Port forwarding on some ports just not working XG135W

I have a customer with an XG135W SFOS 17.0.6 MR-6 and they need port forwarding set up.

Very simple, in fact it couldn't be more simple. Port 4235 needs to go to one of their servers.

So far:

Checked on the internal LAN that the port is open on the receiving machine - telnet 192.168.x.x 4235. Connection is fine.

But from an external address it does not reply to telnet <WAN IP> 4235

If I get rid of the mapped service and set that to ANY, I can make this telnet connection.

Also, if I search my logs for any connections to 4235 it finds nothing, so troubleshooting is impossible.

Set up DNAT rule.

Source Zone: WAN (also tried ANY)

Allowed Client Networks: ANY

Blocked Client Networks: None

Destination Host: WAN PORT

Services: TCP Source 4235, Destination 4235

Forward to

Protected Server: Internal server IP

Protected Zone: LAN

Change Destination: unticked

Advanced:

IP: None

TS: None

No Restrictions

Unticked Rewrite source address, Create Reflexive rule

Log Traffic Ticked.

-----------------------------------------------

I've been on this for hours, and frankly am starting to look useless in front of my client and this really should be a five minute job (Cisco Accredited engineer). I was thinking of moving my customers to Sophos but on what I've seen so far it's overcomplicated and buggy. Have also replicated the same problem on a spare XG210 I have in the office.

I'd really appreciate some quick help with this this morning.

  • This is solved through Sophos Support and I shall update this case in the hope it saves someone else the waste of time I've had.

    In the Service that I set up for the port 4235.

    Source Port is *

    Destination Port is 4235

    This seems completely wrong to me, but that's how it works.

    Hope that helps.
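
Added example, not part of the original thread and not Sophos code: a TCP client picks an ephemeral source port for each connection, so a service object that pins the source port to 4235 does not match the external telnet test, while one that leaves the source port open does. The `Service` class, its names and the sample port pairs are constructed for illustration, and the loopback listener uses an OS-assigned port as a stand-in for 4235.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A TCP service object: inclusive (low, high) source and destination port ranges."""
    name: str
    src: tuple
    dst: tuple

    def matches(self, src_port, dst_port):
        return (self.src[0] <= src_port <= self.src[1]
                and self.dst[0] <= dst_port <= self.dst[1])


# Hypothetical names; the port values are the two definitions from the thread.
# (1, 65535) is this example's stand-in for the "*" source port in the fix.
AS_POSTED = Service("tcp-4235-as-posted", (4235, 4235), (4235, 4235))
AS_FIXED = Service("tcp-4235-fixed", (1, 65535), (4235, 4235))

# Constructed (source port, destination port) pairs, not captured traffic.
SAMPLE = [(51514, 4235), (49822, 4235), (4235, 4235), (51514, 4236)]


def observe_source_port():
    """Make a real loopback TCP connection; return (client source port, listener port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # OS-assigned port stands in for 4235
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port), timeout=5):
            conn, peer = srv.accept()
            conn.close()
            return peer[1], port


def evaluate(packets):
    """Return (src, dst, matches AS_POSTED, matches AS_FIXED) for each pair."""
    return [(s, d, AS_POSTED.matches(s, d), AS_FIXED.matches(s, d))
            for s, d in packets]


if __name__ == "__main__":
    src, dst = observe_source_port()
    print(f"client chose source port {src} to reach listener port {dst}")
    for row in evaluate(SAMPLE):
        print(row)
```

Only the constructed pair whose source port happens to be 4235 matches the definition as posted; every pair with destination 4235 matches the corrected one, and the pair aimed at 4236 matches neither.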

  • In reply to Neil Lough:

    This Sir has been a GOD SEND!... I am just testing out SOPHOS and have encountered many ISSUES with SIMPLE configuration requests and shitty documentation.
    I agree with your premise that his setup makes no sense, but when has that ever stopped anyone.

    Thank you again!