Hi folks,
I have the following problem:
I have an icinga 2 running in my network and I want it to ping a remote network via S2S.
This does work, but as soon as I create a DNAT with HTTP and HTTPS to my icinga, it stops working.
What i tried:
Set a permanent route through the IPSEC, made a rule to allow all ICMP traffic, made packet traces (my pings were not even showing up, only the automatic ones from icinga).
Is there some connection between DNAT and IPSEC? Does one exclude the other?
It's my first post here, so please let me know if I missed something.
Greetings!
I found the problem!
I used the NAT assistant, which automatically created a reflexive NAT rule. This rule NATed all traffic from this server through Port 2:1. I deactivated it, and HTTP/S still works!
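The reflexive NAT rule found above matches on the outbound interface, and on a policy-based IPsec setup tunnel traffic leaves through the same WAN port as internet traffic, so the source address is rewritten before the IPsec selector is checked. This is an added toy model of that order of operations, not Sophos code; all subnets, addresses and rule names are constructed placeholders.

```python
"""Toy model: DNAT -> routing -> SNAT -> IPsec policy lookup, the order a
Linux-based firewall applies them. Constructed example; addresses are placeholders."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

LAN = ip_network("192.168.10.0/24")     # constructed LAN behind Port1
REMOTE = ip_network("10.20.0.0/16")     # constructed subnet behind the S2S tunnel
WAN_IP = ip_address("203.0.113.5")      # constructed public IP on Port2
ICINGA = ip_address("192.168.10.50")    # constructed monitoring host


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    out_iface: str = "Port2"  # tunnel and internet traffic both exit via the WAN port


@dataclass(frozen=True)
class SNATRule:
    src_net: IPv4Network          # original source the rule matches
    out_iface: str                # "ANY" or an interface name
    to: IPv4Address               # translated source address
    exclude_dst: tuple = ()       # destinations the rule must leave alone


def apply_snat(pkt: Packet, rules) -> Packet:
    """Rewrite the source with the first SNAT rule whose selector matches."""
    for r in rules:
        if (pkt.src in r.src_net
                and r.out_iface in ("ANY", pkt.out_iface)
                and all(pkt.dst not in net for net in r.exclude_dst)):
            return replace(pkt, src=r.to)
    return pkt


def egress_path(pkt: Packet, rules) -> str:
    """IPsec selector is LAN -> REMOTE; anything else leaves in the clear."""
    after = apply_snat(pkt, rules)
    if after.src in LAN and after.dst in REMOTE:
        return "tunnel"
    return f"cleartext via {after.out_iface}"


# Rule as the NAT assistant built it: masquerade the host on the WAN port.
REFLEXIVE = SNATRule(ip_network("192.168.10.50/32"), "Port2", WAN_IP)
# Same rule scoped so tunnel destinations are untouched (assumed alternative
# to deactivating it entirely).
SCOPED = SNATRule(ip_network("192.168.10.50/32"), "Port2", WAN_IP, (REMOTE,))
PING = Packet(ICINGA, ip_address("10.20.0.1"))
```

With `REFLEXIVE` active the ping to the remote site is source-translated to the WAN address, no longer matches the tunnel selector, and leaves unencrypted, which is why it never appeared in the tunnel capture.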
Hey Sebastian Möller1, thank you for reaching out to the community. Could you please share the screenshot of the DNAT rule created?
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Hi there:
First the Firewall Rule:
Second the NAT-Rule:
Hi,
"Set a permanent route through the IPSEC" - have you done that in the CLI?
Regards
fusi
No, I've done that on the icinga machine (SMP Debian 5.10.106-1).
Try to tell your XG to route all traffic to your VPN network through your IPsec tunnel:
system ipsec_route add net <remote subnet> tunnelname <ipsec_tunnel>
docs.sophos.com/.../index.html
I don't really get why I should do that. I don't want to route everything through the IPSEC.
I thought you would ping a remote client behind an IPsec connection?
You don't route everything to the tunnel. Only <remote subnet>.
Yes, right. That does work from every other machine in my network, only this one doesn't, as soon as I make a DNAT to this particular machine.
Your screenshot shows you using DNAT for ICMP, and it shows Inbound Interface Port 2. Do you mean #Port2.1? Is it working, as shown, for HTTP and HTTPS but just not for ICMP? And is #Port2.1 in the LAN Zone?
The system route for IPsec simply tells the firewall itself, there is a route for the traffic. This can be needed in case of NAT:
But your NAT has a traffic selector based on interface. I would recommend trying ANY there instead of Port2.
Check the Packet Capture as well.