
DNAT Issue? Can't Replicate VPN Connection.

Hi all,

We're currently in the middle of transferring everything across from our old IPCop server to the Sophos UTM (in the hopes of retiring IPCop). 

I've copied across the DNAT rules (with automatic firewall rules), put in the static routes and have ensured our public-facing router is configured correctly. 

However, we're unable to connect to our customer VPNs. From their perspective, they just need to open up their end to our public-facing router, which is what they've done. But from ours we need to ensure traffic from our UTM is being directed to the correct locations. 

I'm currently testing out one of the VPN connections but none of them are currently working. I've reduced the test to one specific server we often RDP to and have tested it's working on my PC (using the old connection we're trying to replace). On the new connection however, I'm unable to connect to it. I've checked the firewall log and can see the NAT rule I've placed - it shows traffic from the test laptop (which has the UTM set as the default gateway) going to the internal IP address we have for their server (DNS is managed by our Domain Controller). The DNAT rule says any internal traffic (10.1.0.0/21) using Any service going to the internal IP address we have for their server (10.1.130.x) should be changed to an IP on the customer's VPN address (i.e. 192.168.1.x).

We then have a static route saying all traffic for the customer's VPN network is to be routed to our public-facing router. I've then simply added our UTM onto the policies already established so the traffic should be passing from our router into the VPN tunnel. 

The only place I can think it's failing is the DNAT rule. I don't actually see anything in the log file that suggests the IP 10.1.130.x has changed to 192.168.1.x. And once the IP has been changed by the DNAT rule, do I need to do anything else to ensure it is forwarded to our public-facing router (like another firewall rule saying to allow traffic from 192.168.1.x to the public-facing router)? 

Below is a rough networking diagram to show the set-up. 

Any help would be greatly appreciated :) 

Regards,

Rob




  • Hi,

    Here's the DNAT screenshot (note: it has been edited to match the IPs of the original post as I didn't feel comfortable posting the true IPs).

    I can confirm the traffic does reach the UTM. 

    I've also run a tracert from the UTM and it seems the DNAT is working (running a tracert to 10.1.130.x). 

  • Hi Rob,

    Unless the traffic reaches the UTM, none of the configuration will work. Check the routing configuration before taking any further steps on the UTM. Also, the DNAT configuration is incorrect: in the "For traffic from" field it should be ANY or the External IP address, and in the "Going to" field it should be the WAN interface (address), generally External (address).

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Rob, I see several things in your configuration that just don't sound "right" to me.  There's no reason you should need routes or NAT rules if you've properly defined the VPNs.

    If there's something unique about your situation that really does require a NAT rule, it must be a Full NAT instead of a DNAT (this is the same routing issue as with Accessing Internal or DMZ Webserver from Internal Network).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
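Bob's point that a plain DNAT breaks in this topology while a Full NAT does not comes down to the reply path: the router hands the customer's reply straight back to the client on the shared LAN, so it never passes the UTM that rewrote the packet. The small model below is an added example, not configuration from the thread; the client, UTM and router addresses and the alias/real pair are assumed.

```python
from dataclasses import dataclass

# Constructed topology (assumed): the UTM is the client's default gateway and
# sits on the same LAN (10.1.0.0/21) as the public-facing router that holds the VPN.
CLIENT, UTM_LAN, ROUTER_LAN = "10.1.0.10", "10.1.0.1", "10.1.0.254"
ALIAS, REAL = "10.1.130.5", "192.168.1.20"   # internal alias -> real customer host


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


def in_lan(ip: str) -> bool:
    """True for 10.1.0.0/21 (10.1.0.0 - 10.1.7.255)."""
    o = ip.split(".")
    return o[0] == "10" and o[1] == "1" and int(o[2]) < 8


def utm_forward(pkt: Pkt, full_nat: bool, conntrack: dict) -> Pkt:
    """UTM NAT rule: rewrite the destination (DNAT) and, for Full NAT, the source too."""
    if pkt.dst == ALIAS and in_lan(pkt.src):
        new = Pkt(UTM_LAN if full_nat else pkt.src, REAL)
        conntrack[(new.dst, new.src)] = pkt          # remember how to undo the rewrite
        return new
    return pkt


def utm_reverse(pkt: Pkt, conntrack: dict) -> Pkt:
    """Undo the translation for a reply that actually came back through the UTM."""
    orig = conntrack.get((pkt.src, pkt.dst))
    return Pkt(orig.dst, orig.src) if orig else pkt


def simulate(full_nat: bool) -> dict:
    conntrack = {}
    out = utm_forward(Pkt(CLIENT, ALIAS), full_nat, conntrack)  # client -> UTM -> router
    # The customer host answers whatever source address it saw in the request.
    reply = Pkt(REAL, out.src)
    # The router delivers a reply addressed to the LAN directly; only a reply
    # addressed to the UTM itself goes back through the NAT state.
    via_utm = reply.dst == UTM_LAN
    if via_utm:
        reply = utm_reverse(reply, conntrack)
    return {
        "reply_via_utm": via_utm,
        "reply_src_seen_by_client": reply.src,
        # the client opened a session to ALIAS, so a reply from anything else is dropped
        "client_accepts": reply.src == ALIAS and reply.dst == CLIENT,
    }
```

With DNAT only, the client receives a reply from 192.168.1.20 for a session it opened to 10.1.130.5 and discards it; with Full NAT the reply is addressed to the UTM, which restores both addresses.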
  • Hi Bob,

    The VPNs are hosted on the external router - not the UTM. The UTM is simply a gateway for our internal network which should then forward the VPN connections by DNAT to the router. This is exactly the way we have it configured on our IPCop server and all the rules mentioned for the UTM seem to be working as I checked the traffic logs on our router. The only difference at this stage is that the IPCop connection is receiving packets, whilst the UTM connection isn't. 

    It may be a problem with the router set-up or there may be something our customers have to configure, but I wouldn't have thought so considering it's the same endpoint as far as they can see. 

  • OK, I understand the topology now.  My guess is that your DNAT violates #4 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It turns out my understanding of our own network was not correct and the VPN endpoint was on another device. Thankfully, everything was set-up correctly on our end - we just needed to update our customers! Thanks for the help :)