
Port forward from WAN to VPN zone not working

I have set up a port forward coming in to an XG firewall (site A) where the port forward needs to arrive at a server on another XG firewall (site B) via an XG IPSec site-to-site VPN. These are the settings:

Source zone: WAN

Allowed client networks: Any

Blocked client networks: empty


Destination: Alias IP on Port 2 WAN

Services: HTTPS

Protected server: servername (servername is hosted at site B, which is on the other side of a site-to-site IPSec VPN)

Mapped port: 443

Protected zone: VPN


When I browse from the internet to https://aliasip it eventually times out. I can successfully browse to https://servername from site A. A TCPDUMP on the firewall at site A shows my requests are reaching the XG firewall on the correct IP address and port and shows it is then trying to send me to servername. A TCPDUMP on the site B XG firewall does not show any attempts coming inbound.

I have tried configuring MSS clamping using this command in the advanced shell: iptables -t mangle -I POSTROUTING -d servername -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

However, it made no difference.

It seems to me the packets are not traversing the site-to-site VPN and may be stuck on the site A XG firewall.

Any ideas?



This thread was automatically locked due to age.
  • Hi,

    Have you tried two things?

    1. Add a Static Route on the VPN tunnel for the server. 

    2. NAT must be enabled on the business policy, and the WAN IP (Alias IP on Port 2 WAN) must be allowed on the VPN.

  • What are the configuration steps to route to the server over the VPN? Aren't the routes automatically put into the XG routing table when the VPN establishes? I can already reach the server from the LAN zone fine.

  • Option 1: Yes, you are right that the route is added automatically, and it is happening, but I have noticed many times that port forwarding and traffic redirection do not work with the route auto-added by the VPN itself. This is not an issue with the appliance; Sophos itself says that if traffic is generated from the Sophos or is NATed, then check your route on the IPSec VPN. You can add a route on the VPN as:

    1. console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>

    Option 2: Share your NATing configuration and the output from both firewalls:

    1. tcpdump "host <Server IP address Local>"

    2. drop-packet-capture 'host <ipaddress>'

    Try to minimize the sessions during the troubleshooting, so we can understand it easily.

  • Adding the route under the console worked. I also had to enable source NAT to translate the source address to an address on site A LAN.
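
An added example, not part of the thread or of any Sophos tooling: a small POSIX shell/awk checker that classifies tcpdump lines captured on the site A firewall (for instance with tcpdump -ni any "host <server ip> and port 443", as suggested in the reply above) to tell whether the forwarded SYNs toward the protected server leave with the site A LAN source address the resolution describes, or still carry the public client address. The server address 10.20.0.5, the site A LAN address 10.10.0.1, the public client 203.0.113.10 and the capture lines are all constructed for the example. The reason a public source matters is an assumption stated in the comments: the far side would route its replies to that address out its own WAN rather than back through the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread). Classify tcpdump output from the site A
# firewall to check the state of a WAN -> VPN port forward after DNAT.
#
# Assumption: if the forwarded SYN keeps the public client source address,
# the site B firewall replies toward that public address via its own WAN,
# not back through the IPsec tunnel, so the handshake never completes.
# With source NAT to a site A LAN address, replies return through the tunnel.
#
# Usage: classify_capture <server_ip> <expected_snat_ip> < capture.txt
# Prints exactly one word: ok | no-snat | none
classify_capture() {
    server="$1"
    snat="$2"
    awk -v server="$server" -v snat="$snat" '
        # tcpdump IPv4 line shape:
        #   <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq ...
        # Only plain SYNs ([S]) are of interest; [S.] is the SYN-ACK reply.
        $2 == "IP" && /Flags \[S\]/ {
            dst = $5; sub(/:$/, "", dst)
            src = $3
            # split "a.b.c.d.port" into address and port
            n = split(dst, d, "."); dport = d[n]
            dip = d[1] "." d[2] "." d[3] "." d[4]
            n = split(src, s, ".")
            sip = s[1] "." s[2] "." s[3] "." s[4]
            if (dip == server && dport == "443") {
                seen = 1
                if (sip == snat) good = 1; else bad = 1
            }
        }
        END {
            if (good) print "ok"          # SYN toward server with SNAT source
            else if (bad) print "no-snat" # SYN toward server, public source kept
            else print "none"             # no SYN toward server:443 at all
        }'
}

# Constructed sample captures (not real traffic).
# Before the fix: DNAT happened but the public client address is kept.
SAMPLE_BEFORE='12:00:01.000001 IP 203.0.113.10.51514 > 10.20.0.5.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.10.51514 > 10.20.0.5.443: Flags [S], seq 1, win 64240, length 0'

# After the fix: source NAT to the site A LAN address, and a SYN-ACK comes back.
SAMPLE_AFTER='12:00:05.000001 IP 10.10.0.1.51514 > 10.20.0.5.443: Flags [S], seq 1, win 64240, length 0
12:00:05.000010 IP 10.20.0.5.443 > 10.10.0.1.51514: Flags [S.], seq 9, ack 2, win 65160, length 0'

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_BEFORE" | classify_capture 10.20.0.5 10.10.0.1   # prints: no-snat
printf '%s\n' "$SAMPLE_AFTER"  | classify_capture 10.20.0.5 10.10.0.1   # prints: ok
```

In practice, pipe a real capture into the function and read the single word it prints: "none" matches the original symptom (SYNs not being sent toward the server at all, i.e. the route problem), "no-snat" points at the missing source NAT, and "ok" means both parts of the fix are in place.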

  • Hi,

    I feel happy to hear that my resolution has worked for you.
