This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows AD at AWS and On-Premise XG

Hi,

My enviroment:

XG Cluster On-Premise and IPsec tunnel to AWS where is located AD. Local XG console can ping DC but can not telnet to 389 or 636.

XG IP: 192.168.157.70

DC 172.30.0.103

I added thos rule:

onsole> show advanced-firewall                                                 
        Strict Policy                           : on                            
        FtpBounce Prevention                    : control                       
        Tcp Conn. Establishment Idle Timeout    : 10800                         
        UDP Timeout Stream                      : 60                            
        Fragmented Traffic Policy               : allow                         
        Midstream Connection Pickup             : off                           
        TCP Seq Checking                        : on                            
        TCP Window Scaling                      : on                            
        TCP Appropriate Byte Count              : on                            
        TCP Selective Acknowledgements          : on                            
        TCP Forward RTO-Recovery[F-RTO]         : off                           
        TCP TIMESTAMPS                          : off                           
        Strict ICMP Tracking                    : off                           
        ICMP Error Message                      : allow                         
        IPv6 Unknown Extension Header           : deny                          
                                                                                
                                                                                
        Bypass Stateful Firewall                                                
        ------------------------                                                
         Source              Genmask             Destination         Genmask    
                                                                                
                                                                                
        NAT policy for system originated traffic                                
        ---------------------                                                   
        Destination Network     Destination Netmask     Interface       SNAT IP 
        172.30.0.103            255.255.255.0                           192.168.
157.70                                                                          
        172.30.0.103            255.255.255.255                         192.168.
157.70

First question. NAT policy twice? how to delete one.

And also followed this link : https://community.sophos.com/kb/en-us/123334

But still having problems. AWS tunnel is UP all allk ports allowed

Any idea?

Regards

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 6 years ago

You can delete this rule with set advanced-firewall cr-traffic-nat del destination <Destination IP/Network> snatip <NATed IP>

If ping is possible, could be a Firewall issue. Did you check both appliances via tcpdump? You wont see the outgoing traffic but incoming.

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg
Cancel
Vote Up 0 Vote Down

Cancel

0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

HI,

17.1.1 MR-1# tcpdump -ni any host 172.30.0.103 and port 636     
tcpdump: Starting Packet Dump                                                   
23:42:33.483198 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51841: Flags [R.], s
eq 0, ack 2466481052, win 0, length 0                                           
23:43:38.925909 lo, IN: IP 172.30.0.103.636 > 169.254.234.5.51912: Flags [R.], s
eq 0, ack 2925865509, win 0, length 0

0 LuCar Toni over 6 years ago in reply to Edgar_Quintana
Still confused. Which XG? As mention before, i except you have 2 XGs?

172.30.0.103 is the AD in AWS. So you perform a access from XG on prem to AD AWS through XG in AWS?

As far as i can tell from this little information, the NAT is not correct.

your AD Server is refusing the packets because it is a link local address, not a IPsec Address out of the tunnel.

You used

172.30.0.103 255.255.255.0 192.168.157.70

What is 192.168.157.70? Is this address public for the AD?
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

Hi,

Yes, 2 XG active/passive.

Yes, from on-prem XG 192.168.157.70 to AWS AD 172.30.0.103

Then, what should be the correct NAT rule?

regards
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Edgar_Quintana

Can you please explain your Network in more detail?
Cancel
Vote Up 0 Vote Down

Cancel
0 saliko hamido over 6 years ago in reply to LuCar Toni

Can you join a linux server to AWS hosted AD domain? (not EC2 AD, not on premise AD). And leverage group policy to push to the linux servers?
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

Hi,

What do you want to know?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Edgar_Quintana

I cannot help you at the moment, because i do not understand, what you do.

You have two Appliances in A-P on Premise.

You have a Ipsec tunnel to AWS? Can you show me the config of this ipsec tunnel? Do you perform the correct routing to this tunnel?

Can the AD talk to the XG Lan interface?

We are lacking much information about your setup.
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

Hi,

Yes, there is an Ipsec Tunnel between the XG Cluster and AWS.

How could I get info about the tunnel using CLI?

Yes, I can ping and telnet from AD 172.30.0.130 to XG cluster at 192.168.157.70
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to Edgar_Quintana
Hi,

At routing table:

but i can not see this interface when ran shwo network interfaces

172.30.0.103 * 255.255.255.255 UH 0 0 0 ipsec0
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Edgar_Quintana

Ok.

Did you perform both commands like in the KBA?

https://community.sophos.com/kb/en-us/123334

And did you already delete the other Route?

And i am kinda confused about your Ipsec Tunnel config because there is no listing interface on xg?

And is there are reason for you to use ANY as local gateway? Seems like not good to use, instead use the "real" networks in your env.
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

Hi,

In my first post I included this post.... one doubt, how to delete all of those NAT policy routes? including "no" like cisco devices?

Regards
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

Hi,

In my first post I included this post.... one doubt, how to delete all of those NAT policy routes? including "no" like cisco devices?

Regards
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 6 years ago in reply to Edgar_Quintana

As mention before, just replace add with del in the same command.

But please open a support case, i am not able to troubleshoot this via forum.
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to LuCar Toni

Hi,

I opened a ticket some week ago to spanish support and told me ast week they could continue because devices are working fine.
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 6 years ago in reply to Edgar_Quintana
Hi,

I used

onsole> set advanced-firewall sys-traffic-nat del destination 172.30.0.103 snat ip 192.168.157.70

but rule is still there.
Cancel
Vote Up 0 Vote Down

Cancel