can create mirror NAT rules for destination NAT rules. These are SNAT rules that reverse the destination rule's matching criteria. For example, create a destination NAT rule to translate incoming traffic to an internal server. The corresponding reflexive rule will allow traffic from the server to the source specified in the destination NAT rule.

If the original destination isn't an IP address or is translated, the translated source is masqueraded.

Linked NAT rules

You can create linked NAT rules when you create firewall rules. These are SNAT rules and appear in the NAT rule table.

All the matching criteria of a firewall rule, including users and schedule, apply to its linked NAT rule. You can't edit these settings in the NAT rule. You can only specify the translated sources, including interface-specific translated sources in a linked NAT rule.

Sophos Firewall matches linked NAT rules only with traffic related to the firewall rule to which it's linked. However, if it finds a match with a rule above the linked NAT rule, it applies the first rule's settings.

Tip

We recommend that you don't create new linked NAT rules when a generic NAT rule matches the traffic. Create NAT rules independently to simplify your configuration because you need fewer NAT rules than firewall rules. For example, you may only need a single SNAT rule to masquerade outgoing traffic in a simple environment. You don't need to create an SNAT rule for each firewall rule.

Clean up linked NAT rules in the rule table

Source NAT settings are migrated as linked NAT rules. These rules are linked to the original firewall rule.

When you migrate to SFOS 18.0 or later, many linked NAT (source NAT) rules may be created in the NAT rule table. They are linked to firewall rules that didn't have NAT settings configured or had implemented NAT based on users and schedule prior to migration.

We didn't prune these rules automatically to ensure that there's no behavior change after migration. However, you can delete them. They are linked NAT rules with the following criteria:

  • Translated source set to MASQ.
  • Linked to firewall rules that have destination zone set only to WAN.

At the bottom of the rule table, we added a default source NAT rule (Default SNAT IPv4 or Default SNAT IPv6) with translated source set to MASQ. The rule is turned off by default. You can reposition this rule to replace the deleted rules and turn it on.

In the NAT rule table, the box below the rule filtering menu gives the following options for these linked NAT rules:

  • Understood. Don't delete rules: Won't delete the rules. Won't show the box again.
  • Delete linked NAT rules (only MASQ; Destination: WAN): Deletes the linked NAT rules with translated source set to MASQ and linked to firewall rules that have destination zone set only to WAN.
  • Select the X button on the upper right to hide the box temporarily. The box reappears when you open the page later.

Destination NAT

You can create destination NAT (DNAT) rules for incoming traffic to enable external hosts to access internal clients and servers. You can specify one-to-one, many-to-one, many-to-many, and one-to-many translation from your public IP addresses to private IP addresses.

Load balancing and failover

You can specify a load balancing method for the translated destination hosts, for example, web or email servers. You can select round robin, first alive, random, sticky IP, or one-to-one as the load balancing method.

Note

You must select Health check and specify the settings if you want the firewall to determine whether a server is available.

Round robin

Sends requests to each server sequentially, starting with the first available server on the list. The firewall then sends the next request to the next server on the list and so on.

Use this to distribute the number of connections equally when you don’t need session persistence.

Example

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers:

  • First request: 10.10.10.1
  • Second request: 10.10.10.2
  • Third request: 10.10.10.3
  • Fourth request: 10.10.10.1

First alive

Sends requests to the first available server on the list. The firewall only sends requests to the next server when the first server becomes unavailable, which it can detect only if you've specified the health check settings.

Use this if you want to send all requests to a high-bandwidth server and use the other servers only as backups.

Example

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers: All requests are sent to 10.10.10.1 when it's available.

Random

Sends requests to the servers randomly.

Example

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers: Sends requests to the servers randomly.

Sticky IP

The firewall derives a hash from the source IP address and the original destination IP address, then takes that hash modulo the number of servers to select the translated destination IP address. So, for a given source-destination pair, the server remains the same.

If the assigned server becomes unavailable, the firewall sends the traffic to the next available server until the previously assigned server becomes available again (if you've specified the health check settings). Connections already established on the fallback server stay there because the firewall maintains state; only new connections return to the previously unavailable server.

Use this when you want session persistence for applications, such as shopping carts and banking transactions.

Example

Source IP address: 192.168.1.0/24

Original destination: 172.16.1.1 to 172.16.1.4

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers: Suppose the modulo for a hash (source 192.168.1.1 and original destination 172.16.1.1) points to 10.10.10.3. Requests from this source to this original destination are always sent to 10.10.10.3 as long as the server is available.

One-to-one

Performs one-to-one mapping of the original and translated destination IP addresses in the listed order and sends requests to servers according to this mapping.

For example, the firewall always sends requests reaching the first original destination to the first translated destination on the list.

To save the rule, make sure the original and translated destinations have an equal number of IP addresses.

Example

Original destination: 172.16.1.1 to 172.16.1.3

Translated destination: 10.10.10.1 to 10.10.10.3

Assigned servers:

  • Requests to 172.16.1.1 are sent to 10.10.10.1.
  • Requests to 172.16.1.2 are sent to 10.10.10.2.
  • Requests to 172.16.1.3 are sent to 10.10.10.3.
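The selection behavior of the five load balancing methods above, modeled as an added example (not Sophos code). Server availability is a constructed dict standing in for Health check, and the hash used for Sticky IP (SHA-256 of the source/original-destination pair) is an assumption, since the page doesn't name the firewall's hash.

```python
import hashlib
import random

class DnatLoadBalancer:
    """Model of translated-destination selection for a DNAT rule. The health state
    dict and the Sticky IP hash are assumptions made for this example."""

    def __init__(self, translated, original=None, health_check=True):
        self.translated = list(translated)    # translated destinations, in list order
        self.original = list(original or [])  # original destinations (One-to-one only)
        self.health_check = health_check
        self.up = {ip: True for ip in self.translated}  # stand-in for Health check state
        self._rr = 0                          # Round robin cursor

    def _alive(self, ip):
        # Without Health check the firewall can't detect failures: every server counts as up.
        return self.up[ip] if self.health_check else True

    def _next_alive_from(self, idx):
        # Walk the list from idx, wrapping around, and return the first available server.
        n = len(self.translated)
        for k in range(n):
            cand = self.translated[(idx + k) % n]
            if self._alive(cand):
                return cand
        return None

    def round_robin(self):
        chosen = self._next_alive_from(self._rr)
        if chosen is not None:
            self._rr = (self.translated.index(chosen) + 1) % len(self.translated)
        return chosen

    def first_alive(self):
        return self._next_alive_from(0)

    def random_server(self):
        alive = [ip for ip in self.translated if self._alive(ip)]
        return random.choice(alive) if alive else None

    def sticky_ip(self, src, orig_dst):
        # Hash the pair, take it modulo the server count, then fall through to the
        # next available server if the selected one is down.
        digest = hashlib.sha256(f"{src}|{orig_dst}".encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % len(self.translated)
        return self._next_alive_from(idx)

    def one_to_one(self, orig_dst):
        if len(self.original) != len(self.translated):
            raise ValueError("One-to-one needs equal original and translated counts")
        return self.translated[self.original.index(orig_dst)]
```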

Loopback rules

You can create loopback rules from destination NAT rules to allow internal hosts to communicate with other internal hosts over the external IP address or the domain name. For example, create a destination NAT rule to translate incoming traffic to your servers and create a loopback rule.

To create a loopback rule, specify the following destination NAT rule criteria:

  • Original source: Any
  • Translated source: MASQ
  • Translated destination: Don't set to original.

Port forwarding

Sophos Firewall implements port forwarding with service translation. Services are a combination of protocols and ports. The translated protocol must match the original protocol.

Sophos Firewall implements one-to-one, many-to-one, and many-to-many translation. For many-to-many translation, the ports for the original and translated services must be equal in number.

Note

The web admin console of Sophos Firewall and the user portal are accessible over HTTPS through the default ports 4444 and 443 respectively. If your public IP addresses are configured with HTTPS port forwarding to internal web servers, go to Administration > Admin settings and specify unused ports for Admin console HTTPS port and User portal HTTPS port. Alternatively, specify a different port for your web servers.
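The service translation rules for port forwarding, plus the admin-port check from the note above, as an added example (not Sophos code). A service is represented here as a constructed (protocol, ports) tuple; the 4444 and 443 defaults come from the note.

```python
def service_translation(original, translated):
    """Build the original-port -> translated-port map for a port forwarding rule.
    Services are (protocol, [ports]) tuples, a format constructed for this example."""
    proto_in, ports_in = original
    proto_out, ports_out = translated
    if proto_in != proto_out:
        # The translated protocol must match the original protocol.
        raise ValueError("translated protocol must match the original protocol")
    if not ports_in or not ports_out:
        raise ValueError("a service needs at least one port")
    if len(ports_out) == 1:
        # One-to-one or many-to-one: every original port lands on the single translated port.
        return {p: ports_out[0] for p in ports_in}
    if len(ports_in) != len(ports_out):
        # Many-to-many pairs ports in list order, so the counts must be equal
        # (one-to-many is not offered, so it fails this check too).
        raise ValueError("many-to-many translation needs equal port counts")
    return dict(zip(ports_in, ports_out))


def admin_port_conflicts(original, admin_https=4444, user_portal_https=443):
    """Original (public-side) ports that collide with the firewall's own HTTPS listeners."""
    _, ports_in = original
    return sorted(p for p in ports_in if p in (admin_https, user_portal_https))
```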