
DNAT on XGS (SFOS 18.5.1 MR-1-Build326) what on earth have I got wrong?

I have followed the video guide for DNAT on https://www.sophos.com/en-us/support/products/xg-firewall/how-to-library.aspx#NetworkConfiguration

But inbound packets are being dropped even though I'm pretty sure everything is correct. There is no alias involved, so the DNAT should be: traffic on TCP 444 from the WAN to #port3 is forwarded to an internal host called "pth-idr".

The firewall rule is:

The DNAT rule is:

Service is setup as:

I have to use the console to view the drop logs but when filtered to the source host on the internet it shows the packets are being dropped...

2021-12-01 12:31:07 0103021 IP <source IP>.51995 > <destination IP>.444 : proto TCP: S 1720371234:1720371234(0) win 64240 checksum : 57340
0x0000: 4500 0034 788b 4000 7306 f69a a7b3 81b9 E..4x.@.s.......
0x0010: 31ff 3d32 cb1b 01bc 668a c822 0000 0000 1.=2....f.."....
0x0020: 8002 faf0 dffc 0000 0204 05b4 0103 0308 ................
0x0030: 0101 0402 ....
Date=2021-12-01 Time=12:31:07 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port3 out_dev= inzone_id=2 outzone_id=4 source_mac=<Source MAC> dest_mac=<destination MAC> bridge_name= l3_protocol=IPv4 source_ip=<Source IP> dest_ip=<Destination IP> l4_protocol=TCP source_port=51995 dest_port=444 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8003 nfqueue=0 gateway_offset=0 connid=2989602752 masterid=0 status=256 state=1, flag0=824635817984 flags1=17179869184 pbdid_dir0=0 pbrid_dir1=0

Anyone have any ideas?

Many thanks in advance.

Barry
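The drop line above carries the fields that decide this kind of case: log_subtype=Denied, log_component=Local_ACLs, dnat_done=0, fw_rule_id=N/A and an empty out_dev. On SFOS 18 the DNAT rule is looked up before the firewall rule, so dnat_done=0 on an inbound packet means the destination was never translated and the firewall rule was evaluated against the untranslated WAN address. The following parser and triage helper is an added example, not code from the thread or from Sophos; the two log lines it runs over are constructed (documentation-range IPs, and the "Allowed" line's rule and NAT ids are placeholders) in the same legacy key=value layout as the post.

```python
import re
from typing import Dict, List

# Constructed sample lines in the legacy SFOS key=value firewall log layout.
# IPs are from documentation ranges; ids in the second line are placeholders.
SAMPLE_LOGS = [
    # Denied inbound: DNAT never applied (dnat_done=0), no firewall rule matched (fw_rule_id=N/A)
    "Date=2021-12-01 Time=12:31:07 log_id=0103021 log_type=Firewall log_component=Local_ACLs "
    "log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port3 out_dev= "
    "inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=203.0.113.10 dest_ip=198.51.100.5 "
    "l4_protocol=TCP source_port=51995 dest_port=444 fw_rule_id=N/A policytype=0 dnat_done=0 "
    "nat_id=0 connid=2989602752 status=256 state=1, flag0=824635817984",
    # Constructed contrast: the same flow once a NAT rule and a firewall rule both match
    "Date=2021-12-01 Time=12:35:42 log_id=0000000 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Allowed log_status=N/A log_priority=Information in_dev=Port3 out_dev=Port1 "
    "l3_protocol=IPv4 source_ip=203.0.113.10 dest_ip=198.51.100.5 l4_protocol=TCP "
    "source_port=52001 dest_port=444 fw_rule_id=7 dnat_done=1 nat_id=3",
]

# One key=value token; values contain no whitespace in this layout, so \S* is enough.
TOKEN = re.compile(r"(\w+)=(\S*)")


def parse_sfos_log(line: str) -> Dict[str, str]:
    """Parse one legacy SFOS key=value log line into a dict.

    Empty values (out_dev=) are kept as "", and a trailing comma such as
    the one after 'state=1,' in the original line is stripped.
    """
    return {key: value.rstrip(",") for key, value in TOKEN.findall(line)}


def diagnose(entry: Dict[str, str]) -> List[str]:
    """Explain a Denied inbound entry in terms of the NAT-then-firewall pipeline."""
    findings: List[str] = []
    if entry.get("log_subtype") != "Denied":
        return findings
    if entry.get("dnat_done") == "0":
        findings.append("dnat_done=0: no DNAT rule matched, destination still the WAN address")
    if entry.get("fw_rule_id") in (None, "N/A", "0"):
        findings.append("fw_rule_id=N/A: no firewall rule matched the (untranslated) destination")
    if entry.get("log_component") == "Local_ACLs":
        findings.append("Local_ACLs: packet was treated as addressed to the firewall itself")
    if not entry.get("out_dev"):
        findings.append("out_dev empty: no egress interface, consistent with no translation")
    return findings


def triage(lines: List[str]) -> List[tuple]:
    """Return (source_ip, dest_port, findings) for every line, for quick review."""
    return [
        (e.get("source_ip"), e.get("dest_port"), diagnose(e))
        for e in map(parse_sfos_log, lines)
    ]


if __name__ == "__main__":
    for src, port, findings in triage(SAMPLE_LOGS):
        print(f"{src} -> :{port}")
        for f in findings or ["allowed / nothing to explain"]:
            print("   ", f)
```

Running it against the first line reports all four indicators together, which is the pattern to look for when a DNAT rule shows no hit counter: the firewall rule is not the first thing to fix, the NAT rule's matching criteria (inbound interface, original destination, service) are.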



  • Hi,

    I would suggest you change PORT#3 to the network associated with port #3.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks - you can't use a Zone as this is DNAT, it requires a specific IP for the destination.

    I have tried creating a network host with the specific destination IP and putting that in place of #Port3 but that doesn't work either.

  • Not sure what the situation is exactly, but I have one question and one suggestion:

    1. Are you redirecting the port to 443 (the default of rds) ?

    2. UTFW: As we used to say in 2000, when ms created the sbs, use the (...) wizard... Slight smile

  • Hi,

    You need to change your firewall rule destination network to Any; you are trying to use an XG interface as your destination and, from my experience, that doesn't work.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Looks fine from this perspective. Does the NAT Rule hit and you see traffic ticking? Because the firewall rule seems to miss, could be because the NAT rule did not match in the first place. 


  • Hi.

    I think there is an error in your DNAT rule. Especially your interface matching criteria for the inbound interface. 

    From documentation this must be the pre-NAT interface so you should use #Port3 as well for DNAT.

    Regards,

    Thomas


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Thanks, it is actually #Port3 just it's been renamed and this is what is used when you select it in the Interface matching rule (so there is no #Port3 option, only the renamed interface)

  • Nope, neither the firewall rule nor the DNAT rule shows any traffic.

    For traffic flow it should hit the firewall rule first and then the DNAT rule so I think it's not matching the firewall rule for some reason.

  • Thanks, it's not RDS, it's Remote Desktop Gateway using a custom port. This exact setup was being used on a UTM previously, so I've literally moved the internet cable from the WAN on the UTM to the WAN on the XGS and used the same basic DNAT rules that were in place on the UTM (although obviously the setup is very different).

  • That won't be great from a security point of view and the Sophos documentation for both v17 and v18 definitely show them using a specific port (either the actual port or a specific alias on the port)