
problems setting up NAT to be able to access an internal server from the internet

Hi all,

 

I am new to Sophos UTM and I have some problems setting up NAT to be able to access an internal server from the internet.

 

Here is my setup :

 

Internet -> DSL provider Modem -> Sophos UTM -> Layer 2 LAN switch -> Web server

 

DSL Provider Modem :

 

WAN Interface : Internet Public IP : xxx.xxx.xxx.xxx

LAN Interface : 192.168.1.1

Port forwarding from xxx.xxx.xxx.xxx port 2222 to 192.168.1.254 port 2222 (192.168.1.254 is Sophos UTM Eth0 (WAN Interface))

 

Sophos UTM :

 

Eth0 (WAN) : 192.168.1.254

Eth1 (LAN) : 10.10.10.254

NAT Rule : ???

 

Web Server :

 

LAN Interface : 10.10.10.254

Listening on port 22 (SSH)

 

I have tried all kinds of DNAT & Full NAT rules without any success. Is it because my DSL modem is doing port forwarding (same as NAT) and I am trying to do NAT again on the Sophos UTM?

When I do an SSH using Putty on xxx.xxx.xxx.xxx:2222 I never get an answer.

When I do a port scan on my public IP xxx.xxx.xxx.xxx the port is not open.

 

Any help would be very appreciated.

Thank you all in advance for your support

 

Alain.



  • Hello Alain,

     

    You need to have.

     

    DNAT: Source WAN, Service 22 Destination WAN Interfaces

    You need to either create an automatic or manual firewall rule for this.

    If you have another device in front of it, you need to configure that device as well; depending on the configuration, you need to be sure the traffic arrives at the UTM.

    I would recommend not using one of the well-known ports like 22 for this, because in my experience you get a ton of requests from the WAN side on 22.

     

    Regards

    Jason

    Sophos Certified Architect - UTM

  • Hello Jason,

     

    Thanks a lot for your reply.

    However there is something I don't understand in your reply.

    You say I need to have DNAT: Source WAN, Service 22 Destination WAN Interfaces.

    This is my setup :

     

     

    In my setup I have incoming packets from the public IP on port 2222 that are forwarded in my DSL provider modem to the WAN interface (192.168.1.254) of the UTM also on port 2222.

    So my logic was to have this on the UTM :

     

    DNAT matching condition :

    For traffic from : any

    Using service : tcp/2222

    Going to : UTM WAN Interface (192.168.1.254)

     

    Action :

    Change the destination to : 10.10.10.250 (my web server)

    And the service to : tcp/22

     

    "Automatic firewall rule" option: checked

     

  • Hi Alain and welcome to the UTM Community!

    Please show a picture of the Edit of one of the NAT rules that's not working.  Also, confirm that the host object for the new destination doesn't violate #3 in Rulz.

    You will be much better off if you can bridge the ISP's modem so that you can get a public IP on the UTM and won't have to fight the modem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you Bob.

    My ISP is only giving me 1 DHCP public IP changing every 5 days, so I need to connect the UTM behind the ISPs modem.

    Here is a picture of the DNAT rule :

    And the definition of the destination object (my L2 switch)

    And the definition of the services :

    Definition of my WAN interface (Eth0) :

    Definition of my LAN interface (Eth1) which is the default GW of my L2 switch:

    I also have a masquerading rule on my LAN interface LAN2 :

  • Bob,

     

    If I look at the live logs, I can see that the packets are dropped by the UTM:

    This means my ISP modem is doing his job and forwarding the packets to the UTM on port 2222.

  • Bob,

     

    I have found the issue.

     

    I found this in the firewall logs :

     

    2018:11:02-14:56:59 chauvaux_fw ulogd[13445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="c4:ea:1d:e8:77:30" dstmac="00:0e:c4:d5:7c:fb" srcip="37.185.131.252" dstip="192.168.1.254" proto="6" length="60" tos="0x18" prec="0x20" ttl="249" srcport="14700" dstport="2222" tcpflags="SYN" 
    2018:11:02-14:57:02 chauvaux_fw ulogd[13445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="c4:ea:1d:e8:77:30" dstmac="00:0e:c4:d5:7c:fb" srcip="37.185.131.252" dstip="192.168.1.254" proto="6" length="60" tos="0x18" prec="0x20" ttl="249" srcport="14700" dstport="2222" tcpflags="SYN" 
    2018:11:02-14:57:05 chauvaux_fw ulogd[13445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="c4:ea:1d:e8:77:30" dstmac="00:0e:c4:d5:7c:fb" srcip="37.185.131.252" dstip="192.168.1.254" proto="6" length="48" tos="0x18" prec="0x20" ttl="249" srcport="14700" dstport="2222" tcpflags="SYN" 



    I then changed my service definition from :



    To :


    Because the originating port on the client computer accessing my L2 switch in the LAN from the internet is generated randomly and is not 2222.

    Now it is working fine :

    2018:11:02-15:10:20 chauvaux_fw ulogd[13445]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000003" initf="eth0" outitf="eth1" srcmac="c4:ea:1d:e8:77:30" dstmac="00:0e:c4:d5:7c:fb" srcip="37.185.131.252" dstip="10.10.10.250" proto="6" length="60" tos="0x18" prec="0x20" ttl="248" srcport="15076" dstport="22" tcpflags="SYN" 
    2018:11:02-15:11:00 chauvaux_fw ulogd[13445]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="eth0" srcmac="c4:ea:1d:e8:77:30" dstmac="00:0e:c4:d5:7c:fb" srcip="37.185.131.252" dstip="192.168.1.254" proto="6" length="60" tos="0x18" prec="0x20" ttl="249" srcport="15082" dstport="2222" tcpflags="SYN" 



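    The root cause above was a service definition whose source port was pinned to 2222, so the rule could never match a client whose ephemeral source port is chosen at random. The following is an added example, not code from the thread or from Sophos: it parses the ulogd key="value" log lines quoted above and checks them against a small model of a UTM-style service object (protocol, source port range, destination port range). The two service definitions in it are assumptions reconstructed from Alain's description, since the screenshots of the actual objects are not on the page; the line from a second client (203.0.113.77) is constructed to show that every client arrives with a different source port.

```python
"""Added example (not from the thread or Sophos): parse ulogd packetfilter
lines and test them against a UTM-style service definition, to show why a
service with source port 2222 never matches inbound SYNs while 1:65535 does."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the dropped, accepted and logged SYNs quoted in the thread
# (trimmed to the fields used here) plus one constructed line from a second
# client, to show that the source port is picked by the client, not by us.
SAMPLE_LOG = [
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="37.185.131.252" '
    'dstip="192.168.1.254" proto="6" srcport="14700" dstport="2222" tcpflags="SYN"',
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="37.185.131.252" '
    'dstip="192.168.1.254" proto="6" srcport="14700" dstport="2222" tcpflags="SYN"',
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="37.185.131.252" '
    'dstip="192.168.1.254" proto="6" srcport="14700" dstport="2222" tcpflags="SYN"',
    # constructed: a second client, different ephemeral source port
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.77" '
    'dstip="192.168.1.254" proto="6" srcport="51234" dstport="2222" tcpflags="SYN"',
    # after the fix: post-DNAT accept (destination rewritten to the server, port 22)
    'name="Packet accepted" action="accept" fwrule="3000000003" initf="eth0" outitf="eth1" '
    'srcip="37.185.131.252" dstip="10.10.10.250" proto="6" srcport="15076" dstport="22" tcpflags="SYN"',
    # after the fix: pre-DNAT log entry for the same flow type
    'name="Packet logged" action="log" fwrule="62001" initf="eth0" srcip="37.185.131.252" '
    'dstip="192.168.1.254" proto="6" srcport="15082" dstport="2222" tcpflags="SYN"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def parse_ulogd(line: str) -> dict[str, str]:
    """Turn one key="value" ulogd line into a dict of strings."""
    return dict(KV_RE.findall(line))


@dataclass(frozen=True)
class Service:
    """UTM-style service object: protocol plus inclusive source/destination port ranges."""
    proto: str
    src_ports: tuple[int, int]
    dst_ports: tuple[int, int]

    def matches(self, rec: dict[str, str]) -> bool:
        if PROTO_NAMES.get(rec.get("proto", "")) != self.proto:
            return False
        sp, dp = int(rec["srcport"]), int(rec["dstport"])
        return (self.src_ports[0] <= sp <= self.src_ports[1]
                and self.dst_ports[0] <= dp <= self.dst_ports[1])


# Assumed shapes of the broken and the fixed definition (not the page's screenshots):
# the broken one also pins the client's source port to 2222.
WRONG_SERVICE = Service("tcp", (2222, 2222), (2222, 2222))
FIXED_SERVICE = Service("tcp", (1, 65535), (2222, 2222))


def inbound_to_wan(records, wan_ip: str, wan_if: str = "eth0"):
    """Pre-DNAT view: packets that entered on the WAN interface addressed to its own IP."""
    return [r for r in records if r.get("initf") == wan_if and r.get("dstip") == wan_ip]


def count_matching(svc: Service, records) -> int:
    return sum(1 for r in records if svc.matches(r))


def source_ports(records) -> set[int]:
    """Distinct client source ports seen; these are ephemeral and chosen by the client."""
    return {int(r["srcport"]) for r in records}


def diagnose(lines, wan_ip: str, lan_if: str = "eth1") -> dict:
    """Summarise a batch of ulogd lines the way you would when debugging a DNAT rule."""
    recs = [parse_ulogd(l) for l in lines]
    pre = inbound_to_wan(recs, wan_ip)
    return {
        "inbound": len(pre),
        "dropped": sum(1 for r in pre if r.get("action") == "drop"),
        "wrong_service_hits": count_matching(WRONG_SERVICE, pre),
        "fixed_service_hits": count_matching(FIXED_SERVICE, pre),
        "source_ports": sorted(source_ports(pre)),
        "forwarded_to_lan": sum(1 for r in recs
                                if r.get("action") == "accept" and r.get("outitf") == lan_if),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.168.1.254"))
```

    Run it as-is and the summary shows every inbound SYN missing the pinned-source-port service and matching the 1:65535 one; the single accepted line is the post-DNAT record (dstip is the server, dstport 22), which is why you should filter on the WAN address when counting drops.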
  • Precisely, Alain!  As I read through your configurations, I saw that you had incorrect source ports.  Your instinct to check the firewall log was correct.  You might check #2 in Rulz for other tips on future problem solving in UTM.

    Cheers - Bob
