This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT and loopback issue - some IPs work but some don't

Hi everyone,

I am migrating my setup from Sophos UTM to Sophos Firewall XG and I've come across this strange issue with my config that I cannot figure out. Hopefully it shouldn't be a difficult one to track down. I've set-up a DNAT for port 22 and 993 (SSH and secure IMAP respectively) using the Server Access Assistant. The assistant also created the reflexive and loopback rules. I can access the IMAP server from outside just fine, no issues. As a background, the firewall has one static public IP and connections to port 993 are routed to the internal server. The internal network has multiple servers, say server 1 to 5. I can access the IMAP server from all the internal servers using the public IP apart from ONE specific server, let's call this server server 3. For this one server I have another DNAT rule (including reflexive and loopback) for port 80 i.e. incoming connections to port 80 are routed to that server. All internal servers have access to port 80 via the public IP.

From server 3 I cannot access port 993 via the public IP. I can however access port 22 from the public IP. I don't understand why is that the case. I have no other strange firewall rules that might be getting in the way and I don't see what makes server 3 special in this regard compared to servers 1, 2, 4 and 5. Any help would be much appreciated.

Thank you!

This thread was automatically locked due to age.

0 FormerMember over 3 years ago
Hi NikolaosBeglitis,

Thank you for reaching out to the Community!

When you try to access server 3, take a packet capture on the source public IP address and share it with us.

Sophos Firewall: How to monitor packet flow using the command line interface

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 NikolaosBeglitis over 3 years ago in reply to FormerMember

Here is a screenshot. Apparently it violates some sort of local ACL although I am not sure which one (checked in Device Access) and why it applies to that host only!
Cancel
Vote Up 0 Vote Down

Cancel
0 NikolaosBeglitis over 3 years ago in reply to FormerMember

Hi, any hints on this or how could I go about investigating it further? Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to NikolaosBeglitis

Hi NikolaosBeglitis,

Thank you for sharing a screenshot of the packet capture. It looks like there is no matching firewall for this traffic.

Please post a screenshot of your firewall rules.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 NikolaosBeglitis over 3 years ago in reply to FormerMember

There is the auto-generated rule from creating the DNAT via the assistant. Notice that SSH for example works fine. I don't see any other rules that might be getting in the way. Also notice that other internal hosts can get to IMAPS via the public IP and I don't see anything special about this host.
Cancel
Vote Up 0 Vote Down

Cancel
0 NikolaosBeglitis over 3 years ago in reply to FormerMember

Still not sure what is going on, there is a loopback rule for this that should take care of it. It is the same for all the other services and internal hosts, from IP 192.168.10.10 I can telnet the public IP at 993 and it will work fine but it won't work for IP 192.168.10.11. However from 192.168.10.11 I can telnet 22 or 80 the public IP and the port forwarding to the internal server will work just fine! Is port 993 special?
Cancel
Vote Up 0 Vote Down

Cancel
0 NikolaosBeglitis over 3 years ago

Bumping this since I still haven't figured it out. Any help would be much appreciated.
Cancel
Vote Up 0 Vote Down

Cancel