

ACL Violation when attempting WAN to LAN NAT v19.5.0

Hello

I have searched and can see others have this issue, however none of the solutions have worked for me so far.

I have followed the steps at https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html#specify-the-nat-rule-settings to create the following policies, with the intention of allowing WAN -> LAN traffic on the specified ports:

NAT Rule:

Sophos Public Address is an IP 192.168.0.90

Valheim Server is an IP 172.16.50.110

Firewall Rule:

The service 'Valheim' is defined as:

The packet captures I have been getting are as follows:

(apologies for drop-packet as an image and not plain text)

Any help would be greatly appreciated

  • Firewall Rule has to be Sophos_Public IP and your Server as Zone in Destination Section. 

    And the NAT Rule is not applied. The Service is off: You need to change the Source Port to 1:65500 to include the high ports. 

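To make the two points in that reply concrete, here is a small Python model of how the DNAT rule and the firewall rule are matched. It is an added illustration, not code from this thread or from Sophos: the zone names, the client address 203.0.113.10, the ephemeral source port 51234 and the way the model reports a failed DNAT lookup as "Violation / Local_ACL" (traffic left addressed to the appliance's own WAN IP is treated as local and hits the device-access ACL) are assumptions used to show the effect, not SFOS internals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_zone: str    # zone the packet arrived on


@dataclass(frozen=True)
class Service:
    protos: frozenset
    src_ports: tuple   # (low, high), inclusive
    dst_ports: tuple   # (low, high), inclusive

    def matches(self, pkt: Packet) -> bool:
        lo_s, hi_s = self.src_ports
        lo_d, hi_d = self.dst_ports
        return (pkt.proto in self.protos
                and lo_s <= pkt.src_port <= hi_s
                and lo_d <= pkt.dst_port <= hi_d)


@dataclass(frozen=True)
class NatRule:
    original_dst: str     # public IP the client connects to
    translated_dst: str   # internal server it is forwarded to
    service: Service


@dataclass(frozen=True)
class FirewallRule:
    src_zone: str
    dst_zone: str   # zone of the *translated* (internal) destination
    dst_ip: str     # the *original* (pre-NAT) destination address
    service: Service


# Assumed zone membership for the two hosts named in the thread.
ZONE_OF = {"192.168.0.90": "WAN", "172.16.50.110": "Game_Server_Zone"}


def evaluate(pkt: Packet, nat: NatRule, fw: FirewallRule) -> str:
    """Return the model's verdict for one packet."""
    # 1. The DNAT rule is looked up first.  If it does not match, the packet is
    #    still addressed to the appliance's own WAN IP, so the model treats it
    #    as local traffic with no device-access ACL for that port (assumption:
    #    this is how the capture's Violation / Local_ACL arises).
    if not (pkt.dst_ip == nat.original_dst and nat.service.matches(pkt)):
        return "Violation / Local_ACL"
    # 2. The firewall rule is then checked against the post-NAT destination
    #    zone but the pre-NAT destination address, as the reply above says.
    if (fw.src_zone == pkt.in_zone
            and fw.dst_zone == ZONE_OF[nat.translated_dst]
            and fw.dst_ip == nat.original_dst
            and fw.service.matches(pkt)):
        return "Allowed"
    return "No firewall rule matched"


# Service as first defined (source ports pinned to 2456:2458) and as corrected
# (any source port; the reply suggested 1:65500, the full range is 1:65535).
VALHEIM_WRONG = Service(frozenset({"TCP", "UDP"}), (2456, 2458), (2456, 2458))
VALHEIM_OK = Service(frozenset({"TCP", "UDP"}), (1, 65535), (2456, 2458))

# Constructed packet: a game client uses an ephemeral source port, so a service
# that restricts the *source* port to 2456:2458 never matches it.
CLIENT_PKT = Packet("UDP", "203.0.113.10", 51234, "192.168.0.90", 2456, "WAN")


def scenario(service: Service, fw_dst_zone: str) -> str:
    """Build the DNAT + firewall rule pair with one service and evaluate."""
    nat = NatRule("192.168.0.90", "172.16.50.110", service)
    fw = FirewallRule("WAN", fw_dst_zone, "192.168.0.90", service)
    return evaluate(CLIENT_PKT, nat, fw)


if __name__ == "__main__":
    print(scenario(VALHEIM_WRONG, "Game_Server_Zone"))  # Violation / Local_ACL
    print(scenario(VALHEIM_OK, "WAN"))                   # No firewall rule matched
    print(scenario(VALHEIM_OK, "Game_Server_Zone"))      # Allowed
```

The three runs show the two separate fixes: with the source port range wrong the DNAT never applies (first line), with the DNAT fixed but the firewall rule's destination zone set to WAN nothing permits the forwarded packet (second line), and only the combination of a wide source port range plus destination zone = server's zone and destination network = public address lets it through.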

  • Hi - thanks for your response!

    I have made the following adjustments:
    Service is now TCP&UDP 1:65500 / 2456:2458

    I'm not sure I understood your directions on the firewall rule correctly, but I have done the following:
    Destination Zone is now WAN, and Destination Network is Sophos Public Address.

    I have run some further packet captures and am still seeing the Violation / Local_ACL result.

  • The Firewall Rule should be: DMZ Zone and Sophos Public Address. 


  • Hi again

    I've tried each of the following configurations on the firewall rule, all to no success - I still see Violation / Local_ACL on the packet capture.

    Destination Zone     Destination Address
    DMZ                  Sophos Public Address
    Game_Server_Zone     Sophos Public Address
    Game_Server_DMZ      Sophos Public Address
    ANY                  Sophos Public Address

    (Game_Server_Zone is a LAN zone, I created Game_Server_DMZ as a DMZ zone just for testing purposes)

    Is there something somewhere else I may have gotten wrong that I should check?
