DNAT is not working for Public IP aliases

Can you share a screenshot? 

Sure, IP and Aliases

Business Rule:

 All Rules:

Thank you in advance,

Looks like this Rule hits but does not work at all. 

Could be a Issue with the Server behind XG.

Would suggest to dump this traffic.

https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

Another approach is to enable MASQ on this Rule and check, if it is working. 

Tried all except the dump

Both servers are accessible locally on the network with firewall down and up (windows machines)

There is something Wired with Xg when I worked with it before (installed on HP server) way more better!!

I Don't understand what are they trying to Achieve with this turn around!

The attempts are not even being logged though all rules has log checked.

I honestly never have issues with DNAT right now. 

But maybe there is something wrong with your DNAT in the current stage. If the Rule is not hitting and no Logging is done, most likely it does not match the traffic.

So i would recommend to perform a Dump of your traffic and check, if it is matching or not. 

Hi Toni,

tcpdump -i Port2 -n host 197.X.X.X3 -X -w /tmp/log.pcap -b

Dump had only "ò?^B^@^D^@^@^@^@^@^@^@^@^@`^@^@^@^A^@^@^@"

After trying to access the webserver from http://anonymouse.org ,https://ping.eu and of course my phones and tablet with different operators.

Note that they were working fine with Cyberoam and even I tested with standard router.

 I Still don't get it! I even created a Rule LAN*.*WAN WAN*.*LAN

sometimes I'm noticing rule 0 which does not exist, but never the less the IPs and connection tyoe has nothing to do with my issue.

Anything you can advise on would be appreciated.

Try the tcpdump command without logging into file.

tcpdump -ni Port2 host 197.   

Then Access the page via Mobile phone and check the dump.

You can share the screenshot with us.

Basically you should see a TCP Handshake. 

Sadly Nothing!

Tired from different sources

So basically there is no traffic matching those conditions. 

Tcpdump is the "nearest" approach to the interface. In fact XG OS (SFOS) cannot block or do anything on this level. It is Layer 1/2. 

Maybe you filter are not matching.

Port2 is your WAN interface and Host is your WAN IP ? 

Port2 is my WAN used for browsing and VPN etc...

Port2:2 (Alias from the range /29) is pointing is the one being used in the rule to point to the server on the LAN segment

I even used the Port forwarding method for RDP on the main WAN IP
WAN RDP to Local IP RDP ... also nothing.

Do yo think changing the subnet to /32 for aliases will help?

I do not think, this will help.

You should see the traffic incoming in a Dump.

As mentioned earlier, this is the lowest level of communication. 

If you do not see the traffic hitting on those criteria, there is something wrong in the configuration between XG and your ISP. 

If you perform a tcpdump -ni any host IP  you should at least see something. 

If not, the traffic is not hitting XG.

Even if you did a mistake in the interface configuration, something should be seen in this Dump. 

Another issue could be the ARP Communication, but i would suggest to dig deeper in this scenario explained above. 

I would look into the ARP Communication as well, I had a similar issue with my deployment where the modem and actually the switches internally did not clear out the MAC address of the old firewall, so the IP's matched up but didn't get through the modem due to the MAC address, once I figured that out I had the same issue with the switches.

Might not be same case here but figured I would share just in case.

I would look into the ARP Communication as well, I had a similar issue with my deployment where the modem and actually the switches internally did not clear out the MAC address of the old firewall, so the IP's matched up but didn't get through the modem due to the MAC address, once I figured that out I had the same issue with the switches.

Might not be same case here but figured I would share just in case.

Thank you for your reply Badrobot. Its a fresh installation the ARP is clean.

 The modem is brand new as well?  Or just the XG?

NSG was not the problem it was from ISP IP configuration

Thank you for all the help