Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 39 subscribers
  • Views 21652 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG v17 DNAT and Port Forward issue

Matt2017

I have just migrated from the Sophos SG series and I'm trying to replicate some of the WAF rules/DNAT, but i am having an issue with forwarding to internal port from http/https.

Basically I have a web server running on port 4477 internally. I am trying to redirect http/https traffic with DNAT to the internal server on port 4477.

I created an alias interface on the WAN port with the external IP for the web server. I then created a Business Application Rule with source zones as LAN and WAN, ANY Client networks, nothing blocked.

The destination Host/Network is the #Port2:0-1.1.1.1 (The external IP that I assigned as an alias interface). For services I have currently have http selected.

Under Forward To, Protected Server(s) is the internal Web Server with Protected Zone as LAN. I selected "Change Destination Port" and put 4477 in the Mapped Port.

I have not configured any Advanced settings.

 

When I connect internally, I get the IIS windows Server splash page, and when i connect externally, I can't get the page to load at all. 

Any help is appreciated.



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

     

    can you give us some screenshots of the Alias, Business Policy Rule and maybe the tcpdump?

     

    Cheers

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Firewall DNAT Settings

    Web Server Settings

    Interface Alias (Which current has the External IP in a different Subnet, but I tried both the correct subnet and a /32 with the same results)

     

    Here are the screen shots of the configs

  • 0 in reply to Matt2017

    Matt2017,

    the Alis IP must be in the same subnet. Also, try to create a different firewall rule, one for LAN to WAN and another one from WAN TO LAN. On the port, you need to select the WAN IP and on the server the internal IP and not public IP as you obfuscated it.

    Regards

  • FormerMember
    0 FormerMember in reply to Matt2017

    Hi,

    I would request you to check one small thing regarding this issue.

    As it's working internally, can you please check whether -- " Is the Gateway IP address of that Internal Web server to be the XG firewall's IP address? ".

    If not, then in that DNAT rule, please navigate to 'Advanced Settings > Routing' and " Enable 'Masquerading' with 'Default MASQ' " and " Enable Create Reflexive Rule " & try again.

    Please just give a try with above steps as it might help you.

    Also, confirm in the "Diagnostics > Packet Capture" that your request packets are reaching the firewall or not.

    If not, then please check with ISP that the Inbound HTTP/HTTPS ports are allowed and not blocked by them.

    Cheers J

  • 0 in reply to lferrara

    I changed the alias to the correct subnet now, no change. Also, on the alias port it is the external IP for that webserver. The internal webserver is also pointing to the internal private IP with the port that it runs off (4477). 

    I'm not sure I understand what you mean by creating two firewall rules though.

    Are you saying create a firewall DNAT rule with Source Zone LAN and the destination Host/Network would be the private IP of the web server and another rule that would be with Source Zone WAN and Destination Host/Network the public IP on the alias interface with Services HTTP/HTTPS to then Forward to Protected Server and have the internal IP/Web server selected? Do i need to have anything in the "Mapped Port" section if I already configured the Web Server to have the port of 4477?

  • 0 in reply to lferrara

    This should be the issue.

    On UTM you "should" use /32 for Alias Interface but on XG, they won´t work.

     

    Cheers

    __________________________________________________________________________________________________________________

Reply Children
No Data
Unfiltered HTML