External access from DMZ

Maybe this will point you in the right direction

https://community.sophos.com/kb/en-us/115191

Hi,

looks like the firewall rule is not matching.

Is the subnet 192.168.20.xx your "WAN" subnet? If yes, you don't need MASQ because you can route between this subnets with the UTM.

Please post a screenshot of your interfaces and the firewall rule. It will help us to help you.

Jas

192.168.2.x network is located within WAN-Subnet?

please post the MASQ and Firewall-rule.

"I have created a MASQ rule DMZ to WAN."

I don't understand how that relates to accessing the Internal network from the DMZ.

"Also created firewal rule DMZ -> any service to WAN."

Please insert a picture of this rule open in Edit.  Again, I don't understand how that relates to accessing the Internal network from the DMZ.

Cheers - Bob

Hello All,

Thank you fro quick reply.

What I wanted to do is, my server in DMZ must be able to access a dedicated server in WAN side.

Simply speaking 10.10.10.15->any port-> 192.168.20.254-> port 80

My WAN subnet = 192.168.20.0/24

My Internal Subnet = 192.168.1.0/24

My DMZ Subnet = 10.10.10.0/24

DMZ-metas is 10.10.10.15 ?

.. your first post shows 10.10.10.4 dropped.

As Dirk points out below, I wasn't "seeing" the topology.  Jacob's #15 is correct as written.

Firewall rule 15 should have a Traffic Selector of 'DMZ-metas -> Any -> Internet'.

Cheers - Bob

Hi Jenson,

You need a Full NAT to reach the server. Can you configure a Full NAT policy referring the suggested KBA by rsenio in the first answer to this question. Show us the screenshots after configuring it.

Thanks

Hi Bob,

the destination server (192.168.20.21) reside within Subnet "external (WAN) Network" (192.168.20.0/24) 

So the destination of this rule should be OK ... i think ... i am false?

Hi sachingurung,

I don#t understand why full-nat should be necessary.

Can you give me some hints please?

Thanks