This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Issues while creating a hairpin NAT

Hi folks,

another post on my issues about creating a firewall hairpin nat rule.

I have an NTP server on my network and I want devices to use it as a reference time source. I know the device works when I change network devices to query it for time, they update correctly.

When I built my own firewall rule using a linked NAT rule there was lots of queries to the rule but nothing was returned.

So, I have decided to use the XG build a server access rule.

I think one of the questions in the create wizard is wrong

It asks for the external source networks and devices, but never asks for the internal networks. You can add your internal networks which I did.

Next issue is the reflexive rule automatically created does not use the required service as entered in previous pages, just uses ANY which allows all traffic to bypass the specific NAT and linked NAT rules. Again you can change it to the required service.

Next issue is the created firewall rule appears to be wrong.

Destination zone is LAN but the destination network is the external interface which is a WAN zone.

The result is the rule does not work.

I have tried creating a FQDN for the external internal access to the NTP, but there is nowhere to add it to the rule along with a number of other issues of trying to add another external url for the same address, the XG does not like it.

Please advise what is required to make the hairpin NAT work. I have read the KBA and followed that document and ended up with the above issues.

Ian

.



This thread was automatically locked due to age.
Parents
  • Hello rfcat_vk,

    Thank you for contacting the Sophos Community!

    Can you do a packet capture on the GUI, to see if the traffic is arriving and then what rule is being processed?

    As per the Firewall rule, I used the Wizard and got the correct WAN to WAN.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi EmmoSophos.

    None of the internal devices hit the firewall rules. Logviewer only shows the NTP server using the IPv6 rule allowing it out and one dumb device that breaks the country rules when it can't connect to the NTP server.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="PortE2" in_display_interface="LAN" out_interface="" out_display_interface="" src_mac="xxxxxxxx" dst_mac="" src_ip="192.168.x.x" src_country="" dst_ip="WAN IP" dst_country="DNK" protocol="TCP" src_port="64563" dst_port="32400" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • I found with the DNAT wizard I could setup access to the server from the internet but the server did not respond.

    Also I found that the translated details do not appear in the logviewer until you way the mouse over the lefthand side symbol and it shows whether translated and packets sent and received.

    I will try again the with DNAT wizard.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • You beat me to the post. That is not translating. I will see what I can test.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Same here, thanks, no post hijacking intended Stuck out tongue winking eye

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Hi Martin,

    a total failure. In my limited understanding of NAT the firewall rule appears to be wrong. 

    You want a LAN to WAN rule for the server, then you want the external access then you need the internal people to access it via the external interface and that is not what I am seeing in the DNAT wizard setup.

    My testing is limited at the moment because I deleted the Dyndns entry for my NTP server so there was no incoming traffic. I need to re-create it and start testing again but building my own NAT rules.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Was just on with support, we did create new DNAT rule with the assistant, this assistance crated:

    - FW rule

    - DNAT

    - Reflex NAT

    - Loopback NAT

    As we have seen every time, but what he did, was to edit the newly created firewall rule, and add the zone (Only WAN was there in the bginning) where FROM you ALSO want to access the traffic, in my case LAN, as the server was also on the LAN in my lab:

    And then it worked!!

    can you try?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • tricky, undocumented feature.

    Will do later tonight depending on my wife and my exclusive use of the XG.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yup - no need for a auto created loopback rule, when it's not working :-)

    Better leave the XG behind......

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • So far absolutely useless, no traffic at all. Like you my server is only LAN.

    Not only that. the addition made no changes to the NAT rules.

    So in summary a major fail.

    Ian

    I am seeing UDP flood due to the firewall rule failure.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • So I tested in production today, nothing worked. BUT if I setup a webserver on my laptop, create the rules, everything works.

    When I then create the same rule, but point to the org webserver (We where on DMZ both of us), nothing works, except traffic from outside can pass, but loopback broken and log floating with:

    messageid="00005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" con_duration="0" fw_rule_id="12" nat_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="PortE2" in_display_interface="DMZ" out_interface="" out_display_interface="" src_mac="xx:xx:xx:xx:xx:xx" dst_mac="" src_ip="x.x.x.x" src_country="" dst_ip="wanip" dst_country="DNK" protocol="ICMP" icmp_type="12731" icmp_code="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="" dst_zone="" con_direction="" con_event="Interim" con_id="1083932784" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Sophos XG Firewall: How the ICMP error messages works and how to allow or deny it

    Have read this, but the code provided does not make sense, have opened a supportcase again :-O

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

Reply
  • So I tested in production today, nothing worked. BUT if I setup a webserver on my laptop, create the rules, everything works.

    When I then create the same rule, but point to the org webserver (We where on DMZ both of us), nothing works, except traffic from outside can pass, but loopback broken and log floating with:

    messageid="00005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" con_duration="0" fw_rule_id="12" nat_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="PortE2" in_display_interface="DMZ" out_interface="" out_display_interface="" src_mac="xx:xx:xx:xx:xx:xx" dst_mac="" src_ip="x.x.x.x" src_country="" dst_ip="wanip" dst_country="DNK" protocol="ICMP" icmp_type="12731" icmp_code="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="DMZ" src_zone="DMZ" dst_zone_type="" dst_zone="" con_direction="" con_event="Interim" con_id="1083932784" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Sophos XG Firewall: How the ICMP error messages works and how to allow or deny it

    Have read this, but the code provided does not make sense, have opened a supportcase again :-O

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

Children
No Data