
External and internal NAT for different ports

Hello guys,

I am trying to create a DNAT rule for a server based in a DMZ network. We have a wifi controller in the DMZ which Access Points from different onsite and offsite locations connect to through two different ports over WAN. I managed that with a DNAT rule from external and a DNS entry on our domain controller which points to the public IP in the DMZ (works fine).

Now we got the requirement that the web UI port 8443 is only accessible from the internal network and not externally. But the port seems to be blocked (default drop, if I read the logs correctly). I have now tried everything I can imagine with Full NAT/DNAT and firewall rules. It seems like it doesn't use the NAT rules, because in the logs the default drop says the source is the internal server IP from where I tested it and the destination is the public IP (where normally the DMZ server address should be).

Do you guys have an idea?

Thanks in advance.

Kind regards,

Matthias

  • OK, I see. I can only think of a provider that blocks "unusual" ports like 8443...

    Does anybody else have an idea?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp,

    here is the screenshot: 

    Thanks in advance.

    Kind regards,

    Matthias

  • Hello Matthias,

    Again: can you please check your settings, or post an (edited) screenshot of "Management/User Portal/Advanced/Network settings"?

    You can't test with telnet if the service is using SSL encryption.

    And, believe me: these "web-service" ports are active on every additional address when you allow that HW interface for access.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp,

    I double-checked it. We use port 55555 for WebAdmin, port 4446 for the User Portal and 443 for SSL VPN. Yes, the static IP addresses are set up as "additional addresses". But why should a port that we use on one of these addresses also be used on the other ones? We chose different interface addresses for the services; for SSL VPN, for example, we use "WAN .147" because it is 443 and we use it with other addresses too (for other services).

    I also checked it with telnet. It can't connect on 8443, which means there is nothing configured, or?

    Here are the screenshots: 

    Kind regards,

    Matthias

  • Hello Matthias,

    I am not quite sure about this, if I got it right...

    Can you check your settings, or post an (edited) screenshot of "Management/User Portal/Advanced/Network settings"?

    Or maybe you use this port for SSL VPN?

    Info: if you have one physical LAN port going to "WAN" and your "range of static IPv4 addresses" is set up with "additional addresses", then a port you use for one of these services is in use on ANY of these additional IP addresses as well.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp,

    thanks for your answer. I can confirm that the port is not in use. We have a range of static IPv4 addresses, and the one I used for the wifi controller isn't in use for anything except the two ports I mentioned.

    Kind regards,

    Matthias

  • Hello Matthias,

    Spontaneous idea: the port is used by one of the (web) services on the firewall itself.

    I usually use 8443 for the "User Portal"; can you check this?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.