
Sophos XG blocking traffic from one local VM to another local VM (asymmetric routing issue?)

I have a problem with communication between two local machines that host two different web applications. 

When I try to connect from VM_3 to VM_2 using the command curl -I https://site.pl, I do not receive a response from VM_2. When I try to establish a connection from VM_3 to VM_1 using the command curl -I https://some.site.pl, I receive the expected response from the server. I tried to examine the network traffic between the machines while I curl them, and here are the results of my research:

From Advanced Shell on Sophos: 
conntrack -E -s 192.168.2.25 | grep 81.56.34.203 with no result (empty screen)
tcpdump -n -i Port1 src host 192.168.2.25 and dst host 81.56.34.203 and dst port 443 with this message

Port1, IN: IP 192.168.2.25.48218 > 80.87.34.203.443: Flags [S], seq 3632852470, win 64240, options [mss 1460,sackOK,TS val 143042738 ecr 0,nop,wscale 7], length 0

From Sophos Log Viewer:
Firewall Rule N/A, "Appliance Access" Denied, NAT Rule 0, Port1 <-> None, Src 192.168.2.25:59474 Dst 81.56.34.203:443

From Diagnostic-Packet Capture:
in=Port1, out=None, Src 192.168.2.25, Dst 81.56.34.203, ports[src,dst]=34800,443, natid=0, rulid=0, status=Violation, reason=Local_ACL

For these local servers and WAN interfaces I have identical rules in the Firewall and NAT section, except that in one case it works and in another case it doesn't.

My rules in Firewall section for different interfaces:

Name: Access to 81.56.34.206 
Source: Any zone, Any host
Destination: Any zone, #Port8
What: HTTP, HTTPS

Name: Access to 81.56.34.203 
Source: Any zone, Any host
Destination: Any zone, #Port5
What: HTTP, HTTPS

My rules in NAT section for different VMs:

[VM_1]

Name: Inbound 192.168.2.56; Source: Any host, Service: HTTP, HTTPS; Destination: Port8:81.56.34.206; Source:Original, Service: Original; Destination: 192.168.2.56; Inbound: Port2; Outbound: Any interface

Name: Loopback 192.168.2.56; Source: Any host, Service: HTTP, HTTPS; Destination: Port8:81.56.34.206; Source:MASQ, Service: Original; Destination: 192.168.2.56; Inbound: Any interface; Outbound: Any interface

Name: Outbound 192.168.2.56; Source: 192.168.2.56, Service: Any; Destination: Any; Source: 81.56.34.206, Service: Original; Destination: Original; Inbound: Any interface; Outbound: Any interface

[VM_2]

Name: Inbound 192.168.2.66; Source: Any host, Service: HTTP, HTTPS; Destination: Port5:81.56.34.203; Source:Original, Service: Original; Destination: 192.168.2.66; Inbound: Port2; Outbound: Any interface

Name: Loopback 192.168.2.66; Source: Any host, Service: HTTP, HTTPS; Destination: Port5:81.56.34.203; Source:MASQ, Service: Original; Destination: 192.168.2.66; Inbound: Any interface; Outbound: Any interface

Name: Outbound 192.168.2.66; Source: 192.168.2.66, Service: Any; Destination: Any; Source: 81.56.34.203, Service: Original; Destination: Original; Inbound: Any interface; Outbound: Any interface

My rules in SD-WAN section:
Incoming interface: Any
Source network: LAN_group_IP
Destination network: Internet IPv4 group
Services: Any
Primary gateway: WAN1
Selected "Route only through specified gateways"

P.S. The problem appeared after adding a new interface with a new address pool and creating a rule in the SD-WAN section.
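The diagnostic lines quoted above (packet capture with status=Violation, reason=Local_ACL and natid=0) are the key evidence: no NAT rule translated the packet, so the firewall treated the WAN address as its own and dropped the flow under appliance access control. The following script is an added example, not code from the thread or from Sophos; it parses capture lines in the format shown in the post and groups the Local_ACL drops by destination address and port, so that an administrator can see at a glance which public IP is missing a working hairpin path. The sample capture lines are constructed for this example (addresses from the thread, ports made up), and the regular expression assumes the field order shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the Sophos XG "Diagnostics > Packet capture" line format
# seen in the post. Only the first line is real in spirit; the rest are made up
# to show one allowed flow and a second blocked port on the same public IP.
SAMPLE_CAPTURE = """\
in=Port1, out=None, Src 192.168.2.25, Dst 81.56.34.203, ports[src,dst]=34800,443, natid=0, rulid=0, status=Violation, reason=Local_ACL
in=Port1, out=Port2, Src 192.168.2.25, Dst 81.56.34.206, ports[src,dst]=34801,443, natid=7, rulid=12, status=Allowed, reason=Firewall
in=Port1, out=None, Src 192.168.2.25, Dst 81.56.34.203, ports[src,dst]=34802,80, natid=0, rulid=0, status=Violation, reason=Local_ACL
"""

# Field order assumed from the line quoted in the post.
LINE_RE = re.compile(
    r"in=(?P<in>\S+), out=(?P<out>\S+), Src (?P<src>[\d.]+), Dst (?P<dst>[\d.]+), "
    r"ports\[src,dst\]=(?P<sport>\d+),(?P<dport>\d+), natid=(?P<natid>\d+), "
    r"rulid=(?P<rulid>\d+), status=(?P<status>\w+), reason=(?P<reason>\w+)"
)


def parse_capture(text):
    """Turn each capture line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "natid", "rulid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def local_acl_hits(records):
    """Return {dst_ip: [dst_ports]} for flows dropped by the appliance's local ACL
    without any NAT rule matching (natid=0): the signature of a missing or
    non-matching loopback (hairpin) NAT rule for that public address."""
    hits = defaultdict(set)
    for r in records:
        if r["status"] == "Violation" and r["reason"] == "Local_ACL" and r["natid"] == 0:
            hits[r["dst"]].add(r["dport"])
    return {dst: sorted(ports) for dst, ports in hits.items()}


if __name__ == "__main__":
    for dst, ports in local_acl_hits(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{dst}: no NAT match, dropped by Local_ACL on ports {ports}")
```

On a real box the input would be the saved output of the packet capture page rather than the constructed string; lines that the firewall formats differently are simply skipped.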

  • I assume you are connecting from the internal network to an outside IP address. For this to work you should have a Loopback NAT rule in place. You likely have this rule for the traffic from VM3 to VM1 but you may not have it for VM3 to VM2.

    And don't forget to also add a firewall rule to allow the traffic.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for the reply. I have a loopback rule for all local servers and I have a firewall rule too. Check it below.

     Additionally, I have inbound and outbound rules for these servers, which were described above in the post.
