Access to Internal Web Server

I have an internal web server that I can access from the internal network with no problems, but am getting a request timeout from outside of the network.

I have a DNAT rule set up to allow connections from a handful of IP addresses from HTTP service and forward them to the web server.

I can see that the traffic is getting through the UTM (reviewing the Firewall log) and being directed to the web server, but I still get a timeout error.

I have turned off the firewall on the web server (Win 2016 running IIS).

Wireshark on the web server reveals that the packets reach the web server, but then go into a re-transmission loop.

Can anyone shed some light on what's happening?

Thanks, SO MUCH!

  • Hi,

    first I would check the default gateway at the web server.

  • In reply to dirkkotte:

    Hey - thanks for your reply!

    The default gateway is correct -- and a tracert to the external IP from which I'm trying to reach the web server completes with no issue.

  • In reply to Deb Smith1:

    Possibly the web server doesn't answer external IPs.

    You may use Webserver Protection to publish the server, or Full NAT (like DNAT, but it replaces the source IP with the Sophos internal interface IP).

  • In reply to Deb Smith1:

    Hi Deb and welcome to the UTM Community!

    I bet Dirk nailed it.

    Cheers - Bob

  • In reply to BAlfson:

    First - let me say that this community is TERRIFIC!

    I tried to set up a full NAT rule as follows:

    Traffic from: <the external IP I'm using for testing>

    Using Service: Any

    Going to: WAN (address)

    Change destination to: Web Server

    And the Service to: <blank -- since I'm coming in via web service (port 80) I didn't think I had to set this>

    Change the source to: Internal (Address)

    And the service to: <blank>

    I also checked automatic firewall rule.

    Now I can see in Wireshark the traffic receiving the packet from the internal address and sending it back to the internal address, but I still get a timeout error on the website.

    I know I'm missing something simple!

    Here's the thing: I only want to allow connections from a few IP addresses, or I'd set up the Webserver Protection.

    Any other thoughts?

  • In reply to Deb Smith1:

    If you check out #2 in Rulz (last updated 2019-04-17), you'll see that DNATs come before proxies like the WAF.  Go ahead and configure WAF and then create the following two NAT rules in order:

    1. NoNAT : {a few IP addresses} -> HTTP -> WAN (Address)
    2. DNAT : Internet -> HTTP -> (WAN Address) : to {}

    The select IPs will be excepted from the DNAT and will pass through to Webserver Protection.

    There's still something else going on, but I don't understand where you're seeing the timeout and what that message looks like.

    Cheers - Bob
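    To make the two NAT ideas in this thread concrete (Dirk's Full NAT, which rewrites the source to the UTM's internal interface so the server never has to reply to an external IP, and Bob's point that a NoNAT rule must sit before the DNAT so the selected IPs fall through to Webserver Protection), here is a toy first-match NAT table. This is an added, constructed example, not Sophos UTM code; all addresses (WAN 203.0.113.10, internal interface 192.168.1.1, web server 192.168.1.50, the allowed client IPs) and the `Packet`/`Rule` helpers are assumptions made for illustration.

```python
"""Toy first-match NAT table modelling DNAT, Full NAT and NoNAT ordering.
Constructed illustration for the thread above; not the UTM's real rule engine."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Constructed example addresses (assumptions, not values from the thread).
WAN_ADDR = "203.0.113.10"       # UTM external (WAN) interface
INTERNAL_ADDR = "192.168.1.1"   # UTM internal interface
WEB_SERVER = "192.168.1.50"     # internal IIS host
ALLOWED_SOURCES = ["198.51.100.7", "198.51.100.8"]  # "a few IP addresses"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


@dataclass
class Rule:
    kind: str                       # "NoNAT", "DNAT" or "FullNAT"
    sources: Union[str, List[str]]  # "any" (Internet) or a list of hosts/CIDRs
    dport: int                      # matched service (80 = HTTP)
    dst: str                        # matched destination (the WAN address)
    new_dst: Optional[str] = None   # DNAT/FullNAT: rewritten destination
    new_src: Optional[str] = None   # FullNAT only: rewritten source

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.dst or pkt.dport != self.dport:
            return False
        if self.sources == "any":
            return True
        return any(ip_address(pkt.src) in ip_network(n) for n in self.sources)


def apply_nat(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Evaluate rules top-down; the first match wins.
    Returns the kind of rule applied and the (possibly rewritten) packet.
    A NoNAT match leaves the packet untouched, so it continues to the WAF."""
    for r in rules:
        if r.matches(pkt):
            if r.kind == "NoNAT":
                return "NoNAT", pkt
            out = replace(pkt, dst=r.new_dst)
            if r.kind == "FullNAT":
                # Server now sees the UTM's internal IP as the client, so its
                # reply is addressed to a LAN host and must come back via the UTM.
                out = replace(out, src=r.new_src)
            return r.kind, out
    return "none", pkt


def bob_rules() -> List[Rule]:
    """The two rules from the reply above, in the order given there:
    1. NoNAT : {a few IP addresses} -> HTTP -> WAN (Address)
    2. DNAT  : Internet -> HTTP -> WAN (Address) : to web server"""
    return [
        Rule("NoNAT", ALLOWED_SOURCES, 80, WAN_ADDR),
        Rule("DNAT", "any", 80, WAN_ADDR, new_dst=WEB_SERVER),
    ]


def full_nat_rule() -> Rule:
    """Dirk's suggestion: DNAT plus source rewrite to the internal interface."""
    return Rule("FullNAT", ALLOWED_SOURCES, 80, WAN_ADDR,
                new_dst=WEB_SERVER, new_src=INTERNAL_ADDR)


if __name__ == "__main__":
    allowed = Packet("198.51.100.7", WAN_ADDR, 80)
    other = Packet("192.0.2.99", WAN_ADDR, 80)
    print("ordered  :", apply_nat(bob_rules(), allowed))           # NoNAT -> WAF
    print("ordered  :", apply_nat(bob_rules(), other))             # DNAT to server
    print("reversed :", apply_nat(bob_rules()[::-1], allowed))     # wrong: DNAT
    print("full NAT :", apply_nat([full_nat_rule()], allowed))     # src = UTM LAN IP
```

    Running it shows why order matters: with the NoNAT first, the selected client IPs bypass the DNAT and reach Webserver Protection, while everyone else is DNATed straight to the server; with the order reversed, the DNAT swallows the selected IPs too. The Full NAT case shows the server receiving a packet whose source is the UTM's internal address, which is what sidesteps a server that will not answer external IPs.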

  • In reply to BAlfson:

    First: thank you to everyone who suggested remedies for this issue.

    Second: I wanted to post the resolution: the ISP was blocking port 80, despite the fact that the client had business-level service. Once port 80 was opened, all was good using just the DNAT setup.

    I have to say that I was so focused on seeing some traffic get through the firewall that I didn't even think (initially) to verify that port 80 was open. Apparently "blocking port 80" really means destroying enough of the packet that the web server can't / won't reply.

    Again - thanks to all who replied.