Sophos Firewall: How to DNAT to an internal server

This article explains how you can publish an internal server in the LAN or DMZ, over the Internet with a Sophos XG Firewall.

The following sections are covered:

• How to configure DNAT for an internal server
• Related information
• Feedback and contact

Applies to the following Sophos products and versions Sophos Firewall

Sophos Firewalls allows you to publish your internal servers (the protected servers), located in the LAN or DMZ, over the Internet. Since the internal servers have private IP Addresses assigned to their network segment, it must be translated to the public IP Addresses (The Hosted Servers), which will be the destination IP Addresses for all incoming requests coming over the Internet. Almost all traffic transit rules can be defined using Policies in Sophos Firewalls.

Navigate to Firewall then click +Add Firewall Rule and select Business Application Policy.

Select Application Template and choose DNAT/Full NAT/Load Balancing.

Fill out the settings as shown below:

• Source Zones: WAN
• Allowed Client Networks: Any
• Destination Host/Network: WAN Interface
• Forward Type: Select the port, port range or port list that need to be forward from the WAN to the internal server.
• Protected Servers: Select or create an existing host entry for the server.
• Protected Zone: Select the Zone in which the host resides (LAN or DMZ).
• Change Destination Port(s): Only check this if you wish to change ports like redirecting port 80 to port 9000.
• Rewrite source address (Masquerading): unchecked
• Optional
• Create Reflexive Rule: Check if the server will be initiating outgoing connections.
• Click Save to apply.