Windows AD at AWS and On-Premise XG

Hi,

 

My environment:

 

XG cluster on-premise and IPsec tunnel to AWS, where the AD is located. The local XG console can ping the DC but cannot telnet to 389 or 636.

 

XG IP: 192.168.157.70

DC 172.30.0.103

 

I added this rule:

console> show advanced-firewall
        Strict Policy                           : on
        FtpBounce Prevention                    : control
        Tcp Conn. Establishment Idle Timeout    : 10800
        UDP Timeout Stream                      : 60
        Fragmented Traffic Policy               : allow
        Midstream Connection Pickup             : off
        TCP Seq Checking                        : on
        TCP Window Scaling                      : on
        TCP Appropriate Byte Count              : on
        TCP Selective Acknowledgements          : on
        TCP Forward RTO-Recovery[F-RTO]         : off
        TCP TIMESTAMPS                          : off
        Strict ICMP Tracking                    : off
        ICMP Error Message                      : allow
        IPv6 Unknown Extension Header           : deny

        Bypass Stateful Firewall
        ------------------------
         Source              Genmask             Destination         Genmask

        NAT policy for system originated traffic
        ---------------------
        Destination Network     Destination Netmask     Interface       SNAT IP
        172.30.0.103            255.255.255.0                           192.168.157.70
        172.30.0.103            255.255.255.255                         192.168.157.70

First question: NAT policy twice? How to delete one?

 

And also followed this link : https://community.sophos.com/kb/en-us/123334

 

But still having problems. AWS tunnel is UP, all ports allowed.

 

Any idea?

 

Regards



This thread was automatically locked due to age.
  • Hi,

     

    17.1.1 MR-1# tcpdump -ni any host 172.30.0.103 and port 636
    tcpdump: Starting Packet Dump
    23:42:33.483198 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51841: Flags [R.], seq 0, ack 2466481052, win 0, length 0
    23:43:38.925909 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51912: Flags [R.], seq 0, ack 2925865509, win 0, length 0
  • I am confused.

    Can you explain your network, the IPsec tunnel, the IPs etc.? Where did you perform this dump?

    __________________________________________________________________________________________________________________

  • Hi,

     

     

    This tcpdump was done from the XG device. 172.30.0.103 is the DC... and 169..... I think is the IPsec local IP.

  • Still confused. Which XG? As mentioned before, I expect you have 2 XGs?

    172.30.0.103 is the AD in AWS. So you perform an access from the XG on-prem to the AD in AWS through an XG in AWS?

    As far as I can tell from this little information, the NAT is not correct.

    Your AD server is refusing the packets because it is a link-local address, not an IPsec address out of the tunnel.

    You used

    172.30.0.103            255.255.255.0                           192.168.157.70

    What is 192.168.157.70? Is this address public for the AD?

    __________________________________________________________________________________________________________________
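An added troubleshooting helper (my own code, not from the thread or from Sophos) that reads the two NAT rows and the tcpdump lines quoted above: it normalises each destination/netmask pair into a network, which shows why the two rows overlap and that the first row's /24 mask widens a host address to a whole subnet, and it reports which address the DC is sending resets to, so an un-SNATed link-local source can be told apart from a refusal of the firewall's real address. It uses only Python's standard ipaddress and re modules; the expected SNAT address 192.168.157.70 is taken from the thread.

```python
import ipaddress
import re

# Constructed sample: the two NAT rows from "show advanced-firewall" in this thread.
NAT_ROWS = """\
172.30.0.103            255.255.255.0                           192.168.157.70
172.30.0.103            255.255.255.255                         192.168.157.70
"""

# Constructed sample: the tcpdump lines posted in this thread (DC replying with RST).
TCPDUMP = """\
23:42:33.483198 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51841: Flags [R.], seq 0, ack 2466481052, win 0, length 0
23:43:38.925909 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51912: Flags [R.], seq 0, ack 2925865509, win 0, length 0
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RST_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[R\.?\]")


def parse_nat_rows(text):
    """Return (dest_network, snat_ip, note) per row; the note is non-empty when the
    mask does not fit the destination, i.e. a host address given with a /24 mask."""
    rows = []
    for line in text.splitlines():
        dest, mask, snat = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        note = "" if str(net.network_address) == dest else f"mask widens {dest} to {net}"
        rows.append((net, ipaddress.ip_address(snat), note))
    return rows


def overlapping_rows(rows):
    """Index pairs whose destination networks overlap: one of them is redundant."""
    return [(i, j) for i in range(len(rows)) for j in range(i + 1, len(rows))
            if rows[i][0].overlaps(rows[j][0])]


def rst_targets(dump, expected_snat):
    """For each RST in the capture: (remote ip, remote port, address reset, verdict).
    The reset address is the source the firewall's own connection really left with."""
    expected = ipaddress.ip_address(expected_snat)
    findings = []
    for m in RST_RE.finditer(dump):
        reset_to = ipaddress.ip_address(m.group(3))
        if reset_to == expected:
            verdict = "SNAT applied; the remote host itself refused the connection"
        elif reset_to in LINK_LOCAL:
            verdict = "not SNATed: firewall used its link-local tunnel address"
        else:
            verdict = "unexpected source address"
        findings.append((m.group(1), int(m.group(2)), str(reset_to), verdict))
    return findings
```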

  • Hi,

     

     

    Yes, 2 XG active/passive.

    Yes, from on-prem XG 192.168.157.70 to AWS AD 172.30.0.103

     

    Then, what should be the correct NAT rule?

     


    regards

  • Can you please explain your Network in more detail? 

    __________________________________________________________________________________________________________________

  • Can you join a linux server to AWS hosted AD domain? (not EC2 AD, not on premise AD). And leverage group policy to push to the linux servers?

  • Hi,

     

    What do you want to know?

  • I cannot help you at the moment, because I do not understand what you do.

     

    You have two appliances in A-P on premise.

    You have an IPsec tunnel to AWS? Can you show me the config of this IPsec tunnel? Do you perform the correct routing to this tunnel?

    Can the AD talk to the XG Lan interface? 

    We are lacking much information about your setup. 

    __________________________________________________________________________________________________________________

  • Hi,

     

    Yes, there is an IPsec tunnel between the XG cluster and AWS.

     

     

    How could I get info about the tunnel using CLI?

     

    Yes, I can ping and telnet from AD 172.30.0.130 to XG cluster at 192.168.157.70