
DNAT Issue? Can't Replicate VPN Connection.

Hi all,

We're currently in the middle of transferring everything across from our old IPCop server to the Sophos UTM (in the hopes of retiring IPCop). 

I've copied across the DNAT rules (with automatic firewall rules), put in the static routes and have ensured our public-facing router is configured correctly. 

However, we're unable to connect to our customer VPNs. From their perspective, they just need to open up their end to our public-facing router, which is what they've done. But from ours we need to ensure traffic from our UTM is being directed to the correct locations. 

I'm currently testing out one of the VPN connections but none of them are currently working. I've reduced the test to one specific server we often RDP to and have tested it's working on my PC (using the old connection we're trying to replace). On the new connection however, I'm unable to connect to it. I've checked the firewall log and can see the NAT rule I've placed - it shows traffic from the test laptop (which has the UTM set as the default gateway) going to the internal IP address we have for their server (DNS is managed by our Domain Controller). The DNAT rule says any internal traffic (10.1.0.0/21) using Any service going to the internal IP address we have for their server (10.1.130.x) should be changed to an IP on the customer's VPN address (i.e. 192.168.1.x).

We then have a static route saying all traffic for the customer's VPN network is to be routed to our public-facing router. I've then simply added our UTM onto the policies already established so the traffic should be passing from our router into the VPN tunnel. 

The only place I can think it's failing is the DNAT rule. I don't actually see anything in the log file that suggests the IP 10.1.130.x has changed to 192.168.1.x. And once the IP has been changed by the DNAT rule, do I need to do anything else to ensure it is forwarded to our public-facing router (like another firewall rule saying to allow traffic from 192.168.1.x to the public-facing router)? 

Below is a rough networking diagram to show the set-up. 

Any help would be greatly appreciated :) 

Regards,

Rob
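To make the question above concrete, here is an added illustration (not code from the post, from Sophos, or from the UTM itself) of the order of operations Rob is relying on: the DNAT rule rewrites the destination first, and only then is the routing table consulted on the rewritten address, so the static route for the customer's VPN network, not the original 10.1.130.x address, decides where the packet goes. It assumes the netfilter-style ordering (DNAT in PREROUTING before the routing lookup) that Linux-based firewalls use; all addresses, the 10.1.0.254 router and 203.0.113.1 default gateway included, are constructed placeholders. The simulated log line records both the pre-NAT and post-NAT destination, which is the comparison worth making when a firewall log appears to show no translation.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 3389  # RDP, the service the thread is testing with


@dataclass(frozen=True)
class DnatRule:
    src_net: str   # UTM "For traffic from"
    dst_host: str  # UTM "Going to"
    service: str   # UTM "Using service": "any" or "proto/port"
    new_dst: str   # UTM "Change the destination to"


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network
    next_hop: str  # gateway the packet is handed to
    name: str      # label for the simulated log


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Tuple[Packet, Optional[DnatRule]]:
    """Return the (possibly rewritten) packet and the rule that matched, if any."""
    src = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src_net)
                and pkt.dst == rule.dst_host
                and rule.service in ("any", f"{pkt.proto}/{pkt.dport}")):
            return replace(pkt, dst=rule.new_dst), rule
    return pkt, None


def lookup_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and (best is None
                            or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


def forward(rules: List[DnatRule], routes: List[Route], pkt: Packet) -> dict:
    """DNAT first, then route on the translated destination (assumed PREROUTING order)."""
    translated, rule = apply_dnat(rules, pkt)
    route = lookup_route(routes, translated.dst)
    via = route.name if route else "no route"
    return {
        "pre_nat_dst": pkt.dst,
        "post_nat_dst": translated.dst,
        "dnat_applied": rule is not None,
        "next_hop": route.next_hop if route else None,
        "route": via,
        "log": f"src={pkt.src} dst={pkt.dst} -> nat_dst={translated.dst} via={via}",
    }


# Constructed configuration mirroring the thread; addresses are placeholders.
DNAT_RULES = [DnatRule("10.1.0.0/21", "10.1.130.10", "any", "192.168.1.10")]
ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1", "default (WAN)"),
    Route("192.168.1.0/24", "10.1.0.254", "static: customer VPN via public-facing router"),
]

if __name__ == "__main__":
    # First host is inside 10.1.0.0/21 and is translated; the second (10.1.9.7) is
    # outside the rule's source range, so it is not rewritten and falls to the default route.
    for p in (Packet("10.1.2.50", "10.1.130.10"), Packet("10.1.9.7", "10.1.130.10")):
        print(forward(DNAT_RULES, ROUTES, p)["log"])
```

Running the block shows the translated packet leaving via the static route to the public-facing router, while a packet from a source outside the rule's "for traffic from" network keeps its 10.1.130.x destination and takes the default route, which is the kind of silent mismatch (source range, service, or exact destination) that makes a DNAT rule look as though it never fired.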

  • Hi Rob,

    Before reading the complete question, can you please show us screenshots of the DNAT configuration. Also, verify that the traffic reaches the UTM.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    Here's the DNAT screenshot (note: it has been edited to match the IPs of the original post as I didn't feel comfortable posting the true IPs).

    I can confirm the traffic does reach the UTM. 

    I've also run a tracert from the UTM and it seems the DNAT is working (running a tracert to 10.1.130.x). 

  • Hi Rob,

    Unless the traffic reaches the UTM, none of the configuration will work. Check the routing configuration before taking any further steps on the UTM. Alongside, the DNAT configuration is incorrect: in the "For traffic from" it should be ANY or External IP address. In the "Going to" it should be the WAN interface (address), generally External (address).

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
