
DNAT on XGS (SFOS 18.5.1 MR-1-Build326) - what on earth have I got wrong?

I have followed the video guide for DNAT on https://www.sophos.com/en-us/support/products/xg-firewall/how-to-library.aspx#NetworkConfiguration

But inbound packets are being dropped even though I'm pretty sure everything is correct. There is no alias involved, so the DNAT should be: traffic on TCP 444 from the WAN to #Port3 is forwarded to an internal host called "pth-idr".

The firewall rule is:

The DNAT rule is:

Service is setup as:

I have to use the console to view the drop logs, but when filtered to the source host on the internet it shows the packets are being dropped...

2021-12-01 12:31:07 0103021 IP <source IP>.51995 > <destination IP>.444 : proto TCP: S 1720371234:1720371234(0) win 64240 checksum : 57340
0x0000: 4500 0034 788b 4000 7306 f69a a7b3 81b9 E..4x.@.s.......
0x0010: 31ff 3d32 cb1b 01bc 668a c822 0000 0000 1.=2....f.."....
0x0020: 8002 faf0 dffc 0000 0204 05b4 0103 0308 ................
0x0030: 0101 0402 ....
Date=2021-12-01 Time=12:31:07 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port3 out_dev= inzone_id=2 outzone_id=4 source_mac=<Source MAC> dest_mac=<destination MAC> bridge_name= l3_protocol=IPv4 source_ip=<Source IP> dest_ip=<Destination IP> l4_protocol=TCP source_port=51995 dest_port=444 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8003 nfqueue=0 gateway_offset=0 connid=2989602752 masterid=0 status=256 state=1, flag0=824635817984 flags1=17179869184 pbdid_dir0=0 pbrid_dir1=0

Anyone have any ideas?

Many thanks in advance.

Barry
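The Denied line in the post carries the diagnosis on its own: log_component=Local_ACLs, dnat_done=0, fw_rule_id=N/A. No NAT rule rewrote the destination, so the firewall handled the packet as traffic addressed to itself and the local ACL (device access) rejected it; neither the DNAT rule nor the firewall rule ever saw the flow, which is why both counters stay at zero. The script below is an added example, not code from the post or from Sophos: it parses the SFOS key=value log format and separates that pre-DNAT local-ACL drop from a drop by a firewall rule. The field names are the ones in the thread; the IP addresses, the two extra sample lines and the rule/NAT ids in them are constructed for the example.

```python
"""Triage Sophos Firewall (SFOS) key=value firewall log lines.

Added example, not code from the original post or from Sophos. It reads the
'Denied' line quoted in the thread and tells apart two very different drops:
  - no NAT rule matched and the local ACL rejected the packet
    (log_component=Local_ACLs, dnat_done=0, fw_rule_id=N/A): the thread's
    symptom, meaning the DNAT rule did not match at all; versus
  - a firewall rule matched and explicitly denied it (fw_rule_id is numeric).
"""
import re
from typing import Dict, List, Tuple

# Constructed samples. Field names follow the line quoted in the thread; the
# addresses are RFC 5737 documentation ranges, and lines 2 and 3 are made up
# to show what a post-DNAT deny and an allow would look like.
SAMPLE_LOGS: List[str] = [
    # 1) The thread's symptom: TCP/444 arriving on Port3 (WAN), no DNAT applied,
    #    no firewall rule consulted, rejected by the local ACL.
    "Date=2021-12-01 Time=12:31:07 log_type=Firewall log_component=Local_ACLs "
    "log_subtype=Denied log_priority=Alert in_dev=Port3 out_dev= inzone_id=2 "
    "outzone_id=4 l3_protocol=IPv4 source_ip=203.0.113.25 dest_ip=198.51.100.10 "
    "l4_protocol=TCP source_port=51995 dest_port=444 fw_rule_id=N/A "
    "dnat_done=0 nat_id=0 connid=2989602752",
    # 2) Constructed: DNAT matched (dnat_done=1, nat_id set) but firewall
    #    rule 12 denied the flow.
    "Date=2021-12-01 Time=12:40:00 log_type=Firewall log_subtype=Denied "
    "in_dev=Port3 out_dev=Port1 l3_protocol=IPv4 source_ip=203.0.113.25 "
    "dest_ip=198.51.100.10 l4_protocol=TCP source_port=51996 dest_port=444 "
    "fw_rule_id=12 dnat_done=1 nat_id=7 connid=2989602753",
    # 3) Constructed: the working state, DNAT matched and rule 12 allowed it.
    "Date=2021-12-01 Time=12:45:00 log_type=Firewall log_subtype=Allowed "
    "in_dev=Port3 out_dev=Port1 l3_protocol=IPv4 source_ip=203.0.113.25 "
    "dest_ip=198.51.100.10 l4_protocol=TCP source_port=51997 dest_port=444 "
    "fw_rule_id=12 dnat_done=1 nat_id=7 connid=2989602754",
]

PRE_DNAT_DROP = "dropped_by_local_acl_before_dnat"
FW_RULE_DROP = "dropped_by_firewall_rule"
ALLOWED = "allowed"
UNKNOWN = "unknown"

# key=value pairs; values are either "quoted with spaces" or bare tokens
# (the bare token may be empty, e.g. 'out_dev=' in the thread's line).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


def parse_sfos_log(line: str) -> Dict[str, str]:
    """Split one SFOS log line into a dict of field -> value."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def _no_rule(rule_id: str) -> bool:
    return rule_id in ("", "N/A", "0")


def classify(fields: Dict[str, str]) -> str:
    """Decide at which stage of the pipeline the packet was decided."""
    subtype = fields.get("log_subtype", "")
    rule_id = fields.get("fw_rule_id", "N/A")
    dnat_done = fields.get("dnat_done", "0")
    if subtype == "Allowed":
        return ALLOWED
    if subtype != "Denied":
        return UNKNOWN
    if dnat_done == "0" and _no_rule(rule_id):
        # Nothing translated the destination and no firewall rule was
        # consulted: the firewall treated the packet as addressed to itself
        # and its local ACL rejected it. The DNAT rule never matched.
        return PRE_DNAT_DROP
    if not _no_rule(rule_id):
        return FW_RULE_DROP
    return UNKNOWN


def triage(lines: List[str], expected_port: str = "444",
           expected_in_dev: str = "Port3") -> List[Tuple[str, str, str]]:
    """Return (connid, verdict, next_step) per line, flagging lines that the
    DNAT rule (TCP/expected_port arriving on expected_in_dev) should have
    matched but did not."""
    out = []
    for line in lines:
        f = parse_sfos_log(line)
        verdict = classify(f)
        should_match = (f.get("l4_protocol") == "TCP"
                        and f.get("dest_port") == expected_port
                        and f.get("in_dev") == expected_in_dev)
        if verdict == PRE_DNAT_DROP and should_match:
            step = ("DNAT rule for TCP/%s on %s did not match: check its service, "
                    "inbound interface and original destination, then re-create "
                    "it if the config looks right but shows no hits"
                    % (expected_port, expected_in_dev))
        elif verdict == FW_RULE_DROP:
            step = "NAT is fine; firewall rule %s denied it" % f.get("fw_rule_id")
        elif verdict == ALLOWED:
            step = "allowed by rule %s" % f.get("fw_rule_id")
        else:
            step = "no diagnosis"
        out.append((f.get("connid", "?"), verdict, step))
    return out


if __name__ == "__main__":
    for connid, verdict, step in triage(SAMPLE_LOGS):
        print(connid, verdict, "->", step)
```

Run it against lines pulled from the console (`tail` of the firewall log, or the output shown above) and look for the first verdict: a pre-DNAT local-ACL drop on the port you published says the NAT rule is not matching, so rule counters and screenshots of the rule are the wrong place to keep looking.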



  • Looks fine from this perspective. Does the NAT rule hit, and do you see traffic ticking? The firewall rule seems to be missed, which could be because the NAT rule did not match in the first place.


  • Nope, neither the firewall rule nor the DNAT rule shows any traffic.

    For traffic flow it should hit the firewall rule first and then the DNAT rule, so I think it's not matching the firewall rule for some reason.

  • Could you please delete and "recreate the same DNAT" rule? It could be an issue with the loading of the configuration. I have seen this in very rare cases, where everything was correct but not hitting.


  • You could verify my assumption by: 

    Go to all the objects you are using and try to "save" them again. See if there is an "update successful" or an "error" in the webadmin when saving the objects, such as your custom service.


  • Thanks, I'll try that and update when done - it will only be a bit later today though.

  • No luck I'm afraid - I removed the existing firewall and DNAT rules and then, to be safe, used the "Server Access Assistant (DNAT)" to set up the rules again (I didn't want to do this as I don't want/need the loopback and reflexive rules), and I still get exactly the same issue.

    I think I'll have to log a support call with Sophos on this as I'm pretty sure everything is correct but it just doesn't work.

  • Actually I take that back - re-creating the rule(s) using the "Server Access Assistant (DNAT)" *has* worked. I deleted the loopback and reflexive rules that were created, as they are not needed, and left the firewall and DNAT rule in place (they look *exactly* the same as the rules I screenshotted above!), and it's now all working as expected.

    Many thanks