This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT Problems on MR-5

I've a simple configuration on XG86, Just a rule for navigation and a DNAT. If i try to reach the exposed service fails, my log say that fw rule and nat rule is correct but still reach the service. No strange routers or double nats.

Any suggestions?

Thanks a lot

Sorry for my bad English

This thread was automatically locked due to age.

Top Replies

FormerMember over 2 years ago in reply to David Moro +3 verified

Assuming matching NAT ID: 1 and firewall rule ID: 2 are correct. As per the packet flow, the traffic is being forwarded to internal server 10.1.1.10 for destination port 8080, but there’s no reply coming…

Parents

0 LuCar Toni over 2 years ago

Can you show screenshots of both?

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 David Moro over 2 years ago in reply to LuCar Toni
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to David Moro

I have the strong feeling, your Service is causing this issue. Double check the service, if it actually match.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to David Moro
Hi David Moro,

Would it be possible for you to run a packet capture on the destination IP address from the Diagnostics > Packet Capture and share a screenshot with us?

Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 2 years ago in reply to LuCar Toni

Hi,

shouldn't the destination in the NAT be a network not an xg interface (one IP address)?

ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to rfcat_vk

Thats perfectly fine. The DNAT will hit the WAN IP, you want to translate to a IP behind XG.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 David Moro over 2 years ago in reply to LuCar Toni

Yes.... but if i try to reach the exposed service it'll not work
Cancel
Vote Up 0 Vote Down

Cancel
0 David Moro over 2 years ago in reply to rfcat_vk

Also with network don't work :D
Cancel
Vote Up 0 Vote Down

Cancel
0 David Moro over 2 years ago in reply to FormerMember

Red= Firewall public ip..... Black= public ip that is trying to reach the exposed service

10.1.1.10 = internal server ip natted externally
Cancel
Vote Up 0 Vote Down

Cancel
+1 FormerMember over 2 years ago in reply to David Moro

Assuming matching NAT ID: 1 and firewall rule ID: 2 are correct.

As per the packet flow, the traffic is being forwarded to internal server 10.1.1.10 for destination port 8080, but there’s no reply coming back.

I'd suggest try applying SNAT as the default MASQ and check whether the server is accessible publicly or not.
Cancel
Vote Up +3 Vote Down

Cancel
0 David Moro over 2 years ago in reply to FormerMember

This is the default MASQ for all hosts
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 David Moro over 2 years ago in reply to FormerMember

This is the default MASQ for all hosts
Cancel
Vote Up 0 Vote Down

Cancel

Children

+1 FormerMember over 2 years ago in reply to David Moro

Please apply SNAT as MASQ in NAT rule ID:1 (DNAT rule configured for 10.1.1.10).
Cancel
Vote Up +1 Vote Down

Cancel
0 David Moro over 2 years ago in reply to FormerMember

With MASQ it works fine... why does it need MASQ in SNAT?
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to David Moro

If you apply SNAT as MASQ, then the source IP in the incoming request will be translated with an outgoing interface IP address. As per your environment, the source IP will be translated to Port1 interface IP.

With SNAT as original, Sophos Firewall forwards the original source IP address(public IP of client) to the translated destination(10.1.1.10).

As I mentioned earlier, traffic was getting forwarded by Sophos Firewall to the destination server 10.1.1.10, but there was no reply coming back.

Further, you can run a packet capture on 10.1.1.10 server and check whether it responds to requests coming with public IP or not.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Nafets over 2 years ago in reply to David Moro

Maybe the system you NAT to has no default gateway configured and so the traffic to requesting WAN client is not routed back. Stumbled over that a few times.
Cancel
Vote Up +2 Vote Down

Cancel