Windows AD at AWS and On-Premise XG

You can delete this rule with set advanced-firewall cr-traffic-nat del destination <Destination IP/Network> snatip <NATed IP>

If ping is possible, could be a Firewall issue. Did you check both appliances via tcpdump? You wont see the outgoing traffic but incoming.

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

HI,

17.1.1 MR-1# tcpdump -ni any host 172.30.0.103 and port 636     
tcpdump: Starting Packet Dump                                                   
23:42:33.483198 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51841: Flags [R.], s
eq 0, ack 2466481052, win 0, length 0                                           
23:43:38.925909 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51912: Flags [R.], s
eq 0, ack 2925865509, win 0, length 0   

i am confused. 

Can you explain your network, the ipsec tunnel, the ips etc? Where did you perform this dump? 

Hi,

This tcpdump was donde from XG device. 172.30.0.103 is DC... and 169..... I think is the ipsec local IP

Still confused. Which XG? As mention before, i except you have 2 XGs? 

172.30.0.103 is the AD in AWS. So you perform a access from XG on prem to AD AWS through XG in AWS? 

As far as i can tell from this little information, the NAT is not correct.

your AD Server is refusing the packets because it is a link local address, not a IPsec Address out of the tunnel. 

You used 

172.30.0.103            255.255.255.0                           192.168.157.70           

What is 192.168.157.70? Is this address public for the AD?                                               

Hi,

Yes, 2 XG active/passive.

Yes, from on-prem XG 192.168.157.70 to AWS AD 172.30.0.103

Then, what should be the correct NAT rule?

regards

Can you please explain your Network in more detail? 

Can you join a linux server to AWS hosted AD domain? (not EC2 AD, not on premise AD). And leverage group policy to push to the linux servers?

Hi,

What do you want to know?

I cannot help you at the moment, because i do not understand, what you do. 

You have two Appliances in A-P on Premise. 

You have a Ipsec tunnel to AWS? Can you show me the config of this ipsec tunnel? Do you perform the correct routing to this tunnel?

Can the AD talk to the XG Lan interface? 

We are lacking much information about your setup. 

I cannot help you at the moment, because i do not understand, what you do. 

You have two Appliances in A-P on Premise. 

You have a Ipsec tunnel to AWS? Can you show me the config of this ipsec tunnel? Do you perform the correct routing to this tunnel?

Can the AD talk to the XG Lan interface? 

We are lacking much information about your setup. 

Hi,

Yes,  there is an Ipsec Tunnel between the XG Cluster and AWS.

How could I get info about the tunnel using CLI?

Yes, I can ping and telnet from AD 172.30.0.130 to XG cluster at 192.168.157.70

Hi,

At routing table:

 but i can not see this interface when ran shwo network interfaces

172.30.0.103    *               255.255.255.255 UH    0      0        0 ipsec0

Ok. 

Did you perform both commands like in the KBA? 

https://community.sophos.com/kb/en-us/123334

And did you already delete the other Route? 

And i am kinda confused about your Ipsec Tunnel config because there is no listing interface on xg? 

And is there are reason for you to use ANY as local gateway? Seems like not good to use, instead use the "real" networks in your env.

Hi,

In my first post I included this post.... one doubt, how to delete all of those NAT policy routes? including "no" like cisco devices?

Regards

As mention before, just replace add with del in the same command.

But please open a support case, i am not able to troubleshoot this via forum. 

Hi,

I opened a ticket some week ago to spanish support and told me ast week they could continue  because devices are working fine.

Hi,

I used

onsole> set advanced-firewall sys-traffic-nat del destination 172.30.0.103 snat
ip 192.168.157.70  

 but rule is still there.