I have an internal web server that I can access from the internal network with no problems, but am getting a request timeout from outside of the network.
I have a DNAT rule set up to allow connections from a handful of IP addresses from HTTP service and forward them to the web server.
I can see that the traffic is getting through the UTM (reviewing the Firewall log) and being directed to the web server, but I still get a timeout error.
I have turned off the firewall on the web server (Win 2016 running IIS).
Wireshark on the web server reveals that the packets reach the web server, but then go into a re-transmission loop.
Can anyone shed some light on what's happening?
Thanks, SO MUCH!
First I would check the default gateway at the webserver.
In reply to dirkkotte:
Hey - thanks for your reply!
The default gateway is correct -- and a tracert to the external IP from which I'm trying to reach the web server completes with no issue.
In reply to Deb Smith1:
Possibly the WebServer doesn't answer to external IPs.
You may use webserver-protection to publish the server or FULL-NAT (like DNAT, but it replaces the source IP with the Sophos internal interface IP).
Hi Deb and welcome to the UTM Community!
I bet Dirk nailed it.
Cheers - Bob
In reply to BAlfson:
First - let me say that this community is TERRIFIC!
I tried to set up a full NAT rule as follows:
Traffic from: <the external IP I'm using for testing>
Using Service: Any
Going to: WAN (address)
Change destination to: Web Server
And the Service to: <blank -- since I'm coming in via web service (port 80) I didn't think I had to set this>
Change the source to: Internal (Address)
And the service to: <blank>
I also checked automatic firewall rule.
Now in Wireshark I can see the server receive the packet from the internal address and send the reply back to the internal address, but I still get a timeout error on the website.
I know I'm missing something simple!
Here's the thing: I only want to allow connections from a few IP addresses, or I'd set up the Webserver protection.
Any other thoughts?
If you check out #2 in Rulz (last updated 2019-04-17), you'll see that DNATs come before proxies like the WAF. Go ahead and configure WAF and then create the following two NAT rules in order:
The select IPs will be excepted from the DNAT and will pass through to Webserver Protection.
There's still something else going on, but I don't understand where you're seeing the timeout and what that message looks like.
First: thank you to everyone who suggested remedies for this issue.
Second: I wanted to post the resolution: the ISP was blocking port 80, despite the fact that the client had business level service. Once port 80 was opened, all was good using just the DNAT setup.
I have to say that I was so focused on seeing some traffic get through the firewall that I didn't even think (initially) to verify that port 80 was open. Apparently "blocking port 80" really means destroying enough of the packet that the web server can't / won't reply.
Again - thanks to all who replied.
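As an added illustration (not code from the thread or from Sophos), a small Python classifier for Wireshark-style packet summaries captured on the web server. It separates the pattern the original post describes, SYN-ACKs leaving the server but never acknowledged so the server keeps retransmitting them (a broken return path, which is what an upstream block on port 80 looks like from the server), from a handshake that completes and from a SYN the server never answers. The server address, the peer addresses and the packet list are all constructed; with a FULL-NAT rule in place the peer seen here would be the UTM's internal interface address rather than the external client.

```python
from collections import defaultdict
SERVER = "10.0.0.5"  # the web server's internal address (assumed for this example)

def tcp_flows(packets, server=SERVER, port=80):
    """Group packet summaries into flows keyed by the peer's (ip, port)."""
    flows = defaultdict(list)
    for p in packets:
        if p["dst"] == server and p["dport"] == port:
            flows[(p["src"], p["sport"])].append(p)
        elif p["src"] == server and p["sport"] == port:
            flows[(p["dst"], p["dport"])].append(p)
    return flows

def classify_handshakes(packets, server=SERVER, port=80):
    """Return {peer: (label, synack_retransmissions)} for every flow that begins
    with a SYN. Packets are dicts: src, sport, dst, dport, flags ("S"/"SA"/"A").
    handshake-complete: SYN, SYN-ACK and the peer's ACK all seen.
    syn-ack-unanswered: server replied but its SYN-ACK was re-sent and never ACKed,
      so the return path to the peer is broken (the thread's re-transmission loop).
    syn-unanswered: SYN arrived but the server never replied; look at the host."""
    result = {}
    for peer, pkts in tcp_flows(packets, server, port).items():
        syn = any(p["src"] != server and p["flags"] == "S" for p in pkts)
        synacks = [p for p in pkts if p["src"] == server and p["flags"] == "SA"]
        ack = any(p["src"] != server and p["flags"] == "A" for p in pkts)
        if not syn:
            continue  # mid-stream packets only; the handshake is not in this capture
        if synacks and ack:
            label = "handshake-complete"
        elif synacks:
            label = "syn-ack-unanswered"
        else:
            label = "syn-unanswered"
        result[peer] = (label, max(len(synacks) - 1, 0))
    return result

# Constructed packet summaries (not a real capture): an external client whose SYN-ACKs
# never come back, an internal client that completes the handshake, and one unanswered SYN.
def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

SAMPLE = [
    pkt("203.0.113.10", 40001, SERVER, 80, "S"),
    pkt(SERVER, 80, "203.0.113.10", 40001, "SA"),
    pkt(SERVER, 80, "203.0.113.10", 40001, "SA"),  # retransmitted SYN-ACK
    pkt(SERVER, 80, "203.0.113.10", 40001, "SA"),  # retransmitted again
    pkt("192.168.1.20", 50000, SERVER, 80, "S"),
    pkt(SERVER, 80, "192.168.1.20", 50000, "SA"),
    pkt("192.168.1.20", 50000, SERVER, 80, "A"),
    pkt("198.51.100.7", 41000, SERVER, 80, "S"),
]
```

Running `classify_handshakes(SAMPLE)` labels the external client as `syn-ack-unanswered` with 2 retransmissions, which is the signature to look for before spending time on the DNAT rule itself.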