
DNS not working on UTM 9 on AWS

Hello,

I have set up a UTM 9 appliance in my AWS VPC with SSL remote access. VPN access is working fine, but my AWS DNS times out when I connect over VPN. It does show the AWS DNS, but it does not resolve anything. I have already added the AWS DNS under Remote Access >> Advanced >> DNS Server (10.3.0.2) and the other options as well, but I get a timeout when connected over VPN, as follows. I have the exact same UTM configured this way and it works fine.

 

C:\Users\vneb>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 10.3.0.2

 

Can anyone suggest what could be wrong? I'm fine to give more info as required.



  • Hi Vibhor,

    Create a NAT rule under Network Protection > NAT > NAT tab that SNATs the SSL VPN Pool to the AWS interface IP of the UTM. My limited understanding of AWS is that there are a whole raft of routing tables on the AWS virtual switch, which means that unless you've configured those, they route off into the ether.

    So your SNAT rule would look like this:

    • Source: SSL VPN Pool
    • Service: Any
    • Destination: Any IPV4
    • Change Source to: Interface IP of UTM
    • Automatic Firewall rule: Yes

    Because the AWS switch knows where the UTM is but not where your SSL VPN pool is, the routing will then go back to the UTM. Whereas currently what's happening is that your traffic is going onto the AWS switch, but the return traffic goes down the default gateway path, which is not the UTM.

    I did that for my AWS UTM and it was all good, hope that works for you too!

    Emile
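The return-path problem Emile describes can be made concrete with a small model of the VPC route table and the NAT rule. This is an added example, not code from the thread or from Sophos: it simulates a VPC route table (implicit "local" route for the VPC CIDR plus a default route to the Internet gateway) and follows one DNS query from a VPN client to the 10.3.0.2 resolver, with and without the masquerade rule. The VPC CIDR, the UTM's VPC-side address and the SSL VPN pool (UTM's default 10.242.2.0/24) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addresses for illustration. Only 10.3.0.2 (the VPC resolver) comes
# from the thread; the VPC CIDR, the UTM's VPC address and the SSL VPN pool
# are assumptions.
VPC_CIDR = ipaddress.ip_network("10.3.0.0/16")
UTM_VPC_IP = ipaddress.ip_address("10.3.0.10")
AWS_DNS = ipaddress.ip_address("10.3.0.2")
VPN_POOL = ipaddress.ip_network("10.242.2.0/24")
CLIENT = ipaddress.ip_address("10.242.2.6")

# The VPC route table as AWS evaluates it: the implicit "local" route for the
# VPC CIDR plus a default route to the Internet gateway. Nothing in it says
# where the VPN pool lives, so a reply addressed to a pool address falls
# through to the default route and never comes back to the UTM.
VPC_ROUTES = [
    (VPC_CIDR, "local"),
    (ipaddress.ip_network("0.0.0.0/0"), "igw"),
]


def lookup(routes, dst):
    """Longest-prefix match, as a VPC route table does it."""
    best = None
    for net, target in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1]


def dns_roundtrip(masquerade):
    """Send one DNS query from the VPN client and follow the reply.

    Returns (route target the VPC picks for the reply, address the reply
    finally reaches, or None if it left the VPC).
    """
    conntrack = {}                      # (translated src, dst) -> original src
    src, dst = CLIENT, AWS_DNS

    # Masquerade/SNAT rule "VPN Pool (SSL) -> External": rewrite the source to
    # the UTM's own VPC-side address and remember the original for the reply.
    if masquerade and src in VPN_POOL:
        conntrack[(UTM_VPC_IP, dst)] = src
        src = UTM_VPC_IP

    # The resolver answers to whatever source address it saw in the query.
    reply_src, reply_dst = dst, src
    hop = lookup(VPC_ROUTES, reply_dst)
    if hop != "local":
        return hop, None                # headed for the IGW; client times out

    # Back at the UTM: reverse the translation so the reply reaches the client.
    original = conntrack.get((reply_dst, reply_src))
    return hop, (original if original is not None else reply_dst)


if __name__ == "__main__":
    print("without masquerade:", dns_roundtrip(False))
    print("with masquerade:   ", dns_roundtrip(True))
```

Without the rule the reply to 10.242.2.6 matches only 0.0.0.0/0 and leaves via the Internet gateway, which is exactly the "DNS request timed out" the original poster sees; with the rule the reply is addressed to the UTM's own VPC address, matches the local route, and the UTM reverses the translation. The same reasoning applies to any destination inside the VPC, not just the resolver.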

  • Hello,

    Thanks for the reply. I already had an SNAT rule as follows:

    1. Rule Type: SNAT (source)
    2. For Traffic: Internet IPv4
    3. Using Service: Any
    4. Going to: Internal Subnet (VPC Internal Subnet)

    Action

    Change the source to: Internal Address
    Add the service to: blank
    Automatic Firewall rule: checked on

    But it didn't work.

    And I did create another SNAT rule as you mentioned, with SSL VPN Pool as source and IPv4 as destination, but it didn't help; it's still the same, nslookup is still behaving the same and timing out:

    C:\Users\vneb>nslookup
    DNS request timed out.
    timeout was 2 seconds.
    Default Server: UnKnown
    Address: 10.3.0.2

  • Hi, Vibhor, and welcome to the UTM Community!

    Please show a picture of the Edit of the NAT rule suggested by Emile that did not work.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Attached are the screenshots of the Firewall rules and NAT rules. Let me know in case more info is required.

    Thanks.

  • NAT #1 will have no effect and nothing like it is necessary.

    NAT #2 is what you want, but with a source translation of "External (Address)."  Instead of this SNAT, you could use a Masquerading rule: VPN Pool (SSL) -> External.

    Firewall rules #2 and #4 will have no effect and can be deleted.  If you selected 'Automatic firewall rules' in the SSL VPN Profile, #6 is redundant, otherwise, it's just what you need.

    If you still aren't getting the result you want, insert pictures of "Remote Access >> Advanced" and of 'Allowed Networks' in 'Network Services >> DNS'.

    Cheers - Bob

  • Thanks Bob,

    It worked. I was using a Masquerading rule earlier but with a different subnet, and the moment I changed it to VPN Pool (SSL) it started working.

    And as you said, I have removed Firewall rules #2 & #4 and have turned off the NAT rules as well, and DNS on Remote Access is working fine.

    And I have my DNS already listed in the Remote Access >> Advanced tab and the Internal Subnet in 'Allowed Networks' in 'Network Services >> DNS'.

    Just one more question: is it possible to have reverse DNS enabled from UTM or not?

    Thanks a lot. :)

  • You might be interested in DNS Best Practice.  #3 through #5 in Rulz cover issues that often relate to routing problems.

    Cheers - Bob

  • Hi Bob,

    I just noticed that DNS has started working, but my instances are not able to connect to the internet via NAT and are unable to download patches since I made the modifications. Earlier NAT was working but DNS was not; now DNS is working but NAT has stopped working :(

    Thanks,

  • Try #1 in the Rulz link in my last post, Vibhor.  I bet you will see the issue in the Firewall Live Log, though.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to the problem you observe.

    Cheers - Bob

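Bob's advice is to find the line in the full Firewall log that corresponds to the failing connection. As an added example (not part of the thread and not Sophos code), here is a small parser that runs over constructed log lines and pulls out the two things this thread cares about: dropped DNS packets coming from the SSL VPN pool, and a count of drops per incoming interface and firewall rule, which is the quick way to see which rule started eating the instances' outbound traffic after the NAT changes. The key="value" layout follows the UTM packetfilter log as I know it, but the exact field names, the rule numbers and the 10.242.2.0/24 pool are assumptions; adapt the keys to a real line from your own log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the key="value" style of the UTM packetfilter log.
# Field names, rule numbers and addresses are assumed for illustration only.
SAMPLE_LOG = """\
2016:03:01-10:15:01 utm ulogd[2301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="tun0" srcip="10.242.2.6" dstip="10.3.0.2" proto="17" srcport="52110" dstport="53"
2016:03:01-10:15:03 utm ulogd[2301]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="tun0" srcip="10.242.2.6" dstip="10.3.0.5" proto="6" srcport="52111" dstport="22"
2016:03:01-10:15:05 utm ulogd[2301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.3.0.20" dstip="203.0.113.7" proto="6" srcport="40001" dstport="443"
"""

# One key="value" pair; values in this log never contain a double quote.
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one log line into a dict of its key="value" fields plus the timestamp."""
    head, _, rest = line.partition(": ")          # "<timestamp> <host> ulogd[pid]: ..."
    fields = dict(KV.findall(rest))
    fields["timestamp"] = head.split(" ", 1)[0]
    return fields


def _records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def find_dns_drops(log_text, vpn_pool):
    """Dropped packets from the VPN pool headed for port 53: the symptom in the thread."""
    pool = ipaddress.ip_network(vpn_pool)
    hits = []
    for f in _records(log_text):
        if f.get("action") != "drop" or f.get("dstport") != "53":
            continue
        if "srcip" in f and ipaddress.ip_address(f["srcip"]) in pool:
            hits.append(f)
    return hits


def drops_by_interface_and_rule(log_text):
    """Count drops per (incoming interface, firewall rule) to spot which rule is
    blocking a whole class of traffic, e.g. the instances' egress after a NAT change."""
    counts = Counter()
    for f in _records(log_text):
        if f.get("action") == "drop":
            counts[(f.get("initf"), f.get("fwrule"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_dns_drops(SAMPLE_LOG, "10.242.2.0/24"):
        print(hit["timestamp"], hit["initf"], hit["srcip"], "->", hit["dstip"],
              "dropped by rule", hit["fwrule"])
    print(drops_by_interface_and_rule(SAMPLE_LOG))
```

Feed it the lines from the full log file rather than the Live Log view, since the Live Log abbreviates fields; the interface (initf) and rule number (fwrule) on a matching drop line are what tell you whether the packet arrived on the VPN tunnel or the VPC side, and which rule rejected it.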