
Hairpin routing NAT

I'm hairpin routing off my Internal interface between 2 subnets and can ping but not RDP.  When I RDP from 10.10.39.138 to 192.168.25.21 I only see return traffic in the logs.

13:51:45         Suspicious TCP state          TCP          192.168.25.21:51485→ 10.10.39.138:52438          [ACK RST]          len=40          ttl=127          tos=0x00          srcmac=00:03:47:71:5d:3d          dstmac=00:15:17:24:aa:30    

Any suggestions?  Something with NAT perhaps?


  • Hi, Tim, and welcome to the User BB!

    Alone among Live Logs, the Firewall Live Log presents limited information in a more-readable format.  It's not much good for analysis though, so please post the same line from the full log file.

    If you have a NAT rule for this, please [Go Advanced] below and attach a picture of it.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
• There is no NAT rule for this, although I'm sure I need one.

    2013:06:11-08:21:13 fwall ulogd[3368]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" initf="eth0" outitf="eth0" dstmac="00:15:17:24:aa:30" srcmac="00:03:47:71:5d:3d" srcip="192.168.25.21" dstip="10.10.39.138" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="3389" dstport="51503" tcpflags="ACK SYN" 

    2013:06:11-08:21:15 fwall ulogd[3368]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" initf="eth0" outitf="eth0" dstmac="00:15:17:24:aa:30" srcmac="00:03:47:71:5d:3d" srcip="192.168.25.21" dstip="10.10.39.138" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="3389" dstport="51503" tcpflags="ACK SYN" 

    2013:06:11-08:21:23 fwall ulogd[3368]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" initf="eth0" outitf="eth0" dstmac="00:15:17:24:aa:30" srcmac="00:03:47:71:5d:3d" srcip="192.168.25.21" dstip="10.10.39.138" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="3389" dstport="51503" tcpflags="ACK SYN"
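    As an added example (not code from the thread or from Sophos), a small Python check that parses ulogd packetfilter lines like the ones above and flags "strict TCP state" drops of SYN/ACK replies whose inbound and outbound interface are the same, the pattern a hairpin path leaves when the firewall never tracked the client's SYN and the server's reply is the first packet it sees. The first two sample lines are Tim's; the third is a constructed control line.

```python
import re
from collections import Counter

# Sample lines: the first two are the ulogd "strict TCP state" drops posted
# above; the third is a constructed control line (not from the thread) for a
# packet that enters on one interface and leaves on another.
SAMPLE_LOG = """\
2013:06:11-08:21:13 fwall ulogd[3368]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" initf="eth0" outitf="eth0" dstmac="00:15:17:24:aa:30" srcmac="00:03:47:71:5d:3d" srcip="192.168.25.21" dstip="10.10.39.138" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="3389" dstport="51503" tcpflags="ACK SYN"
2013:06:11-08:21:15 fwall ulogd[3368]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" initf="eth0" outitf="eth0" dstmac="00:15:17:24:aa:30" srcmac="00:03:47:71:5d:3d" srcip="192.168.25.21" dstip="10.10.39.138" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="3389" dstport="51503" tcpflags="ACK SYN"
2013:06:11-08:30:00 fwall ulogd[3368]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" initf="eth1" outitf="eth0" srcip="203.0.113.9" dstip="10.10.39.138" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="443" dstport="40001" tcpflags="ACK RST"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split a ulogd packetfilter line into its timestamp and key="value" fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields

def is_hairpin_reply_drop(f):
    """Heuristic (an assumption of this example, not a Sophos rule): a SYN/ACK,
    i.e. the server's handshake reply, rejected by 'strict TCP state' with the
    same inbound and outbound interface. The firewall holds no tracked SYN for
    it, which is what hairpin traffic looks like when the client's SYN reached
    the server without crossing the firewall."""
    flags = set(f.get("tcpflags", "").split())
    return (f.get("name") == "strict TCP state"
            and f.get("proto") == "6"
            and {"SYN", "ACK"} <= flags
            and f.get("initf") == f.get("outitf"))

def find_hairpin_candidates(log_text):
    """Return {(server_ip, server_port, client_ip, client_port): count} so that
    retransmitted replies of one flow collapse into a single entry."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if is_hairpin_reply_drop(f):
            hits[(f["srcip"], f["srcport"], f["dstip"], f["dstport"])] += 1
    return hits

if __name__ == "__main__":
    for (sip, sport, dip, dport), n in find_hairpin_candidates(SAMPLE_LOG).items():
        print(f"{dip}:{dport} -> {sip}:{sport}: {n} SYN/ACK replies dropped; "
              f"the outbound SYN was never tracked, check routing/NAT for this path")
```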