When using DNAT, accessing the external address of an internal server from the internal network does not work correctly. In your web browser an error will appear, such as: "Host not found".
Requests coming from external networks work properly.
Known to apply to the following Sophos product(s) and version(s)
This issue occurs as a result of the way NAT translation works on the UTM. When the client makes a request destined for the external address of an internal server, the UTM changes the destination address of the request and then forwards it on to the server's internal address. When the server receives the request, the source is the client's internal address, which it responds to directly. In most network configurations, the response does not pass back through the UTM (it goes directly to the client, through the switch). The source address of the response is the server's internal address, which usually results in a failed connection, because the client receives a response from a different address than it sent the request to (internal, vs external address).
This issue can be resolved in two ways: either by forcing all connections from internal clients to use the internal address of the server instead of the external address (normally by modifying DNS entries), or by creating a Full-NAT rule to translate the source address of the request as well as the destination. This forces the response from the server to go back through the UTM, where it is NAT-translated back so that the response appears to come from the server's external address instead of its internal address.
By setting a static DNS entry in the UTM, all references to the internal server will point to the correct internal address, rather than the server's public address.
Once done, DNS lookups sent to the UTM for the affected hostname will return the server's internal address instead of its external address, and internal clients should be able to connect without issues.
If the UTM is not used as a DNS forwarder, you can either perform steps analogous to the above on your DNS server, or create a Full-NAT rule on the UTM to allow it to forward traffic properly.
Once the rule is active, connections from the affected internal network sent to the server's external address should be forwarded correctly, and the server should be able to respond without issues. The existing DNAT rule will still work for connections coming from external networks.
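To make the asymmetric-return-path problem and both fixes concrete, the following is an added simulation of the packet flow described above; it is illustrative code written for this article, not Sophos UTM code. The UTM is modelled as a minimal stateful NAT box with one DNAT rule for the server, optionally turned into Full-NAT, and the addresses and hostname are constructed RFC 1918 / RFC 5737 examples rather than values from the article.

```python
"""Simulation of the DNAT hairpin failure and the two fixes described above.

All addresses and the hostname are constructed examples; the Utm class is a
simplification of stateful NAT, not a model of any real product's code.
"""
from dataclasses import dataclass

CLIENT     = "192.168.1.50"     # internal client (constructed)
SERVER_INT = "192.168.1.10"     # internal server (constructed)
SERVER_EXT = "203.0.113.10"     # UTM external address DNATed to the server (constructed)
UTM_INT    = "192.168.1.1"      # UTM internal interface (constructed)
HOSTNAME   = "www.example.com"  # public name that resolves to SERVER_EXT (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Utm:
    """Minimal stateful NAT box: a DNAT rule for SERVER_EXT, optionally Full-NAT."""

    def __init__(self, full_nat: bool):
        self.full_nat = full_nat
        self.conntrack = {}  # (expected reply src, expected reply dst) -> original request

    def forward_request(self, pkt: Packet) -> Packet:
        if pkt.dst != SERVER_EXT:
            return pkt  # rule does not match; routed unchanged
        # DNAT rewrites the destination. Full-NAT also rewrites the source so the
        # server's reply is addressed to the UTM rather than directly to the client.
        new_src = UTM_INT if self.full_nat else pkt.src
        out = Packet(new_src, SERVER_INT)
        self.conntrack[(out.dst, out.src)] = pkt
        return out

    def forward_reply(self, pkt: Packet):
        original = self.conntrack.get((pkt.src, pkt.dst))
        if original is None:
            return None  # no matching connection, reply dropped
        # Reverse both translations: the reply now comes from SERVER_EXT.
        return Packet(original.dst, original.src)


def server_respond(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw in the request."""
    return Packet(SERVER_INT, pkt.src)


def deliver_reply(reply: Packet, utm: Utm):
    """Same-subnet replies go straight through the switch; only a reply addressed
    to the UTM's own interface passes back through its NAT tables."""
    if reply.dst == UTM_INT:
        return utm.forward_reply(reply)
    return reply


def client_accepts(request: Packet, reply) -> bool:
    """A client only accepts a reply whose source is the address it sent to."""
    return reply is not None and reply.src == request.dst and reply.dst == request.src


def hairpin_connect(full_nat: bool) -> dict:
    """Internal client connects to the server's external address via the UTM."""
    utm = Utm(full_nat)
    request = Packet(CLIENT, SERVER_EXT)
    reply = deliver_reply(server_respond(utm.forward_request(request)), utm)
    return {"reply_from": None if reply is None else reply.src,
            "accepted": client_accepts(request, reply)}


def resolve(name: str, static_entries: dict) -> str:
    """UTM DNS forwarder: a static entry overrides the public answer."""
    return static_entries.get(name, SERVER_EXT)


def dns_fix_connect() -> dict:
    """With a static DNS entry the client talks to SERVER_INT directly and the
    DNAT rule is never involved."""
    request = Packet(CLIENT, resolve(HOSTNAME, {HOSTNAME: SERVER_INT}))
    reply = server_respond(request)  # same subnet: no UTM in the path
    return {"reply_from": reply.src, "accepted": client_accepts(request, reply)}


if __name__ == "__main__":
    print("DNAT only :", hairpin_connect(full_nat=False))
    print("Full-NAT  :", hairpin_connect(full_nat=True))
    print("Static DNS:", dns_fix_connect())
```

With DNAT only, the reply reaches the client from `192.168.1.10` while the client is waiting for `203.0.113.10`, so the connection fails; with Full-NAT the reply is forced back through the UTM and is un-translated to the external address; with the static DNS entry the external address is never used at all.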