Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 4762 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ACL Violation when attempting WAN to LAN NAT v19.5.0

Hugh Beavis

Hello

I have searched and can see others have this issue, however none of the solutions have worked for me so far.

I have followed the steps at https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html#specify-the-nat-rule-settings to create the following policies, with the intention of allowing WAN -> LAN traffic the specified ports:

NAT Rule:

Sophos Public Address is an IP 192.168.0.90

Valheim Server is an IP 172.16.50.110

Firewall Rule:

The service 'Valheim' is defined as:

The packet captures I have been getting are as follows:

(apologies for drop-packet as an image and not plain text)

Any help would be greatly appreciated



This thread was automatically locked due to age.
Parents
  • 0

    Firewall Rule has to be Sophos_Public IP and your Server as Zone in Destination Section. 

    And the NAT Rule is not applied. The Service is off: You need to change the Source Port to 1:65500 to include the high ports. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi Lucar - thanks for your help

    Between your feedback (which I have implemented) and comparisons with the native DNAT wizard for creating rules, I've isolated a possible cause. There is another NAT rule, as shown below:

    In the ordering shown above, the packets are rejected due to ACL violation. When I order my NAT rule on top, the packets are accepted - given that the default rule is for outbound traffic on PortB (my WAN port) this doesn't strike me as intended behavior, could it be a bug?\

    In any instance, my issue should be resolved now, thanks again.

    EDIT: Tested this with the wizard-generated rules - in default order the packets are forwarded, if I place the default SNAT IPv4 rule on top the packets are dropped.

Reply
  • 0 in reply to LuCar Toni

    Hi Lucar - thanks for your help

    Between your feedback (which I have implemented) and comparisons with the native DNAT wizard for creating rules, I've isolated a possible cause. There is another NAT rule, as shown below:

    In the ordering shown above, the packets are rejected due to ACL violation. When I order my NAT rule on top, the packets are accepted - given that the default rule is for outbound traffic on PortB (my WAN port) this doesn't strike me as intended behavior, could it be a bug?\

    In any instance, my issue should be resolved now, thanks again.

    EDIT: Tested this with the wizard-generated rules - in default order the packets are forwarded, if I place the default SNAT IPv4 rule on top the packets are dropped.

Children
Unfiltered HTML