
Sophos Cluster SG210 - NAT Rule not working

Hello,

I already posted yesterday in the German forum regarding a NAT rule that is not working anymore.

We have a Sophos cluster SG210 in production with the latest version 9.707-5 on it.

The NAT rule is:

Any

TCP 2083 - destination port 2083 source port 1:65535

WAN Address

Server IP

TCP 2083 - destination port 2083 source port 1:65535

The firewall rule is automatically created by the NAT rule. I've tried to disable IPS, Advanced Threat Protection and so on but nothing seems to work.

This is the error:

08:16:58 Standard-VERWERFEN TCP 95.130.160.139 : 25117 213.95.82.36 : 2083 [ACK RST] len=52 ttl=56 tos=0x00 srcmac=78:19:f7:40:af:f0 dstmac=00:1a:8c:f0:bf:c1

Any help or tip would be appreciated.

Thanks



This thread was automatically locked due to age.
  • FormerMember

    Hi Arnold, Thanks for reaching out to Sophos Community.

    Can you share a snapshot of the NAT rule that is configured? Also take a tcpdump on the source IP from where you're trying to access Port 2083 on the public IP.

    • tcpdump -nei any host x.x.x.x (where x.x.x.x is the source machine's public IP)

    Also, try to check packetfilter.log --> tail -f /var/log/packetfilter.log | grep -i x.x.x.x (x.x.x.x is source public IP) and then try to access the port on public IP.

    Ensure that Log Initial packets is enabled in the NAT rule.

  • Hallo Arnold,

    As Devish requested, a picture of the Edit of the rule is more likely to help us help you.

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the full log line corresponding to the one above.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.  Devish's elegant Linux command will get such a line for you if you do the new attempt he suggests.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
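
For anyone preparing a log line to post, here is one way to apply the obfuscation patterns suggested above (84.XX.YY.121, 10.X.Y.100, 192.168.X.200, 172.2X.Y.51) automatically. This is an added example, not part of the original thread or any Sophos tool; the names `mask_ip` and `obfuscate` are hypothetical, and the second sample line is constructed.

```python
import ipaddress
import re

# Candidate dotted quads; real validation is done by ipaddress below.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")

NET_10 = ipaddress.ip_network("10.0.0.0/8")
NET_172 = ipaddress.ip_network("172.16.0.0/12")
NET_192 = ipaddress.ip_network("192.168.0.0/16")


def mask_ip(match):
    """Mask one IPv4 address, keeping enough to tell local from public
    and to compare last octets, as in the patterns from the thread."""
    a, b, _c, d = match.groups()
    try:
        ip = ipaddress.ip_address(match.group(0))
    except ValueError:
        return match.group(0)  # e.g. 999.1.1.1: not an address, leave as is
    if ip in NET_192:
        return f"192.168.X.{d}"
    if ip in NET_172:
        return f"172.{b[0]}X.Y.{d}"  # keep the tens digit: 172.2X.Y.51
    if ip in NET_10:
        return f"10.X.Y.{d}"
    return f"{a}.XX.YY.{d}"  # everything else, including public addresses


def obfuscate(text):
    """Return text with every IPv4 address masked; MAC addresses,
    ports and version strings such as 9.707-5 are not touched."""
    return IPV4.sub(mask_ip, text)


if __name__ == "__main__":
    # First line is the Live Log entry from the question; the second is constructed.
    samples = [
        "08:16:58 Standard-VERWERFEN TCP 95.130.160.139 : 25117 "
        "213.95.82.36 : 2083 [ACK RST] len=52 ttl=56 tos=0x00",
        "constructed: 10.1.2.100 -> 192.168.7.200 via 172.20.3.51 (UTM 9.707-5)",
    ]
    for line in samples:
        print(obfuscate(line))
```

The masking is one-way and loses the middle octets, so keep the unmodified log line locally in case someone asks for a comparison the masked form cannot answer.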