Some NAT Rules do not work as of Astaro Security Gateway v7 300

  • Article ID: 115285
  • Updated: 29 May 2012

Some NAT Rules using service definition ANY no longer work as of 7 300

Firewall has DNAT/SNAT rules which specify the "Any" service definition in the Traffic Service field, and also specify something in the Destination Service field. Prior to 7.300, this rule was functioning, but after upgrading to 7.300, the rule is disabled. Re-enabling it fails, and highlights the Traffic Service field.

Applies to the following Sophos Product and version

Sophos UTM Software Appliance

Operating systems


The Any service definition represents any packet, regardless of protocol. When specifying something as a destination service, and Any as the original service, this may be asking the device to translate packets between protocols, which is impossible. For instance, with the example rule below:
Traffic Source: Any Traffic Service: --> Any <-- Traffic Destination: External(Address)   NAT Mode: DNAT  Destination: Internal_Server Destination Service: --> HTTP <--
The above example is only logical for TCP traffic, since the destination service is HTTP.

However, the source section would also apply to ICMP ping packets, and the above rule is asking that they be translated to TCP port 80 packets, which is impossible. 

What to do

If you are specifying "Any" as the destination service, then click the orange recycle box icon to clear that field, and hit save. The rule can now be enabled, and will work as before. If you are specifying a destination port, you must create a new service to replace the use of Any. Service Type: TCP/UDP (Can also be just TCP or UDP if that is all that is needed)

Destination Port:--> 1:65535 <-- Source Port: 1:65535 

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent