
Forwarding non-standard ssh port to standard ssh port internal (remote SFTP Server)

Hi all,

# XG330

I have a project to set up an SFTP server to transfer data securely from a remote station to the SFTP server located in the DMZ (Head Office).
The server is installed, configured and integrated into the DMZ.
The remote client uses an SFTP tool to automatically transfer data with a configured task, using: ipaddr:non-standard port

So I created a DNAT rule as follows:

and I created the firewall rule as follows:

For more security the client will have to connect with a non-standard SFTP port; the FW will then have to do the port translation of the non-standard port
to the default SSH port, which is 22.
The first connection tests were not successful! Impossible to connect.
Is there anything I forgot?
Are there other particularities to take into account and adjust in the configuration?

thanks



  • Hi Sofos network,

    Please check and verify the traffic flow under MONITOR & ANALYZE || Diagnostics || Packet Capture, passing through the same firewall rule and NAT rule, together with the drop-packet capture.

    Also, start tcpdump on CLI and share the output for all three steps.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  •  

    I updated the config like:

    and 

    It works manually from the command line and with FileZilla.

    I just have a problem with the third-party SFTP client.

    I'm going to see why?

    Thanks
  • Please check the behaviour of the traffic with packet capture, tcpdump and drop packet; this will help you to check it in the right direction.

    "Sophos Partner: Networkkings Pvt Ltd".


  • Hi,

    Packet Capture output

    What does it mean?

  • Seems Service is off: you need to change the Source Port to 1:65335 to include the high ports. If the issue remains, please verify the service port you have added on the firewall rule and NAT rule.

    TEST by changing source WAN -> ANY - Destination LAN -> server IP - Service (TCP 1:65335 to SFTP port no.) -> any time -> log. Use a linked NAT rule and choose MASQ; I think it should automatically set up the correct interfaces.

    Please post the services object created here with tcpdump and drop packet if issue remains.

    "Sophos Partner: Networkkings Pvt Ltd".


  • Hi,

    The firewall rule should have the internal address as the destination.

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

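The point ian makes is the classic DNAT ordering pitfall: on Sophos Firewall the NAT rule translates the destination first, and the firewall rule is then matched against the translated packet, so a firewall rule written for the public IP and the non-standard port never matches. The following is an added example, not SFOS code or anything from this thread: a small Python model of a DNAT rule followed by a firewall rule, with constructed addresses (a TEST-NET public IP on port 2222, a DMZ host on port 22) and a constructed client address, showing the rule on the public IP/port dropping the session and the rule on the internal IP/port 22 accepting it. It also shows why a source restriction to the remote station's network is a cheap extra control.

```python
"""Added example (not SFOS code): how a DNAT rule and a firewall rule interact,
and why the firewall rule must match the post-translation address and port."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    """Translate traffic for orig_dst (public IP, non-standard port) to new_dst."""
    orig_dst_ip: str
    orig_dst_port: int
    new_dst_ip: str
    new_dst_port: int

    def apply(self, pkt):
        if (pkt.dst_ip, pkt.dst_port) == (self.orig_dst_ip, self.orig_dst_port):
            return replace(pkt, dst_ip=self.new_dst_ip, dst_port=self.new_dst_port)
        return None


@dataclass(frozen=True)
class FirewallRule:
    src_net: str      # "0.0.0.0/0" stands for "Any" on the WAN side
    dst_ip: str
    dst_port: int
    action: str       # "accept" or "drop"

    def matches(self, pkt):
        return (ip_address(pkt.src_ip) in ip_network(self.src_net)
                and (pkt.dst_ip, pkt.dst_port) == (self.dst_ip, self.dst_port))


def evaluate(pkt, dnat_rules, fw_rules):
    """DNAT runs first; the firewall rules then see the translated packet."""
    for rule in dnat_rules:
        translated = rule.apply(pkt)
        if translated is not None:
            pkt = translated
            break
    for rule in fw_rules:
        if rule.matches(pkt):
            return rule.action, pkt
    return "drop", pkt    # implicit default deny when nothing matches


# Constructed addresses: public WAN IP (TEST-NET-3) and a DMZ host.
WAN_IP, PUBLIC_PORT = "203.0.113.10", 2222
DMZ_IP, SSH_PORT = "172.16.10.5", 22
DNAT = [DnatRule(WAN_IP, PUBLIC_PORT, DMZ_IP, SSH_PORT)]

# Wrong: written against what the client sees, never what the rule engine sees.
WRONG_RULES = [FirewallRule("0.0.0.0/0", WAN_IP, PUBLIC_PORT, "accept")]
# Right: internal address and internal SSH port, as advised in the thread.
RIGHT_RULES = [FirewallRule("0.0.0.0/0", DMZ_IP, SSH_PORT, "accept")]
# Tighter: same, but only from the remote station's network (constructed).
RESTRICTED_RULES = [FirewallRule("198.51.100.0/24", DMZ_IP, SSH_PORT, "accept")]


def check(fw_rules, client_ip="198.51.100.7"):
    """Simulate the remote station's first SYN and return the verdict."""
    action, _ = evaluate(Packet(client_ip, WAN_IP, PUBLIC_PORT), DNAT, fw_rules)
    return action


if __name__ == "__main__":
    print("rule on public IP/port:", check(WRONG_RULES))        # drop
    print("rule on DMZ IP/port 22:", check(RIGHT_RULES))        # accept
    print("restricted, other source:", check(RESTRICTED_RULES, "192.0.2.9"))  # drop
```

When reading the drop-packet capture suggested earlier in the thread, this is the mismatch to look for: the captured packet will show the DMZ address and port 22 as the destination, not the public address and the non-standard port.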

  • And also the internal SSH port instead of the external one.

    PS: Changing the port used for SSH access does not increase security. It just keeps a small number of scripts from finding the SSH server, but your SSH access will still be found really quickly. Make sure to limit access as much as possible and use public/private key pairs to log on to the SSH server to really increase security.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.
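The two controls recommended in the post above, key-only authentication and restricting who may log in, live in the SFTP server's sshd_config rather than in the firewall. As an added example that is not part of this thread or of any Sophos product, the following Python script parses an sshd_config and reports whether those controls are present; both configuration samples in it are constructed, and the account name, chroot path and subsystem path are assumptions.

```python
"""Added example (not from the thread or Sophos): audit an sshd_config for
key-based authentication and restricted logins on an exposed SFTP server."""

# Constructed sample: a server that only moved the port and still takes passwords.
WEAK_CONFIG = """
# sshd_config (constructed sample)
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: the same server with the recommended controls in place.
HARDENED_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers sftp-remote
Subsystem sftp internal-sftp
Match User sftp-remote
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Return the global directives as {lowercase_keyword: value}.

    sshd uses the first occurrence of a keyword, so earlier lines win.
    Parsing stops at the first 'Match' block because directives inside it
    apply only to the matched users or hosts, not to the whole server.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the checked controls are present."""
    findings = []
    # OpenSSH defaults PasswordAuthentication to 'yes' when it is not set.
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password authentication is enabled; set PasswordAuthentication no")
    # Keyboard-interactive auth (older name: ChallengeResponseAuthentication) also defaults to 'yes'.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive authentication is enabled; set KbdInteractiveAuthentication no")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("public-key authentication is disabled; set PubkeyAuthentication yes")
    if cfg.get("permitrootlogin", "").lower() == "yes":
        findings.append("root may log in with any method; set PermitRootLogin no")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction; limit logins to the transfer account")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(text)) or ["ok"])
```

On a real host the same checks are best run against the effective configuration printed by `sshd -T`, which resolves defaults and included files; the parser above only reads the file text it is given.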

  • As per the requirement, instead of exposing ports over the WAN I would suggest using IPsec remote access or SSL VPN.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".
