
Unable to reach internal SFTP/SSH server externally.

Hello again all,

I have a bit of a head scratcher.

Background:

I've set up a Linux server to feed out the odd occasional file and large transfer to some of our customers/partners. At the moment, this was going to constitute just using OpenSSH running on Ubuntu, with no terminal/shell access for them. FTP Proxy is NOT used/on.

Issue:

Internal traffic comes in fine (IP), however external traffic (FQDN or IP) makes it as far as the firewall NAT rule and then "vanishes".

Setup:

Base Linux Server running OpenSSH with UFW enabled <==> Sophos UTM 9.707 (SNAT and DNAT rules enabled, with External IP tied to an interface) <==> Internal / External clients with Putty, WinSCP, FileZilla etc.

Where else can I check on the UTM to see what is blocking/preventing traffic from coming through?

Snaps:

Snip of FW log

Can ping Public IP from server:

UFW rules:

  • Hello Dave,

    the simplest thing to investigate is looking at the "Live Log" while trying to access your server from external.

    You might learn something you forgot to setup the right way ... I often do this and you always learn.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I mean this one here at Network protection / Firewall:


  • Hello Philipp!

    That is what I have done (along with even tailing the log from the terminal to make sure I didn't miss anything), as noted by the small snippet in my posting:

    I think the issue is after this portion.

    I'm beginning to think it is a "NAT translation" issue. On the UFW log, I see the rest come in to port 22 from my internal IP destined for the internal IP of the server. It is almost like something I experienced many, many, many years ago on a router at home, and I think the issue was called a hairpin turn? I'll either have to test from a PC not inside our network, to rule out the scenario, or find out how I mitigated it on my router and see if I can apply it to the UTM.

    Edit: clarified "translation" into "NAT translation" as I realized after it may have come across me meaning language.

  • This does/did appear to be hairpin related as I can successfully connect to the server from an outside client.
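As an added illustration (not code from the thread or from Sophos) of why a DNAT-only rule works for outside clients but "vanishes" for an internal client hitting the public IP, the toy model below walks a SYN/SYN-ACK pair through the firewall with and without SNAT on the hairpin path (the DNAT+SNAT combination the UTM calls Full NAT). All addresses are constructed sample values, and source ports are ignored.

```python
# Toy model of the hairpin (NAT reflection) problem described in the thread.
# Addresses are constructed sample values; ports are omitted for brevity.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: UTM external address (DNAT target)
FW_LAN_IP = "192.168.1.1"    # constructed: UTM internal address (LAN gateway)
SERVER_IP = "192.168.1.50"   # constructed: internal SFTP/SSH server
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Firewall:
    """DNAT public IP -> server; optionally SNAT LAN sources on that same path."""
    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        self.conntrack: Dict[Tuple[str, str], Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst != PUBLIC_IP:
            return pkt
        src = pkt.src
        if self.hairpin_snat and pkt.src.startswith(LAN_PREFIX):
            src = FW_LAN_IP          # Full NAT: server now sees the firewall, not the client
        out = Packet(src, SERVER_IP)
        # Remember the translation so the matching reply can be un-NATed.
        self.conntrack[(out.dst, out.src)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        orig = self.conntrack.get((reply.src, reply.dst))
        return Packet(orig.dst, orig.src) if orig else None

def ssh_handshake(client_ip: str, hairpin_snat: bool) -> bool:
    """True if the client's SYN to PUBLIC_IP gets back a SYN-ACK it will accept."""
    fw = Firewall(hairpin_snat)
    syn = fw.forward(Packet(client_ip, PUBLIC_IP))
    syn_ack = Packet(SERVER_IP, syn.src)        # server answers whatever source it saw
    on_lan = syn_ack.dst.startswith(LAN_PREFIX) and syn_ack.dst != FW_LAN_IP
    if not on_lan:
        # Off-LAN or firewall-addressed replies route via the UTM, which un-NATs them.
        syn_ack = fw.reverse(syn_ack)
    # The client's socket expects the SYN-ACK from PUBLIC_IP; a reply straight from
    # the server's private IP does not match and is silently dropped.
    return syn_ack is not None and syn_ack.src == PUBLIC_IP and syn_ack.dst == client_ip
```

Running `ssh_handshake` for an outside client succeeds with or without hairpin SNAT, while an internal client only succeeds when the LAN source is also translated, which matches the behaviour reported in the thread.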