I have gotten to the point of actually posting for help. I am new to this but I assure you I have read multiple documents, posts and watched videos. Still I am so stuck.
Here it goes:
Sophos XG current build
Port 1 LAN 192.168.1.254/255.255.255.0
Port 2 WAN MY IP/255.255.255.224
Port 3 DMZ 192.168.2.254/255.255.255.0
Internal network works fine. Completely connected and monitoring.
As naked as can be to eliminate any rule conflicts.
Have a Windows Server 2019 connected to a switch and the switch is connected to port 3
DMZ Firewall Rule- DMZ Source: ANY Zone/Host Destination: DMZ/Any Host
Rewrite MASQ (192.168.2.254)
Primary Gateway DHCP Port 2
The rules check out in Policy Testing as accepted.
The server has no internet connection. I am able to access the 'localhost' on this server and the website pulls up fine. Firewall/anti virus OFF.
192.168.1.0/255.255.255.0 Port 1
192.168.2.0/255.255.255.0 Port 2
Network-DNS-DNS Host Entry
My Domain Name 192.168.2.1
www.my domain 192.168.2.1
DNS -Request Route-Target
My Web Server
192.168.2.1 Port 80
My Domain A is set to my IP address.
This is the current set up. If I ping My Domain I get 'Pinging 192.168.2.1 Reply from 192.168.2.254 Destination not reachable' from a computer on the LAN...currently
Ping from offsite computer I get: Pinging 'MY IP Address Request Timed Out'
This has to be easy for someone out there!
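A small triage script, added here as an example and not part of the original post, that applies the two checks a reader would do by hand against the configuration above: does the server's address (192.168.2.1) actually sit inside the DMZ subnet behind Port 3 rather than colliding with the firewall's own interface IP, and what does each ping result imply? The interface list and the Windows-style ping lines are constructed from the thread's description; the /24 masks and the interface labels are assumptions taken from the post. A reply from the gateway saying "Destination host unreachable" means the packet was routed as far as the DMZ segment but nothing on that segment answered for 192.168.2.1, which points at the server's own addressing rather than at firewall rules.

```python
"""Triage helper for a 'DMZ server unreachable' report on an XG-style firewall.

Added example; the values below are constructed from the thread, not taken
from any device output.
"""
import ipaddress
import re

# Constructed from the thread: LAN on Port 1, DMZ on Port 3, both /24 (assumed).
INTERFACES = {
    "Port1 (LAN)": "192.168.1.254/24",
    "Port3 (DMZ)": "192.168.2.254/24",
}


def locate_host(ip, interfaces=INTERFACES):
    """Return (interface_name, note) for the subnet that contains `ip`.

    `note` is None when the address looks usable for a host on that segment,
    otherwise a short hint about why it is not.
    """
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr == iface.ip:
            return name, "address collides with the firewall's own interface IP"
        if addr in iface.network:
            net = iface.network
            if addr in (net.network_address, net.broadcast_address):
                return name, "network or broadcast address, not assignable to a host"
            return name, None
    return None, "not inside any directly connected subnet"


# Windows ping reply line, e.g. "Reply from 192.168.2.254: Destination host unreachable."
PING_REPLY = re.compile(r"Reply from (\d+\.\d+\.\d+\.\d+): (.+?)\.?$")


def classify_ping_line(line, target, interfaces=INTERFACES):
    """Explain one line of Windows ping output for a ping aimed at `target`."""
    line = line.strip()
    if line.startswith("Request timed out"):
        return "no reply at all: traffic is dropped somewhere or never forwarded"
    m = PING_REPLY.match(line)
    if not m:
        return "unrecognised line"
    responder, detail = m.group(1), m.group(2)
    if responder == target:
        if detail.startswith("bytes="):
            return "target answered: reachable"
        return f"target answered with '{detail}'"
    gateway_ips = {str(ipaddress.ip_interface(c).ip) for c in interfaces.values()}
    if responder in gateway_ips and "unreachable" in detail.lower():
        return ("firewall answered for the target: routing reached the DMZ segment, "
                "but no host claims the target IP (check the server's address, "
                "DHCP lease and ARP before touching firewall rules)")
    return f"reply came from {responder}, not the target"


if __name__ == "__main__":
    server = "192.168.2.1"
    print("server placement:", locate_host(server))
    # Constructed sample lines in the shape Windows ping prints them.
    samples = [
        "Reply from 192.168.2.254: Destination host unreachable.",
        "Request timed out.",
        "Reply from 192.168.2.1: bytes=32 time<1ms TTL=128",
    ]
    for s in samples:
        print(f"{s!r} -> {classify_ping_line(s, server)}")
```

Run it as-is to see the verdict for the thread's two reported results (gateway "unreachable" from the LAN, timeout from offsite); swap in your own interface list and pasted ping output to reuse it elsewhere.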
For the server in the DMZ zone, create a DMZ to WAN rule with NAT enabled.
For the DNS, make sure your PCs are using XG as the DNS server, or that there is conditional forwarding from your internal DNS server to XG.
In reply to lferrara:
That was Fast!
Added the DMZ To WAN as mentioned. No change for connection to the server. Pings are the same. The server has nothing running for DNS. I gathered that XG would handle that so it was removed.
Failed to mention in the first post that I had this rule for WAN:
In reply to JAGER:
You do not need the static routes, as routes for the interfaces configured on XG are added automatically.
For an Any to DMZ rule, you do not need NAT enabled.
Removed the static routing and made the change removing the NAT from the rule but nothing flowing yet:
Use packet capture or tcpdump and post the output here
Couple different captures. Redacted is MY IP:
Working on a proper tcpdump... not sure what switches to use, so I am researching.
Did a port scan and the only open port is 443 for the client access. All else, blocked.
Did a tcpdump for port 3 and got nothing.
Tcpdump port 80 Red redacted MY IP:
Is this helpful?
Looking around further brings up another question that may relate to my issue. My IPv4 and gateway IP are slightly different. I assigned the website name to the IPv4 as this is what I thought was my IP address. Wouldn't I want to send traffic to the gateway IP so it routes properly?
Jager, can you clarify?
Also, can you upload a network map with ports, ips and default gateways?
It is usually something simple:
This issue was resolved by adding a DHCP server for the DMZ.