Hi folks,
I have the following problem:
I have an icinga 2 running in my network and I want it to ping a remote network via S2S.
This does work, but as soon as I create a DNAT with HTTP and HTTPS to my Icinga, it stops working.
What I tried:
Set a permanent route through the IPsec, made a rule to allow all ICMP traffic, made packet traces (my pings were not even showing up, only the automatic ones from Icinga).
Is there some connection between DNAT and IPsec? Does one exclude the other?
It's my first post here, so please let me know if I missed something.
Greetings!
I found the problem!
I used the NAT assistant, which automatically created a reflexive NAT rule. This rule NATed all traffic from this server through Port 2.1. I deactivated it, and HTTP/S still works!
Hi,
"Set a permanent route through the IPSEC" - have you done that in the CLI?
Regards
fusi
No, I've done that on the Icinga machine (SMP Debian 5.10.106-1).
Try to tell your XG to route all traffic to your VPN network through your IPsec tunnel:
system ipsec_route add net <remote subnet> tunnelname <ipsec_tunnel>
docs.sophos.com/.../index.html
I don't really get why I should do that. I don't want to route everything through the IPsec.
I thought you would ping a remote client behind an IPsec connection?
You don't route everything to the tunnel. Only <remote subnet>.
Yes, right. That does work from every other machine in my network, only this one doesn't, as soon as I make a DNAT to this particular machine.
Your screenshot shows you using DNAT for ICMP, and it shows Inbound Interface Port 2. Do you mean #Port2.1? Is it working, as shown, for HTTP and HTTPS but just not for ICMP? And is #Port2.1 in the LAN Zone?
The system route for IPsec simply tells the firewall itself, there is a route for the traffic. This can be needed in case of NAT:
But your NAT has a traffic selector based on interface. I would recommend trying ANY there instead of Port2.
Check the Packet Capture as well.
I tried "ANY" as the selector, but it made no difference. Also I have added the permanent route via CLI. Still no change...
What do you see in the Packet capture on Webadmin?
Thanks for your help! I'm really stunned how fast and how many people replied.
Have a nice weekend