
Attempting to pass a port through the UTM, to a Server on a RED Network

I have a server on a remote site that needs to open port 80 to the internet from time to time to get a certificate. At the moment I cannot get this to work.

Details:

Sophos UTM on main Internet Connection at HQ: 192.168.200.0/24. Public IP A.B.C.D.

     External Port is #2

     Internal Port is br0, consisting of Ports 1, 3 & 4. Internal IP is 192.168.200.1

Remote office on RED device: 192.168.201.0/24, Internal IP is 192.168.201.1

Server#1 on RED Network: 192.168.201.11 with .1 as gateway

VPN between UTM and Red. This is a leased line at the HO end and a VDSL at the remote site

For testing purposes I have an FTP Server installed on Server#1 (201.11), as 80 is not available all the time. This is accessible from the head office network.

What I need to do is accept incoming FTP (later to be HTTP) connections on the main firewall and pass them through the VPN to Server#1, which should then respond back through the VPN and out the main UTM back to the originating client.

Attempt #1: I tried setting up a DNAT rule first. It didn't work, and my understanding from searches is that this is not expected to work.

Attempt #2 : I set up a NAT rule as below

I then setup a Firewall Rule

But this doesn't work - the FTP is not available from outside.

Either this isn't possible (searches seem to say it is) OR (far more likely) I am not doing it right.

Anyone got any insight for me?

[The good news is that in 6 months or so the leased line will move to the office - which is becoming the head office so this will cease to be an issue. The bad news is that I need to get this working first]

RED VPN is standard/split which is I guess the major problem here

My thoughts are that the packets are probably reaching Server#1, but are being returned by the RED external port and IP address, which is never gonna work. I had hoped that using "Translated Source" as FW-Internal (192.168.200.1) would solve that problem causing the packets to return to the UTM. 
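To make the return-path reasoning above concrete, here is a small Python model (added for illustration, not from the original post or from Sophos). It assumes a RED in standard/split mode forwards only the two LANs through the tunnel and sends everything else out the remote site's local breakout, and it uses a constructed client address (203.0.113.10) in place of a real one.

```python
import ipaddress

# Constructed topology from the thread: HQ LAN and the RED site LAN are the
# split networks carried over the tunnel; anything else leaves the remote
# site through its local VDSL breakout (assumption about split mode).
SPLIT_NETWORKS = [ipaddress.ip_network("192.168.200.0/24"),
                  ipaddress.ip_network("192.168.201.0/24")]
UTM_INTERNAL = ipaddress.ip_address("192.168.200.1")  # "FW-Internal" in the thread
SERVER = ipaddress.ip_address("192.168.201.11")       # Server#1
CLIENT = ipaddress.ip_address("203.0.113.10")         # constructed public client


def red_path(dst):
    """Where the RED in standard/split mode sends a frame from the remote LAN."""
    if any(dst in net for net in SPLIT_NETWORKS):
        return "tunnel"
    return "local-breakout"


def simulate(translate_source):
    """Path taken by Server#1's reply for a DNAT rule on the UTM.

    translate_source=True models 'Translated Source' set to FW-Internal,
    so the server sees the UTM, not the internet client, as the sender.
    """
    src_seen_by_server = UTM_INTERNAL if translate_source else CLIENT
    reply_dst = src_seen_by_server          # the server answers whoever it saw
    path = red_path(reply_dst)
    # Only a reply that re-enters the tunnel can be un-NATed by the UTM and
    # matched to the client's original connection; a reply leaving via the
    # local breakout arrives from an address the client never talked to.
    return {"reply_to": str(reply_dst), "path": path,
            "reaches_client": path == "tunnel"}


if __name__ == "__main__":
    for flag in (False, True):
        print("translated source" if flag else "plain DNAT", simulate(flag))
```

The model only shows why the source translation is needed for a symmetric path; it cannot tell whether the NAT or firewall rule itself is configured correctly, which is what the first-reply advice below (ping the server from the UTM first) checks.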

  • Hello Sean,

    basic things first: the remote server has to be pingable from the firewall itself as the very first step.

    If this doesn't work: don't try to fix routing problems with NAT.

    Go through the chain the packet has to go - on its way to the server and then backwards. Check all involved systems, don't make assumptions.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • > Go through the chain the packet has to go - on its way to the server and then backwards. Check all involved systems, don't make assumptions.

    👌

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Maybe he doesn't need to switch to unified; he could just have a routing entry at that particular server to point at the gateway in his headquarters as the "internet gateway". So only this server would go that way and the others would use the local internet breakout (and thus save bandwidth).

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.