
Can't connect to port 143 on external host

Hi all,

 

I have a Sophos XG with SFOS 17.5.8 MR-8, and everything is at the defaults.

I have one NAT rule for all hosts/ports to go out to the WAN.

My issue is that I have an internal host, an IoT device, that needs to communicate with port 143 on the WAN and it's not able to. I see the packet being accepted in the logs but no reply from the target. Checked with tcpdump on another host trying telnet to the same target, and no replies are getting in.

Tested without Sophos and it works. I can't see any traffic being denied anywhere.

How can I find out in which layer it's being rejected?

Thanks



  • Hi  

    Please check which IP has been assigned to IoT device and follow the below steps.

    1. Create a Source IP based firewall rule and do not apply any scanning and allow all the traffic and check, please put the rule on top. 

    2. Now replicate the scenario and apply policies and scanning to the same firewall rule we have created above and check the traffic.

    3. Capture drop packets- https://community.sophos.com/kb/en-us/127111

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    If a post solves your question use the 'This helped me' link

  • Hi Keyur,

     

    Just did what you said, created a firewall rule

    drop-packet-capture 'host "IP"' shows nothing

    Firewall log:

    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="185" fw_rule_id="15" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="PortA" out_interface="PortB" src_mac="00:00:00:00:00:00" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="yyy.yyy.yyy.yyy" dst_country="ITA" protocol="TCP" src_port="53598" dst_port="143" packets_sent="7" packets_received="0" bytes_sent="420" bytes_received="0" src_trans_ip="zzz.zzz.zzz.zzz" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1825802392" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

     

    And I can't connect.

     

    Thanks
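The firewall entry quoted above is the key to the thread: the rule says "Allowed", yet packets_sent="7" and packets_received="0", so the SYNs left the firewall and nothing ever came back. An "Allowed" line therefore does not prove end-to-end reachability; it only proves the rule decision. The following script is an added example, not code from the thread or from Sophos: it parses the XG key="value" log format, filters by fw_rule_id (the log viewer filter suggested later in the thread), and flags allowed connections that were stopped without a single reply packet. The log lines are constructed for the example; the first mirrors the shape of the quoted entry with the IPs replaced by RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the Sophos XG key="value" log format (not real traffic).
# Line 1 mirrors the entry quoted in the thread (allowed, 7 sent, 0 received on port 143),
# line 2 is a healthy connection for contrast, line 3 is a denial by rule 0.
SAMPLE_LOG = """\
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="185" fw_rule_id="15" in_interface="PortA" out_interface="PortB" src_ip="192.0.2.10" dst_ip="198.51.100.20" protocol="TCP" src_port="53598" dst_port="143" packets_sent="7" packets_received="0" bytes_sent="420" bytes_received="0" src_zone="LAN" dst_zone="WAN" con_event="Stop" con_id="1825802392"
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="12" fw_rule_id="15" in_interface="PortA" out_interface="PortB" src_ip="192.0.2.10" dst_ip="198.51.100.30" protocol="TCP" src_port="40211" dst_port="443" packets_sent="9" packets_received="8" bytes_sent="1300" bytes_received="5200" src_zone="LAN" dst_zone="WAN" con_event="Stop" con_id="1825802393"
messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id="0" src_ip="192.0.2.11" dst_ip="198.51.100.20" protocol="TCP" src_port="50000" dst_port="143" packets_sent="1" packets_received="0" bytes_sent="60" bytes_received="0" src_zone="LAN" dst_zone="WAN" con_event="Start" con_id="1825802394"
"""

# One key="value" pair; values in this format contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def filter_rule(entries: List[Dict[str, str]], rule_id: str) -> List[Dict[str, str]]:
    """Equivalent of the log viewer filter on a firewall rule id."""
    return [e for e in entries if e.get("fw_rule_id") == rule_id]


def silent_failures(entries: List[Dict[str, str]],
                    dst_port: Optional[int] = None) -> List[Dict[str, str]]:
    """Allowed connections that ended without a single reply packet.

    That pattern means the drop happened after the rule decision (on the
    return path, upstream, or at the target), which is why "Allowed" in the
    log does not show the connection actually worked.
    """
    out = []
    for e in entries:
        if e.get("status") != "Allow" or e.get("con_event") != "Stop":
            continue
        if dst_port is not None and e.get("dst_port") != str(dst_port):
            continue
        sent = int(e.get("packets_sent", "0"))
        received = int(e.get("packets_received", "0"))
        if sent > 0 and received == 0:
            out.append(e)
    return out


def summarize(e: Dict[str, str]) -> str:
    """One-line triage summary for an entry returned by silent_failures()."""
    return (f"rule {e['fw_rule_id']}: {e['src_ip']}:{e['src_port']} -> "
            f"{e['dst_ip']}:{e['dst_port']}/{e['protocol']} allowed, "
            f"{e['packets_sent']} sent / {e['packets_received']} received "
            f"over {e['con_duration']}s")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in silent_failures(filter_rule(entries, "15"), dst_port=143):
        print(summarize(e))
```

Run against an exported log instead of SAMPLE_LOG, the zero-reply list is the set of flows to chase with a packet capture on the WAN side: if the SYNs are visible leaving the WAN interface, the firewall rule layer is not the culprit and attention moves to NAT on the return path or to whatever sits upstream.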

  • Hi,

    port 143 is a mail port, you don't have mail scanning enabled on an earlier firewall rule, do you?

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55/c - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hi Ian,

     

    To avoid those issues I created this as the first rule; I've also looked into the mail stuff and I can't find any enabled rule/policy.

    So the problem is still here.

     

    I would really like there to be a log of all denied packets, or some kind of real-time test that would show the whole chain and where the block is. Kind of a system-wide drop-packet-capture.

     

    Thanks

  • Hi,

    in the log viewer set a filter for rule 15 and see what entries there are when you try to connect.

    Have you disabled rule 0 capture of no connection entries?

    Also change your source network to any during the testing.

    Ian

     
  • Hi Ian,

     

    Log viewer filter for rule 15 only shows accepts, not even one deny.

    Source network is ANY and no change to the result.

    Sorry, how do you edit rule 0?

     

    Thanks

  • Hi,

    you can't edit rule 0, just stop it recording all unassociated packets.

    Does your device get a DHCP-assigned address or is it fixed? Check your gateway configuration and netmask on the device.

    Ian

     
  • Hi,

     

    Replaced Sophos XG with another (not XG) FW and it works, so looks like there's something blocking the traffic in XG.

    Thanks anyway.

  • What you are saying is there is something wrong with the XG interface because you are not seeing the traffic hit the XG, so check that the XG LAN interface is set to auto-negotiate.

    Are you using DHCP, and do you see an address being allocated in the XG DHCP server? What is the address of your IoT device, gateway settings etc.?

    Ian

     
  • I just use XG as internet gateway, all other services are external, DNS, DHCP...

    What I did was replace the XG (virtual) with another FW (virtual) using the same IP so there wouldn't be any logical changes, and it worked.

     

    TGR