
ACL Violation when attempting WAN to LAN NAT v19.5.0

Hello

I have searched and can see others have this issue, however none of the solutions have worked for me so far.

I have followed the steps at https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html#specify-the-nat-rule-settings to create the following policies, with the intention of allowing WAN -> LAN traffic on the specified ports:

NAT Rule:

Sophos Public Address is an IP 192.168.0.90

Valheim Server is an IP 172.16.50.110

Firewall Rule:

The service 'Valheim' is defined as:

The packet captures I have been getting are as follows:

(apologies for drop-packet as an image and not plain text)

Any help would be greatly appreciated

  • The firewall rule has to be Sophos_Public IP and your server's zone in the Destination section.

    And the NAT rule is not applied. The service is off: you need to change the source port to 1:65500 to include the high ports.


  • Hi - thanks for your response!

    I have made the following adjustments:
    Service is now TCP&UDP 1:65500 / 2456:2458

    I'm not sure I understood your directions on the firewall rule correctly, but I have done the following:
    Destination Zone is now WAN, and Destination Network is Sophos Public Address.

    I have run some further packet captures and am still seeing the Violation / Local_ACL result.

  • The Firewall Rule should be: DMZ Zone and Sophos Public Address. 


  • Hi again

    I've tried each of the following configurations on the firewall rule, all to no success - I still see Violation / Local_ACL on the packet capture.

    Destination Zone     Destination Address
    DMZ                  Sophos Public Address
    Game_Server_Zone     Sophos Public Address
    Game_Server_DMZ      Sophos Public Address
    ANY                  Sophos Public Address

    (Game_Server_Zone is a LAN zone, I created Game_Server_DMZ as a DMZ zone just for testing purposes)

    Is there something somewhere else I may have gotten wrong that I should check?

  • Hi Lucar - thanks for your help

    Between your feedback (which I have implemented) and comparisons with the native DNAT wizard for creating rules, I've isolated a possible cause. There is another NAT rule, as shown below:

    In the ordering shown above, the packets are rejected due to ACL violation. When I order my NAT rule on top, the packets are accepted. Given that the default rule is for outbound traffic on PortB (my WAN port), this doesn't strike me as intended behavior; could it be a bug?

    In any instance, my issue should be resolved now, thanks again.

    EDIT: Tested this with the wizard-generated rules - in default order the packets are forwarded, if I place the default SNAT IPv4 rule on top the packets are dropped.

  • Hello Hugh,

    It's not bug but intended behavior.

    Once your traffic matches any NAT rule, it won't traverse further down.

    Same applies to Firewall rule as well.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall
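The first-match behaviour Sanket describes, as an added example written for this page (it is not Sophos Firewall code and not code from any participant). It models a NAT rule list that is checked top to bottom, with the first matching rule winning, and evaluates the same packets under both orderings discussed above. The Valheim DNAT rule reuses the addresses and ports quoted in the thread; the default SNAT rule is modelled as a wildcard that matches anything, which is an assumption, since the thread does not show its actual criteria. The client address, the outbound test packet and the zone names are constructed for the example.

```python
"""Added example: first-match NAT rule evaluation.

Illustrative code written for this page, not Sophos Firewall code. It models
only the ordering behaviour described in the thread: rules are checked top to
bottom and the first match wins. The match criteria and the sample packets are
constructed; the default SNAT rule in particular is modelled as a wildcard,
which is an assumption, since the thread does not show its real criteria.
"""
import ipaddress


def in_nets(ip, nets):
    """True if ip falls in any CIDR in nets; an empty list means 'Any'."""
    addr = ipaddress.ip_address(ip)
    return not nets or any(addr in ipaddress.ip_network(n) for n in nets)


def in_ports(port, ranges):
    """True if port lies in any (low, high) range; an empty list means 'Any'."""
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule, pkt):
    """Every criterion must fit; an empty criterion is a wildcard."""
    return (
        (not rule["src_zones"] or pkt["in_zone"] in rule["src_zones"])
        and in_nets(pkt["src"], rule["src_nets"])
        and in_nets(pkt["dst"], rule["dst_nets"])
        and (not rule["protos"] or pkt["proto"] in rule["protos"])
        and in_ports(pkt["sport"], rule["src_ports"])
        and in_ports(pkt["dport"], rule["dst_ports"])
    )


def first_match(rules, pkt):
    """Return the name of the first rule that matches, or None.

    Nothing below the first match is consulted, which is the behaviour
    described in the thread: once traffic matches a NAT rule it does not
    traverse further down the list.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["name"]
    return None


# The DNAT rule from the thread: WAN -> Sophos Public Address, TCP&UDP,
# source ports 1:65500, destination ports 2456:2458.
VALHEIM_DNAT = {
    "name": "Valheim DNAT",
    "src_zones": {"WAN"},
    "src_nets": [],
    "dst_nets": ["192.168.0.90/32"],
    "protos": {"tcp", "udp"},
    "src_ports": [(1, 65500)],
    "dst_ports": [(2456, 2458)],
}

# Assumption for this example: the default SNAT rule matches anything.
DEFAULT_SNAT = {
    "name": "Default SNAT IPv4",
    "src_zones": set(),
    "src_nets": [],
    "dst_nets": [],
    "protos": set(),
    "src_ports": [],
    "dst_ports": [],
}

# Constructed sample packets: a game client on a documentation address
# reaching the public IP, and a LAN host making an ordinary outbound request.
INBOUND_GAME = {"in_zone": "WAN", "src": "203.0.113.25", "dst": "192.168.0.90",
                "proto": "udp", "sport": 51000, "dport": 2456}
OUTBOUND_WEB = {"in_zone": "LAN", "src": "172.16.50.20", "dst": "198.51.100.7",
                "proto": "tcp", "sport": 43210, "dport": 443}


def compare_orderings():
    """Evaluate both sample packets with the SNAT rule first and with the
    DNAT rule first, returning which rule each packet hit."""
    snat_first = [DEFAULT_SNAT, VALHEIM_DNAT]
    dnat_first = [VALHEIM_DNAT, DEFAULT_SNAT]
    return {
        "snat_first": {
            "inbound_game": first_match(snat_first, INBOUND_GAME),
            "outbound_web": first_match(snat_first, OUTBOUND_WEB),
        },
        "dnat_first": {
            "inbound_game": first_match(dnat_first, INBOUND_GAME),
            "outbound_web": first_match(dnat_first, OUTBOUND_WEB),
        },
    }


if __name__ == "__main__":
    for order, results in compare_orderings().items():
        print(order, results)
```

With the wildcard rule on top the inbound game packet never reaches the DNAT rule; with the specific DNAT rule on top, the inbound packet hits it while the outbound packet still falls through to the SNAT rule, which is why the more specific rule belongs above the broad default.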

  • Hello Sanket

    Thanks for the explanation - I hadn't expected the traffic to match with the default rule.