
How do I give a vendor access to internal firewall via one of our public IP addresses?

Greetings!

We have a network at work spanning three buildings. Two buildings with ELANs (recently replaced RED-50s) connect to our main building (hub) with a SG-210 UTM.

I'd like to give a vendor access to an internal firewall in one of the smaller buildings via one of our public IPs.

They need to login periodically to maintain access points and logs.

How do I do this? Use a DNAT? Didn't have any luck today.

I tried a DNAT from one of our public IPs to the firewall's internal IP.

Any help would be greatly appreciated.

  • Hi  

    This DNAT rule looks good to me. Would you please share the screenshot of the service definition if you don't mind? The destination port should not conflict with any of the existing services of UTM i.e. User Portal, WebAdmin, SSL VPN.

    Regards

    Jaydeep

  • The vendor requested TCP and UDP service access. Also ICMP. My thoughts were that if I brought them in with a different public IP than the UTM WAN interface I wouldn't conflict with other services such as my VIPs logging in via Sophos SSL VPN etc.

    If the vendor comes in through one of the other public IPs in our assigned block, shouldn't the UTM check the NATs and let the traffic down the pipe?


  • Hi  

    This should not be the Service definition unless you want to forward all traffic from the Internet that comes on that specific WAN to the Internal Firewall. Please ask your service provider/vendor to provide details of the specific ports they require.

    Regards

    Jaydeep

  • Hi Sean,

    Start by reading #4 and #5 in Rulz (last updated 2019-04-17).  Also, it's "cleaner" to use "Internet IPv4" instead of "Any" in 'For traffic from'.

    That said, if this is just for browser access, the "ideal" solution for this is the HTML5 VPN Portal.  That requires individuals to identify themselves and removes the ability for anyone from anywhere to access the device.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
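The three checks the replies above boil down to (a service definition that lists the vendor's exact TCP/UDP ports rather than "Any", destination ports that do not collide with what the UTM itself answers on, and "Internet IPv4" rather than "Any" as the source) can be expressed as a small pre-flight linter for a DNAT rule. The following is an added example, not code from the thread or from Sophos; the `Service`/`DnatRule` classes, the `lint_dnat` function, the listener ports in `UTM_LISTENERS` and the sample addresses are all constructed for illustration, so compare the listener ports against your own WebAdmin, User Portal and SSL VPN settings before relying on them.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Service:
    """One entry of a UTM-style service definition (hypothetical model)."""
    name: str
    proto: str                       # "tcp", "udp", "icmp" or "any"
    ports: frozenset = frozenset()   # destination ports; empty = all ports


@dataclass
class DnatRule:
    """The fields of a UTM DNAT rule that matter for this check (hypothetical model)."""
    name: str
    source: str        # 'For traffic from', e.g. "Internet IPv4" or "Any"
    public_ip: str     # 'Going to': one of the public IPs in the assigned block
    services: tuple    # 'Using service': a single service or a group of several
    target_ip: str     # 'Change the destination to': the internal firewall


# Constructed example values: ports the UTM itself answers on. The real values
# come from the appliance's WebAdmin, User Portal and SSL VPN settings.
UTM_LISTENERS = (
    Service("WebAdmin", "tcp", frozenset({4444})),
    Service("User Portal", "tcp", frozenset({443})),
    Service("SSL VPN", "tcp", frozenset({443})),
)


def lint_dnat(rule: DnatRule, listeners: Iterable[Service] = UTM_LISTENERS) -> List[str]:
    """Return a list of findings; an empty list means the rule passes all three checks."""
    findings = []

    # Check 3: restrict the source to Internet traffic instead of matching everything.
    if rule.source.strip().lower() == "any":
        findings.append("source is 'Any'; use 'Internet IPv4' so the rule only "
                        "matches traffic arriving from the Internet")

    for svc in rule.services:
        # Check 1: an 'Any' service forwards every protocol and port to the target.
        if svc.proto == "any":
            findings.append(f"service '{svc.name}' matches every protocol and port: all "
                            f"traffic to {rule.public_ip} would be forwarded to {rule.target_ip}")
            continue
        if svc.proto in ("tcp", "udp") and not svc.ports:
            findings.append(f"service '{svc.name}' has no port list, so every "
                            f"{svc.proto.upper()} port is forwarded; ask the vendor for exact ports")
            continue

        # Check 2: the forwarded ports must not collide with the UTM's own services.
        # Deliberately conservative: it flags a clash regardless of which public IP
        # the rule uses, because that is the advice given in the thread.
        for listener in listeners:
            clash = listener.ports & svc.ports
            if listener.proto == svc.proto and clash:
                findings.append(f"service '{svc.name}' uses {svc.proto.upper()} {sorted(clash)} "
                                f"which the UTM's {listener.name} already listens on")
    return findings


def vendor_rule() -> DnatRule:
    """Constructed sample: TCP + UDP + ICMP for the vendor, as requested in the thread."""
    return DnatRule(
        name="vendor-ap-mgmt",
        source="Internet IPv4",
        public_ip="203.0.113.10",          # documentation-range address, constructed
        services=(
            Service("vendor-tcp", "tcp", frozenset({22, 8443})),
            Service("vendor-udp", "udp", frozenset({161})),
            Service("ping", "icmp"),
        ),
        target_ip="10.20.0.1",             # constructed internal firewall address
    )


if __name__ == "__main__":
    for candidate in (
        vendor_rule(),
        DnatRule("vendor-any", "Any", "203.0.113.10", (Service("Any", "any"),), "10.20.0.1"),
    ):
        result = lint_dnat(candidate)
        print(candidate.name, "->", "OK" if not result else "; ".join(result))
```

Running the script lints the well-formed vendor rule (no findings) and then the "Any" rule that forwards the whole public IP, which is the pattern Jaydeep warned about. Replace the constructed ports and addresses with the vendor's actual port list and your own UTM's listener settings to use it as a checklist before creating the rule.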