
Let's Encrypt - Default Drop when NAT to internal

We recently changed ISPs and I haven't been able to renew the Let's Encrypt cert for UTM sophos.mydomain.com. I cloned all the rules and added new interfaces, and the migration to the new ISP went flawlessly.

I have a NAT rule I turn on when it's time to renew the LE cert:

DNAT [Sophos SSL Let's Encrypt Renewals]

Traffic selector: Any → HTTP (80) → External [Sophos] (Address)

Destination translation: Internal (Address)

Automatic firewall rule: checked

Using Port Query, I can see it is applying NAT to the External IP; however, it is dropping access to the internal destination on port 80.

    14:41:29  NAT rule #1   TCP  My.remote.IP:10664 → External [Sophos] (Address):80  [SYN] len=52 ttl=115 tos=0x00

    14:41:29  Default DROP  TCP  My.remote.IP:10664 → 192.168.1.1:80  [SYN] len=52 ttl=115 tos=0x00

Any idea why it would be dropping the internal address?

Sophos UTM 9.703-3

Appreciate the help!
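As an added example (not part of the original post and not a Sophos tool), the following Python script parses live-log lines in the flattened shape shown above (timestamp, rule or verdict, protocol, source:port, destination:port, flags) and pairs each "NAT rule" entry with the entry that follows it for the same flow. The DNAT entry records the packet before translation; the next entry for the same source IP, port and timestamp shows the translated destination together with the filter verdict that was applied to it, so a "Default DROP" there means the translation happened but no firewall rule permitted traffic to the translated address. The column layout, the "->" separator and the sample addresses (documentation ranges) are constructed assumptions, not the poster's real data.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the flattened form the WebAdmin live log shows.
# Addresses are documentation ranges (203.0.113.0/24, 198.51.100.0/24), not
# the poster's real IPs. Flow 10664 is translated and then dropped by the
# default policy; flow 10665 is translated and then accepted by a rule.
SAMPLE_LOG = """\
14:41:29  NAT rule #1   TCP  203.0.113.10:10664 -> 198.51.100.5:80  [SYN] len=52 ttl=115 tos=0x00
14:41:29  Default DROP  TCP  203.0.113.10:10664 -> 192.168.1.1:80  [SYN] len=52 ttl=115 tos=0x00
14:41:31  NAT rule #1   TCP  203.0.113.10:10665 -> 198.51.100.5:80  [SYN] len=52 ttl=115 tos=0x00
14:41:31  Rule #3       TCP  203.0.113.10:10665 -> 192.168.1.1:80  [SYN] len=52 ttl=115 tos=0x00
"""

# Assumed column layout: ts, rule/verdict (lazy so it can contain spaces),
# protocol, src:port, "->", dst:port, then the TCP flags in brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<rule>.+?)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\w.-]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.-]+):(?P<dport>\d+)"
    r"\s+\[(?P<flags>[^\]]*)\]"
)


@dataclass
class Entry:
    ts: str
    rule: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Finding:
    ts: str
    nat_rule: str
    original_dst: str    # destination before DNAT (the external address)
    translated_dst: str  # destination after DNAT (the internal host)
    dport: int
    verdict: str         # rule name or "Default DROP" applied after translation


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable line; blank or unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(Entry(g["ts"], g["rule"], g["proto"], g["src"],
                             int(g["sport"]), g["dst"], int(g["dport"]),
                             g["flags"]))
    return entries


def correlate_dnat(entries: List[Entry]) -> List[Finding]:
    """Pair each DNAT entry with the next non-NAT entry for the same flow.

    Same flow here means same timestamp, protocol, source IP and source port.
    The paired entry carries the translated destination and the verdict."""
    findings = []
    for i, e in enumerate(entries):
        if not e.rule.startswith("NAT rule"):
            continue
        for follow in entries[i + 1:]:
            same_flow = (follow.ts == e.ts and follow.proto == e.proto
                         and follow.src == e.src and follow.sport == e.sport
                         and not follow.rule.startswith("NAT rule"))
            if same_flow:
                findings.append(Finding(e.ts, e.rule, e.dst, follow.dst,
                                        follow.dport, follow.rule))
                break
    return findings


def dropped_after_dnat(entries: List[Entry]) -> List[Finding]:
    """Only the flows that were translated and then hit a DROP verdict."""
    return [f for f in correlate_dnat(entries) if "DROP" in f.verdict.upper()]


if __name__ == "__main__":
    for f in dropped_after_dnat(parse_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.nat_rule}: {f.original_dst}:{f.dport} -> "
              f"{f.translated_dst}:{f.dport} then '{f.verdict}' "
              f"(no rule allows traffic to the translated destination)")
```

The correlation only tells you where the packet stopped (after translation, at the default policy), not why the renewal itself fails; in this thread the underlying cause turned out to be unrelated to the packet filter. It is still a quick way to confirm, from the live log, whether an automatic firewall rule is actually being applied to the translated destination.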

  • Hello Samson,

    Thank you for contacting the Sophos Community!

    Maybe I am confused, but why do you have a DNAT rule for the Let's Encrypt certificate? Let's Encrypt needs to read your WAN interface FQDN name. 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for your response! It actually made me think about it and I realized I made a stupid mistake. It has been a while and I forgot the LE cert was bound to a specific interface.

    The old LE cert had the old interface specified. I'm not sure how I missed that. It's kind of like when I can't find that thing in the drawer and it's right in front of my face!

    I simply needed to create a new LE cert on the new, correct interface, change the cert settings under WebAdmin and User Portal, and delete the old one.
