This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Cluster SG210 - NAT Regel funktioniert nicht mehr

Hallo,

Firmwareversion: 9.707-5

wir haben 2 Sophos SG210 im Einsatz und seit einiger Zeit habe ich festgestellt, dass mindestens eine NAT Regel nicht mehr funktioniert und zwar die Regel lautet so:

Any

TCP Port 2083 - Zielport 2083 - Quellport 1:65535

WAN Adresse

Server

TCP Port 2083 - Zielport 2083 - Quellport 1:65535

Automatische Firewallregel ist aktiv.

Ich habe die Regel sogar manuell angelegt aber hat auch nichts gebracht.

Der Log Protokoll sagt folgendes:

14:45:14 Standard-VERWERFEN TCP  
95.130.160.139 : 17681
213.95.82.36 : 2083
 
[ACK RST] len=52 ttl=56 tos=0x00 srcmac=78:19:f7:40:af:f0 dstmac=00:1a:8c:f0:bf:c1

IPS habe ich auch ausgeschalten, hat aber auch nichts gebracht.

Ich komme einfach nicht weiter.

Hat jemand eine Idee ?

Wäre dankbar

Danke im Voraus.



This thread was automatically locked due to age.
Parents
  • That's confusing, Arnold.  What do those IPs represent?

    fwrule="60001" means the packet was blocked inbound to the dstip.  I would guess that this means you need another NAT rule or {UDP .:65535->12222} added to an existing one.  See #4 in Rulz (last updated 2021-02-16).

    "60002" means the packet was blocked out of the FORWARD chain.  That is, you probably have a NAT rule that doesn't have automatic firewall rule enabled and you need a firewall rule.

    MfG - Bob (Bitte auf Deutsch weiterhin.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The mark is placed to automatic firewall rule and it worked this way for about 3 years and now it stopped working and I don't know why.

    https://forcesync.forcenet.de/index.php/s/8C8e3KA296PJspg

    Password: bWyY4jxP

    Here some screenshots with the rule.

  • The ExtremeCloud server is in our datacenter and with this server we are managing the access points for our customers, port 2083 TCP is used by RADIUS and the port 12222 UDP is used in order to establish the capwap connection with the server, if this port doesn't function then I can't manage any of them. These incoming IPs are the access points trying to access the port on the server, my presumption is that the port UDP 12222 is being blocked and that's the cause for the timeout with the port 2083 because if the port 12222 is unable to establish the connection to the ExtremeCloud server then the RADIUS can't access the database in order to retrieve credentials from NPS server.

Reply
  • The ExtremeCloud server is in our datacenter and with this server we are managing the access points for our customers, port 2083 TCP is used by RADIUS and the port 12222 UDP is used in order to establish the capwap connection with the server, if this port doesn't function then I can't manage any of them. These incoming IPs are the access points trying to access the port on the server, my presumption is that the port UDP 12222 is being blocked and that's the cause for the timeout with the port 2083 because if the port 12222 is unable to establish the connection to the ExtremeCloud server then the RADIUS can't access the database in order to retrieve credentials from NPS server.

Children
  • Please show pictures of the Edits of the related NAT rule(s).

    MfG - Bob (Bitte auf Deutsch weiterhin.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hallo,

    oben habe ich Euch einen Link geteilt, da gibt es Fotos mit der NAT Regel, reicht das ?

    Danke.

  • besser wäre es, die Bilder hier einzufügen.

    Stelle mal in der NAT Regel unter advanced ein, dass die initialen Pakete geloggt werden sollen.

    Wie sieht das jetzt im LiveLog aus?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Der Haken war gesetzt als ich die Logs aufgerufen habe.

  • Hallo Arnold,

    I use a Sandboxie sandbox for all external links.  We can't know if that external site is properly protected. The only malware I've gotten in over 10+ years was from an external link to a picture in this forum over 5 years ago.  As Dirk said, "besser wäre es, die Bilder hier einzufügen."

    Everything in that link looks good, but I didn't see a rule for 2883 TCP.

    MfG - Bob (Bitte auf Deutsch weiterhin.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA