Hello

I have searched and can see others have this issue, however none of the solutions have worked for me so far. I have followed the steps at https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html#specify-the-nat-rule-settings to create the following policies, with the intention of allowing WAN -> LAN traffic on the specified ports:
NAT Rule:
Sophos Public Address is an IP 192.168.0.90
Valheim Server is an IP 172.16.50.110
Firewall Rule:
The service 'Valheim' is defined as:
The packet captures I have been getting are as follows:
(apologies for drop-packet as an image and not plain text)
Any help would be greatly appreciated
Firewall Rule has to be Sophos_Public IP and your Server as Zone in Destination Section.
And the NAT Rule is not applied. The Service is off: You need to change the Source Port to 1:65500 to include the high ports.
__________________________________________________________________________________________________________________
Hi Lucar, thanks for your help.

Between your feedback (which I have implemented) and comparisons with the native DNAT wizard for creating rules, I've isolated a possible cause. There is another NAT rule, as shown below:
In the ordering shown above, the packets are rejected due to ACL violation. When I order my NAT rule on top, the packets are accepted. Given that the default rule is for outbound traffic on PortB (my WAN port), this doesn't strike me as intended behavior; could it be a bug?
In any instance, my issue should be resolved now, thanks again.

EDIT: Tested this with the wizard-generated rules: in default order the packets are forwarded; if I place the default SNAT IPv4 rule on top, the packets are dropped.
Hello Hugh,
It's not a bug but intended behavior.
Once your traffic matches any NAT rule, it won't traverse below.
The same applies to firewall rules as well.
Regards,
Sanket Shah
Senior Development Manager, Sophos Firewall
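The first-match behaviour described above, as an added example (not code from the thread or from Sophos): a simplified top-down NAT table is walked with the thread's public IP, and swapping the order of the DNAT rule and a catch-all default SNAT rule changes which rule the inbound packet hits. The Valheim destination port (2456), the source port ranges and the catch-all shape of the default SNAT rule are assumptions for the example, not taken from the thread's images.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed, simplified rule model for illustration; not Sophos' NAT engine.
@dataclass
class NatRule:
    name: str
    src_zone: str        # "WAN", "LAN" or "ANY"
    dst_net: str         # CIDR of the original destination; "0.0.0.0/0" for any
    dst_ports: range     # original destination ports the rule accepts
    src_ports: range     # original source ports the rule accepts
    action: str          # "DNAT" (rewrite destination) or "SNAT" (masquerade)

def first_match(rules, src_zone, dst_ip, dst_port, src_port) -> Optional[NatRule]:
    """Walk the table top-down; the first matching rule wins and evaluation
    stops, so a later, more specific rule is never reached."""
    for r in rules:
        if r.src_zone not in ("ANY", src_zone):
            continue
        if ip_address(dst_ip) not in ip_network(r.dst_net):
            continue
        if dst_port not in r.dst_ports or src_port not in r.src_ports:
            continue
        return r
    return None

# Public address from the thread; port 2456 and the 1:65500 source range are assumed.
VALHEIM_DNAT = NatRule("Valheim DNAT", "WAN", "192.168.0.90/32",
                       range(2456, 2457), range(1, 65501), "DNAT")
# Assumed catch-all default SNAT rule (any source, any destination).
DEFAULT_SNAT = NatRule("Default SNAT IPv4", "ANY", "0.0.0.0/0",
                       range(1, 65536), range(1, 65536), "SNAT")
# The same DNAT rule with the service's source port still restricted to the
# game port, which a client's high ephemeral source port will not match.
NARROW_DNAT = NatRule("Valheim DNAT (narrow src port)", "WAN", "192.168.0.90/32",
                      range(2456, 2457), range(2456, 2457), "DNAT")

def which_rule(order, src_port=51000):
    """Name of the rule an inbound WAN packet to 192.168.0.90:2456 hits, or None."""
    hit = first_match(order, "WAN", "192.168.0.90", 2456, src_port)
    return hit.name if hit else None

if __name__ == "__main__":
    print("DNAT on top     ->", which_rule([VALHEIM_DNAT, DEFAULT_SNAT]))
    print("default SNAT top->", which_rule([DEFAULT_SNAT, VALHEIM_DNAT]))
    print("narrow src port ->", which_rule([NARROW_DNAT, DEFAULT_SNAT]))
```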
Hello Sanket

Thanks for the explanation; I hadn't expected the traffic to match with the default rule.