
Attempting to pass a port through the UTM, to a Server on a RED Network

I have a server on a remote site that needs to open port 80 to the internet from time to time to get a certificate. At the moment I cannot get this to work.

Details:

Sophos UTM on main Internet Connection at HQ: 192.168.200.0/24. Public IP A.B.C.D.

     External Port is #2

     Internal Port is br0, consisting of Ports 1, 3 & 4. Internal IP is 192.168.200.1

Remote office on RED device: 192.168.201.0/24, Internal IP is 192.168.201.1

Server#1 on RED Network: 192.168.201.11 with .1 as gateway

VPN between UTM and RED. This is a leased line at the HO end and a VDSL at the remote site.

For testing purposes I have an FTP server installed on Server#1 (201.11), as 80 is not available all the time. This is accessible from the head office network.

What I need to do is accept incoming FTP (later to be HTTP) connections on the main firewall and pass them through the VPN to Server#1, which should then respond back through the VPN and out the main UTM back to the originating client.

Attempt #1: I tried setting up a DNAT rule first. It didn't work, and my understanding from searches is that this is not expected to work.

Attempt #2 : I set up a NAT rule as below

I then setup a Firewall Rule

But this doesn't work; the FTP is not available from outside.

Either this isn't possible (searches seem to say it is) OR (far more likely) I am not doing it right.

Anyone got any insight for me?

[The good news is that in 6 months or so the leased line will move to the office - which is becoming the head office so this will cease to be an issue. The bad news is that I need to get this working first]

RED VPN is standard/split, which I guess is the major problem here.

My thoughts are that the packets are probably reaching Server#1, but are being returned by the RED external port and IP address, which is never gonna work. I had hoped that using "Translated Source" as FW-Internal (192.168.200.1) would solve that problem, causing the packets to return to the UTM.



  • Hello Sean,

    basic things first: remote server has to be pingable from the firewall itself as very first step.

    If this doesn't work: don't try to fix routing problems with NAT.

    Go through the chain the packet has to go - on its way to the server and then backwards. Check all involved systems, don't make assumptions.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
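The two posts above come down to one question: what path does the reply from Server#1 take? The following is an added model of that packet walk, written for this thread and not Sophos code. The addresses are the ones in the question except for the public ones, which are constructed placeholders (198.51.100.1 stands in for A.B.C.D, 203.0.113.10 is an internet client). The RED's Standard/Split behaviour is modelled as an assumption: a packet leaving the remote LAN goes through the tunnel only if its destination is in a split network, otherwise it leaves by the remote site's own VDSL uplink. The interface name `reds` for the UTM's RED interface is hypothetical.

```python
"""
Walk an inbound FTP connection through the chain described in the thread:
internet client -> UTM external port -> RED tunnel -> Server#1, and back.

Added model for this thread, not Sophos code. Public addresses are
constructed placeholders; split-mode RED behaviour is an assumption.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

HQ_LAN = ip_network("192.168.200.0/24")      # br0 on the UTM
RED_LAN = ip_network("192.168.201.0/24")     # remote office behind the RED
UTM_INTERNAL = ip_address("192.168.200.1")   # "FW-Internal" in the question
SERVER = ip_address("192.168.201.11")        # Server#1, gateway 192.168.201.1
UTM_PUBLIC = ip_address("198.51.100.1")      # placeholder for A.B.C.D (TEST-NET-2)
CLIENT = ip_address("203.0.113.10")          # constructed internet client (TEST-NET-3)
SPLIT_NETWORKS = [HQ_LAN]                    # networks the RED sends through the tunnel (assumed)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def utm_inbound_nat(pkt: Packet, translated_source: Optional[IPv4Address]) -> Packet:
    """DNAT on the external port: UTM_PUBLIC:port -> SERVER:port.
    translated_source models the 'Translated Source' field (full NAT when set)."""
    if pkt.dst != UTM_PUBLIC:
        return pkt
    return replace(pkt, dst=SERVER, src=translated_source or pkt.src)


def utm_route(dst: IPv4Address) -> str:
    """Interface the UTM forwards on. 'reds' is a hypothetical name for the RED interface."""
    if dst in HQ_LAN:
        return "br0"
    if dst in RED_LAN:
        return "reds"
    return "eth1"  # external port #2


def red_egress(pkt: Packet) -> str:
    """Where the RED sends a packet leaving the remote LAN (split-mode assumption)."""
    return "tunnel" if any(pkt.dst in net for net in SPLIT_NETWORKS) else "remote_vdsl"


def trace(translated_source: Optional[IPv4Address] = None, port: int = 21) -> dict:
    """Return the hop list and whether the reply comes back through the UTM that NATed it."""
    hops = []
    inbound = Packet(CLIENT, UTM_PUBLIC, port)
    hops.append(f"client -> utm eth1: {inbound.src} -> {inbound.dst}:{port}")

    forwarded = utm_inbound_nat(inbound, translated_source)
    via = utm_route(forwarded.dst)
    hops.append(f"utm nat -> {via}: {forwarded.src} -> {forwarded.dst}:{port}")
    if via != "reds":
        return {"hops": hops, "reply_path": None, "symmetric": False}

    # Server#1 answers whatever source address it saw; its gateway is the .1 address.
    reply = Packet(SERVER, forwarded.src, port)
    path = red_egress(reply)
    hops.append(f"server -> red ({path}): {reply.src} -> {reply.dst}")

    symmetric = path == "tunnel"
    if symmetric:
        hops.append(f"utm un-nat -> eth1: {UTM_PUBLIC} -> {CLIENT} (conntrack entry matches)")
    else:
        hops.append("reply leaves the remote VDSL with the RED site's own public address; "
                    f"the client never sees a SYN-ACK from {UTM_PUBLIC}, the handshake fails")
    return {"hops": hops, "reply_path": path, "symmetric": symmetric}


if __name__ == "__main__":
    for label, snat in (("DNAT only", None), ("DNAT + SNAT to FW-Internal", UTM_INTERNAL)):
        result = trace(snat)
        print(f"== {label}: symmetric={result['symmetric']}")
        for hop in result["hops"]:
            print("  ", hop)
```

Run it and the DNAT-only case ends with the reply leaving the remote VDSL, while the DNAT plus "Translated Source" case brings the reply back through the tunnel because 192.168.200.1 is inside the split network. The model assumes the forward hop already works, which is exactly the first thing to verify by pinging 192.168.201.11 from the UTM itself; if that fails, no NAT rule will help. One trade-off of the full-NAT variant worth knowing: Server#1 then sees every internet client as 192.168.200.1, so its own logs and any per-client access controls on it lose the real source address.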
