Sophos XG v17 DNAT and Port Forward issue

I have just migrated from the Sophos SG series and I'm trying to replicate some of the WAF rules/DNAT, but I am having an issue with forwarding http/https to an internal port.

Basically I have a web server running on port 4477 internally. I am trying to redirect http/https traffic with DNAT to the internal server on port 4477.

I created an alias interface on the WAN port with the external IP for the web server. I then created a Business Application Rule with source zones as LAN and WAN, ANY Client networks, nothing blocked.

The destination Host/Network is the #Port2:0-1.1.1.1 (the external IP that I assigned as an alias interface). For Services I currently have HTTP selected.

Under Forward To, Protected Server(s) is the internal Web Server with Protected Zone as LAN. I selected "Change Destination Port" and put 4477 in the Mapped Port.

I have not configured any Advanced settings.

When I connect internally, I get the IIS Windows Server splash page, and when I connect externally, I can't get the page to load at all.

Any help is appreciated.

  • Hi,

    Can you give us some screenshots of the Alias, Business Policy Rule and maybe the tcpdump?

    Cheers

    __________________________________________________________________________________________________________________

  • Here are the screenshots of the configs:

    Firewall DNAT Settings

    Web Server Settings

    Interface Alias (which currently has the external IP in a different subnet, but I tried both the correct subnet and a /32 with the same results)

  • Matt2017,

    the Alias IP must be in the same subnet. Also, try to create a different firewall rule, one for LAN to WAN and another one from WAN to LAN. On the port, you need to select the WAN IP, and on the server the internal IP and not the public IP as you obfuscated it.

    Regards

  • FormerMember in reply to Matt2017

    Hi,

    I would request you to check one small thing regarding this issue.

    As it's working internally, can you please check whether the gateway IP address of that internal web server is the XG firewall's IP address?

    If not, then in that DNAT rule, please navigate to 'Advanced Settings > Routing', enable 'Masquerading' with 'Default MASQ', enable 'Create Reflexive Rule' and try again.

    Please give the above steps a try, as they might help you.

    Also, confirm in "Diagnostics > Packet Capture" whether your request packets are reaching the firewall.

    If not, then please check with your ISP that the inbound HTTP/HTTPS ports are allowed and not blocked by them.

    Cheers J

  • I changed the alias to the correct subnet now, no change. Also, on the alias port it is the external IP for that web server. The internal web server is also pointing to the internal private IP with the port that it runs on (4477).

    I'm not sure I understand what you mean by creating two firewall rules though.

    Are you saying create a firewall DNAT rule with Source Zone LAN and the destination Host/Network would be the private IP of the web server, and another rule with Source Zone WAN and Destination Host/Network the public IP on the alias interface with Services HTTP/HTTPS, to then Forward to Protected Server and have the internal IP/web server selected? Do I need to have anything in the "Mapped Port" section if I already configured the Web Server to have the port of 4477?

  • This should be the issue.

    On UTM you "should" use /32 for Alias Interface, but on XG, they won't work.

    Cheers

    __________________________________________________________________________________________________________________

  • Unfortunately, it is not working internally. I get the Windows IIS splash page as if it is not port forwarding correctly. I thought the reflexive rule was if the web server was going to initiate outbound connections?

  • FormerMember in reply to Matt2017

    Hi,

    If it's not working internally, then I don't think it would work externally. I would request you to troubleshoot and make it work internally, and then try it externally with just Masquerading enabled. Also, confirm in "Diagnostics > Packet Capture" whether your request packets are reaching the firewall.

    Yes, the Reflexive rule is used if the web server is going to initiate the outbound connections. You can keep it disabled if you are not going to initiate the outbound connections from the server.

    Cheers J

  • When I say not working internally, I mean relatively not working. If I go to my web server (e.g. my.webserver.com:4477) I can get to it just fine, minus the certificate issue (with the firewall DNAT in place).

    Previously on my SG I had a Real Webserver which was the internal server on port 4477. I used the WAF Virtual Webserver to port forward. How do I do this on the XG?

  • FormerMember in reply to Matt2017

    Hi,

    So, when you are trying to access the web server on XG's public IP address from an internal machine and it's not working, that's what you meant, correct? (e.g. http://XG_Public_IP from the internal network)

    I mean indirectly, either from LAN or WAN through XG's DNAT, it's not working, correct?

    If so, then in the DNAT I would advise enabling Masquerading, which will make it Full-NAT; it might start working after that.

    The main reason for enabling MASQ on XG is that XG applies stateful inspection on internal traffic too, so it might be possible that, when you are accessing it from the internal network, it is getting dropped due to an 'Asymmetric Routing' scenario.

    Regarding WAF, please refer to the Sophos Firewall: WAF configuration guide. I think the Real Webserver on UTM is the 'Web server' on XG as shown in this referred article. There you may set port 4477 in the web server config and try. And in the actual WAF rule the "Listening Port" should be the port entered in "Virtual Webserver" of UTM.

    Cheers.
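The asymmetric-routing failure that the last reply describes is easier to see in a small model than in screenshots. The following is an added illustration, not code from this thread or from Sophos: a toy stateful firewall that applies the DNAT rule (public IP 1.1.1.1:80 to an internal web server on 4477, as in the thread) with and without masquerading, and a server whose reply either passes back through the firewall or bypasses it. The firewall LAN IP 10.0.0.1, web server 10.0.0.5, internal client 10.0.0.20 and external client 203.0.113.7 are constructed addresses; the "other gateway" path stands in for a server whose default gateway is not the XG.

```python
"""Toy model of a DNAT port-forward with and without masquerading (Full-NAT).

Added illustration, not taken from the thread or from Sophos. Addresses are
constructed: only 1.1.1.1 and port 4477 come from the discussion.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "1.1.1.1"      # WAN alias IP from the thread
FW_LAN_IP = "10.0.0.1"     # assumed firewall LAN address
WEB_SERVER = "10.0.0.5"    # assumed internal web server
WEB_PORT = 4477            # internal listening port from the thread
LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed LAN subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Stateful DNAT: public_ip:80 -> web_server:4477, optional SNAT to the LAN IP."""

    def __init__(self, masquerade: bool):
        self.masquerade = masquerade
        # conntrack entry: translated 4-tuple (as the server sees it) -> original request
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """Translate a client request that hits the DNAT rule and record state."""
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:
            new_src = FW_LAN_IP if self.masquerade else pkt.src
            out = Packet(new_src, pkt.sport, WEB_SERVER, WEB_PORT)
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return pkt

    def reply(self, pkt: Packet):
        """Reverse-translate a server reply; no matching state means it is dropped."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(pkt: Packet) -> Packet:
    """The web server answers whatever source address it saw on the request."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def next_hop_from_server(pkt: Packet, server_gateway_is_firewall: bool) -> str:
    """Routing decision on the server: same-subnet hosts are reached directly,
    everything else goes to the default gateway."""
    if pkt.dst == FW_LAN_IP:
        return "firewall"
    if ipaddress.ip_address(pkt.dst) in LAN:
        return "direct"
    return "firewall" if server_gateway_is_firewall else "other_gateway"


def simulate(client_ip: str, masquerade: bool, server_gateway_is_firewall: bool) -> bool:
    """True when the client receives a reply that matches its own connection."""
    fw = Firewall(masquerade)
    request = Packet(client_ip, 40000, PUBLIC_IP, 80)
    reply = server_reply(fw.forward(request))
    hop = next_hop_from_server(reply, server_gateway_is_firewall)
    if hop == "other_gateway":
        return False  # the reply leaves via a router that holds no NAT state
    if hop == "firewall":
        reply = fw.reply(reply)
        if reply is None:
            return False
    # "direct": the untranslated reply reaches the client and must match what it sent
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        PUBLIC_IP, 80, request.src, request.sport)


if __name__ == "__main__":
    for client in ("10.0.0.20", "203.0.113.7"):
        for masq in (False, True):
            for gw in (True, False):
                print(f"client={client:12} masq={masq!s:5} gw_is_fw={gw!s:5} "
                      f"-> {'OK' if simulate(client, masq, gw) else 'FAIL'}")
```

The internal client without masquerading fails even though the server's gateway is the XG: the server sees the request from 10.0.0.20, answers it directly on the LAN, and the client receives a reply from 10.0.0.5:4477 for a connection it opened to 1.1.1.1:80. With masquerading the server only ever sees the firewall's LAN IP, so the reply is forced back through the conntrack table and is reverse-translated. The external client case shows the other half of the reply's advice: with a default gateway that is not the firewall, only masquerading keeps the return path symmetric.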