
Full NAT for device accessed via VPN Site-to Site

Hello people,
 
I created an incoming firewall rule, Full NAT, forwarding traffic arriving on TCP port 37777 on a public IP alias to a DVR device that is in a branch office, connected to the main office via IPsec VPN site-to-site with Sophos XG and pfSense. The VPN tunnel is online and the computers that are on the pfSense network browse the internet passing through the tunnel, exiting the Sophos XG WAN.
 
The Full NAT rule is not working, packets are not arriving at the DVR equipment that is at the branch office.
 
Does anyone have any ideas?



  • Hi  

    Please make sure that the DVR IP address is added in the Remote Subnet of the XG IPsec configuration and in the Local Subnet of the pfSense IPsec configuration.

    VPN to LAN and LAN to VPN

    WAN to VPN and VPN to WAN firewall rules should be configured 

    Please verify with the packet capture - https://community.sophos.com/kb/en-us/123189

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Yes, the networks are declared in the tunnel, local and remote network at each end.


    For example, the computers on both networks communicate with each other and the computers on the pfSense network are able to browse the internet, passing through the tunnel, arriving at the XG WAN interface.

  • Hi  

    Thank you for the information. Could you please use the packet capture and capture the traffic for the DVR IP using the string "host <DVR IP address>"? Please initiate the traffic and see if the traffic is being sent out through the IPsec tunnel or not.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • In addition:

    A tcpdump output from the console or advanced shell.

    Thanks

    I used tcpdump. It seems to me that the packets are being forwarded in the correct way; even so, the DVR does not respond. Maybe it is turned off, or it does not have the gateway configured correctly to be able to answer requests. I will ask customer support to check it out.

    Below is the result of tcpdump; what do you think?


    05:19:36.944039 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2034, length 40
    05:19:41.651678 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2035, length 40
    05:19:46.650094 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2036, length 40
    05:19:51.664565 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2037, length 40
    05:19:56.663421 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2038, length 40
    05:20:01.662290 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2039, length 40
    05:20:06.662012 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2040, length 40
    05:20:11.660749 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2041, length 40
    05:20:16.659018 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2042, length 40
    05:20:21.655925 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2043, length 40
    05:20:26.656046 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2044, length 40
    05:20:31.654816 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2045, length 40
    05:20:32.127968 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:33.140875 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:35.147356 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:36.658909 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2046, length 40
    05:20:39.155631 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:41.663703 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2047, length 40
    05:20:46.663806 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2048, length 40
    05:20:47.158784 Port7, OUT: IP My public ip here at work.65484 > DVR LAN IP.37777: Flags , seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:51.654851 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2049, length 40
    05:20:53.165413 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:54.174684 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:56.181022 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:20:56.659622 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2050, length 40
    05:21:00.193390 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:01.665507 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2051, length 40
    05:21:06.664653 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2052, length 40
    05:21:08.195919 Port2, OUT: IP My public ip here at work.65486 > DVR LAN IP.37777: Flags , seq 4261367662, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:11.662344 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2053, length 40
    05:21:14.209219 Port7, OUT: IP My public ip here at work.65488 > DVR LAN IP.37777: Flags , seq 1435340121, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:15.220604 Port7, OUT: IP My public ip here at work.65488 > DVR LAN IP.37777: Flags , seq 1435340121, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    05:21:16.658735 Port7, OUT: IP My public ip here at work > DVR LAN IP: ICMP echo request, id 60417, seq 2054, length 40
    05:21:17.233365 Port7, OUT: IP My public ip here at work.65488 > DVR LAN IP.37777: Flags , seq 1435340121, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

  • Correct!

    Traffic from XG is forwarded to the DVR device but it never gets back. Check the default gateway on the DVR device.

    Alternatively, try to ping a device on the same LAN where the DVR is placed and check if you get a ping reply.

    Using traceroute on the remote PC is possible. This sort of command is not available, most of the time, on DVR devices.

    Regards
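The diagnosis above rests on one observation in the capture: every packet is an echo request or a SYN leaving the XG, and nothing ever comes back. The following added example (not code from the thread, from Sophos or from any poster) automates that reading of an SFOS console tcpdump: it parses lines of the form shown above ("<time> <Port>, <IN|OUT>: IP <src> > <dst>: ..."), groups packets into flows regardless of direction, and reports flows seen from only one side, which is what a missing return route (such as a wrong default gateway on the DVR) looks like in a capture. The sample capture is constructed: 203.0.113.10 stands for the public IP and 192.168.50.0/24 for the DVR LAN; the last two lines model the suggested control test, a ping to another host on the DVR LAN that does reply.

```python
"""Added example: find one-way flows in a Sophos XG (SFOS) console tcpdump capture.

Not code from the thread or from Sophos. Parses lines shaped like
"<time> <Port>, <IN|OUT>: IP <src> > <dst>: <rest>" and reports flows with
no return traffic. Addresses in SAMPLE_CAPTURE are constructed
(203.0.113.10 = public IP, 192.168.50.0/24 = DVR LAN).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$"
)
ICMP_RE = re.compile(r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+)")

Endpoint = Tuple[str, str]             # (host, port); port is '' for ICMP
Flow = Tuple[str, Endpoint, Endpoint]  # (proto, lower endpoint, higher endpoint)

# Constructed capture modelled on the one posted in the thread.
SAMPLE_CAPTURE = """\
05:19:36.944039 Port7, OUT: IP 203.0.113.10 > 192.168.50.20: ICMP echo request, id 60417, seq 2034, length 40
05:19:41.651678 Port7, OUT: IP 203.0.113.10 > 192.168.50.20: ICMP echo request, id 60417, seq 2035, length 40
05:20:32.127968 Port7, OUT: IP 203.0.113.10.65484 > 192.168.50.20.37777: Flags [S], seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
05:20:33.140875 Port7, OUT: IP 203.0.113.10.65484 > 192.168.50.20.37777: Flags [S], seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
05:20:35.147356 Port7, OUT: IP 203.0.113.10.65484 > 192.168.50.20.37777: Flags [S], seq 1367773775, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
05:20:40.000000 Port7, OUT: IP 203.0.113.10 > 192.168.50.1: ICMP echo request, id 60418, seq 1, length 40
05:20:40.012345 Port7, IN: IP 192.168.50.1 > 203.0.113.10: ICMP echo reply, id 60418, seq 1, length 40
"""


def split_host_port(token: str) -> Endpoint:
    """'203.0.113.10.65484' -> ('203.0.113.10', '65484'); a bare IPv4 gets port ''."""
    host, _, port = token.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, port
    return token, ""


def flow_key(proto: str, a: Endpoint, b: Endpoint) -> Flow:
    """Direction-independent key so a request and its reply land on the same flow."""
    lo, hi = sorted((a, b))
    return proto, lo, hi


def count_by_sender(lines: Iterable[str]) -> Dict[Flow, Dict[Endpoint, int]]:
    """Per flow, count packets by the endpoint that sent them."""
    flows: Dict[Flow, Dict[Endpoint, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a format this parser does not handle
        rest = m["rest"]
        icmp = ICMP_RE.search(rest)
        if icmp:
            # Echo request and reply share the id, so the flow is keyed on it.
            proto = f"icmp-echo/id={icmp['id']}"
            src, dst = (m["src"], ""), (m["dst"], "")
        elif rest.startswith("Flags"):
            proto = "tcp"
            src, dst = split_host_port(m["src"]), split_host_port(m["dst"])
        else:
            continue  # UDP, ARP, etc. are out of scope here
        flows[flow_key(proto, src, dst)][src] += 1
    return flows


def fmt(ep: Endpoint) -> str:
    return f"{ep[0]}.{ep[1]}" if ep[1] else ep[0]


def one_way_flows(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (proto, sender, receiver, packets) for flows with no return traffic."""
    result = []
    for (proto, lo, hi), senders in count_by_sender(lines).items():
        if len(senders) != 1:
            continue  # both sides spoke: the path works for this flow
        (sender, n), = senders.items()
        receiver = hi if sender == lo else lo
        result.append((proto, fmt(sender), fmt(receiver), n))
    return result


if __name__ == "__main__":
    for proto, snd, rcv, n in one_way_flows(SAMPLE_CAPTURE.splitlines()):
        print(f"{proto}: {n} packet(s) {snd} -> {rcv}, nothing back; "
              f"check the return route (default gateway) on the receiver")
```

Run against the constructed capture it flags the ICMP flow to the DVR and the SYN retries to port 37777, but not the ping to 192.168.50.1, because that host answered. Seeing the healthy control flow beside the broken one is what separates "the tunnel is down" from "this one host cannot route back", which is the distinction the thread arrives at.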
