DMZ Hell

Hi All,

I have gotten to the point of actually posting for help. I am new to this, but I assure you I have read multiple documents and posts and watched videos. Still, I am so stuck.

Here it goes:

Sophos XG current build

Configure-Network

Port 1 LAN 192.168.1.254/255.255.255.0

Port 2 WAN  MY IP/255.255.255.224

Port 3 DMZ 192.168.2.254/255.255.255.0

Internal network works fine. Completely connected and monitoring.

As naked as can be to eliminate any rule conflicts.

Have a Windows Server 2019 connected to a switch, and the switch is connected to port 3.

DMZ Firewall Rule - DMZ   Source: ANY Zone/Host   Destination: DMZ/Any Host
    Rewrite MASQ (192.168.2.254)
    Primary Gateway DHCP Port 2

The rules check out in Policy Testing as accepted.

The server has no internet connection. I am able to access 'localhost' on this server and the website pulls up fine. Firewall/antivirus OFF.

Configure-Routing

192.168.1.0/255.255.255.0 Port 1

192.168.2.0/255.255.255.0 Port 2

Network-DNS-DNS Host Entry

My Domain Name 192.168.2.1

www.my domain 192.168.2.1

DNS -Request Route-Target

My Web Server

WEB SERVER

192.168.2.1 Port 80

My Domain A record is set to my IP address.

This is the current set up. If I ping My Domain from a computer on the LAN I currently get 'Pinging 192.168.2.1 Reply from 192.168.2.254 Destination not reachable'.

Pinging from an offsite computer I get: 'Pinging MY IP Address: Request Timed Out'.

This has to be easy for someone out there!

  • For the server in the DMZ zone, create a DMZ to WAN rule with NAT enabled.

    For the DNS, make sure your PCs are using XG as the DNS server or that there is conditional forwarding from your internal DNS server to XG.

    Regards

  • In reply to lferrara:

    That was fast!

    Added the DMZ to WAN rule as mentioned. No change for connection to the server. Pings are the same. The server has nothing running for DNS. I gathered that XG would handle that, so it was removed.

    Failed to mention in the first post that I had this rule for WAN:

  • In reply to JAGER:

    Jager,

    You do not need the static routes, as routes for the interfaces configured on XG are added automatically.

    For an ANY to DMZ rule, you do not need NAT enabled.

  • In reply to lferrara:

    Removed the static routing and made the change removing the NAT from the rule, but nothing flowing yet:

  • In reply to JAGER:

    Use packet capture or tcpdump and post the output here

  • In reply to lferrara:

    Couple of different captures. Redacted is MY IP:

    Working on a proper tcpdump... not sure what switches to use, so I am researching.

    Did a port scan and the only open port is 443 for the client access. All else blocked.

  • In reply to JAGER:

    Did a tcpdump for port 3 and got nothing.

    tcpdump on port 80; red is my redacted IP:

    Is this helpful?

  • In reply to JAGER:

    Looking around further brings up another question that may relate to my issue. My IPv4 address and gateway IP are slightly different. I assigned the website name to the IPv4 address, as this is what I thought was my IP address. Wouldn't I want to send traffic to the gateway IP so it routes properly?

  • In reply to JAGER:

    Jager, can you clarify?

    Also, can you upload a network map with ports, ips and default gateways?

    Thanks

  • In reply to lferrara:

    It's usually something simple:

    This issue was resolved by adding a DHCP server for the DMZ.
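Two of the problems raised in this thread (a static route for a directly connected subnet that points at the wrong port, and a DMZ host whose addressing never lined up with the XG's DMZ interface) can be caught before touching the firewall with a small consistency check. This is an added example, not code from the thread or from Sophos; the data structures, the interface/route lists and the WAN address are assumptions built from the first post.

```python
import ipaddress
from typing import NamedTuple


class Interface(NamedTuple):
    port: str
    zone: str
    cidr: str  # address/prefix as typed on the XG, e.g. "192.168.1.254/24"


class StaticRoute(NamedTuple):
    network: str
    port: str


# Constructed from the first post; the WAN address is a documentation-range placeholder.
INTERFACES = [
    Interface("Port 1", "LAN", "192.168.1.254/24"),
    Interface("Port 2", "WAN", "203.0.113.10/27"),  # placeholder for "MY IP"
    Interface("Port 3", "DMZ", "192.168.2.254/24"),
]
STATIC_ROUTES = [
    StaticRoute("192.168.1.0/24", "Port 1"),
    StaticRoute("192.168.2.0/24", "Port 2"),  # the DMZ subnet sent out the WAN port
]


def connected_networks(interfaces):
    """Map each directly connected subnet to the port that owns it."""
    return {ipaddress.ip_interface(i.cidr).network: i.port for i in interfaces}


def check_static_routes(interfaces, routes):
    """Flag static routes that duplicate or contradict a connected route."""
    connected = connected_networks(interfaces)
    findings = []
    for r in routes:
        net = ipaddress.ip_network(r.network)
        if net not in connected:
            continue  # a genuine remote network; nothing to flag here
        if connected[net] == r.port:
            findings.append(f"redundant: {net} is already connected on {r.port}")
        else:
            findings.append(f"conflict: {net} is connected on {connected[net]} but routed via {r.port}")
    return findings


def expected_gateway(interfaces, host):
    """Gateway a host should use (and DHCP should hand out): the XG address on its subnet."""
    ip = ipaddress.ip_address(host)
    for i in interfaces:
        iface = ipaddress.ip_interface(i.cidr)
        if ip in iface.network:
            return i.zone, str(iface.ip)
    return None  # host address is in no configured subnet
```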