
Sophos - Stop internal back routing

Hello, 

we are using a Sophos SG 230 in our datacenter. We have around 50 different networks connected (most of them via VLAN), and also a few external addresses that are NATed to internal DMZ servers.

The problem I'm facing is the following... Let's say we have a client subnet, 192.168.0.0/24, and a DMZ subnet, 192.168.150.0/24. There is an FTP server with 192.168.150.10 as its IP address and a client with IP address 192.168.0.30. There is also an external IP address, let's say 1.2.3.4 for example. There is a DNAT rule (anything to 1.2.3.4 is changed to 192.168.150.10) and there is also a masquerading rule (192.168.150.10 always uses 1.2.3.4 towards the internet).

If I try to access the FTP server via the external address from my internal client, I can see in the logfile that the server tries to answer internally:

1. Establishing an FTP connection from 192.168.0.30 to 1.2.3.4

2. Connection comes up, login successful

3. 192.168.150.10 tries to send the passive port range to 192.168.0.30 and fails because of firewall rules

This happens not only with FTP connections, but also with every other connection. In the past, I helped myself by adding a SNAT rule, but I think this can't be the final solution. We have around 100 public IP addresses; I can't add a SNAT rule for every single network that tries to access one of these public IP addresses.

Does anyone have a solution to this? I want the SG to treat my "internal client" just like a generic client from the internet.

Greetings
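The situation in the post is the classic hairpin (NAT reflection) problem: after the DNAT the DMZ server still sees the client's real 192.168.0.30 and answers it directly, so the traffic is judged as DMZ-to-LAN instead of internet-to-DMZ. The following model is an added example written for this page; it is not Sophos code and does not reproduce the SG's configuration, it follows generic netfilter-style conntrack semantics. It pushes packets through a small stateful DNAT/SNAT pipeline once with only the rules from the post and once with a single extra source-NAT rule that fires only on connections that were DNATed and came from inside. Addresses 192.168.0.30, 192.168.150.10 and 1.2.3.4 are from the post; the firewall's DMZ-side address 192.168.150.1, the additional client networks and the extra public IPs are constructed for the demo.

```python
"""Model of a stateful DNAT/SNAT pipeline illustrating hairpin NAT.
Added example, not Sophos code.  Addresses from the post; FW_DMZ_ADDR,
the extra networks and the extra public IPs are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


FW_DMZ_ADDR = "192.168.150.1"                  # assumed: firewall's address in the DMZ VLAN
INTERNAL = [ip_network("192.168.0.0/24"),      # client VLAN from the post
            ip_network("192.168.1.0/24"),      # constructed: another client VLAN
            ip_network("192.168.150.0/24")]    # DMZ from the post
DNAT = {"1.2.3.4": "192.168.150.10",           # from the post
        "1.2.3.5": "192.168.150.11",           # constructed extra public IPs
        "1.2.3.6": "192.168.150.12"}


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


class Firewall:
    """hairpin=False: only the DNAT rule from the post.
    hairpin=True:  one extra POSTROUTING rule: if the connection was DNATed
    and its source is internal, rewrite the source to the firewall's DMZ
    address.  That single rule is keyed on the connection state, not on a
    (source network, public IP) pair, so it covers every DNAT target."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.ct = {}   # conntrack: original 4-tuple -> translated 4-tuple (what the server sees)

    def forward(self, p: Pkt):
        """Push one packet through the firewall; returns (delivered packet, ct state)."""
        # Reply direction: the server answers the translated tuple, reversed.
        for orig, xlat in self.ct.items():
            if (p.src, p.sport, p.dst, p.dport) == (xlat.dst, xlat.dport, xlat.src, xlat.sport):
                # Undo both translations so the client sees 1.2.3.4 answering.
                return Pkt(orig.dst, orig.dport, orig.src, orig.sport), "ESTABLISHED"
        # New connection: PREROUTING DNAT (public IP -> DMZ host).
        dnated = p.dst in DNAT
        dst = DNAT.get(p.dst, p.dst)
        src = p.src
        # POSTROUTING: hairpin SNAT, only for DNATed flows that came from inside.
        if self.hairpin and dnated and is_internal(p.src):
            src = FW_DMZ_ADDR
        xlat = Pkt(src, p.sport, dst, p.dport)
        self.ct[p] = xlat
        return xlat, "NEW"


def session(fw: Firewall, client: str, public_ip: str, dport: int = 21):
    """Client opens a connection to a public IP and the DMZ server answers.
    Returns (source address the server sees, reply as delivered to the client)."""
    out, state = fw.forward(Pkt(client, 40000, public_ip, dport))
    assert state == "NEW"
    server = out.dst
    # The server's reply goes to whatever source it saw; the firewall reverses it.
    reply, state = fw.forward(Pkt(server, dport, out.src, out.sport))
    assert state == "ESTABLISHED"
    return out.src, reply


if __name__ == "__main__":
    for hairpin in (False, True):
        seen, reply = session(Firewall(hairpin), "192.168.0.30", "1.2.3.4")
        print(f"hairpin={hairpin}: server sees {seen}; "
              f"client receives reply from {reply.src}:{reply.sport}")
```

Without the hairpin rule the server sees 192.168.0.30 and any packet it originates towards the client is a new DMZ-to-LAN flow, which is exactly what the log in the post shows being blocked. With it, every internal source behind every public IP is presented to the server as 192.168.150.1, which is the "treat my internal client like an internet client" behaviour asked for, at the cost of the server no longer logging the real client address. On a plain netfilter host the equivalent single rule is `iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -s 192.168.0.0/16 -j MASQUERADE`; how that maps onto the SG's NAT configuration is not something this example claims. The alternative that avoids NAT entirely is split DNS, so internal clients resolve the hostname to 192.168.150.10 directly.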


