
Simple DNAT/Firewall rules not working

I have tried the following scenario by building the DNAT rule and Firewall rule manually. And I have tried using the "assistant." Neither works. I would appreciate it if someone could take a look at this scenario for me since the support portal is still down.

XG Firewall release 18.0.3 MR-3

Scenario: I need to allow 1 public IP address to connect to one of our external IPs on port 389 to do a LDAP query on an internal LDAP server. Only that single server will be permitted to make the connection. Here's what I have tried:

Server Access Assistant method:

  1. Create a host object for the internal LDAP server
  2. Create a service item "AD_389" using port 389
  3. Create a host object for the external address where the request will come from
  4. Test to make sure server is listening on the port, which of course it is
  5. Rules and Policies > Firewall Rules > Add Firewall Rule > Server access assistant
  6. Internal Server IP address > Choose the host object from step 1, Next
  7. Public IP Address > Choose the one on Port2 (although I have also tried Port2:0 to try a different address), Next
  8. Services > Add new item, select the service created in Step 2, Next
  9. External Source Networks and Devices > Choose the host object from Step 3, Next
  10. Review the selections. Everything is correct. The summary says it will create two NAT rules: Inbound (DNAT) - traffic to the external address assigned to Port 2 will be translated to the internal server IP. Outbound (SNAT) masquerades outbound traffic from the internal server's address to the external Port 2 interface address. Then it says it will create one firewall rule, which will allow access to the internal server on port 389 from the host that will be allowed to query LDAP.

After this was done I edited the firewall rule to enable logging and saved it.

Then I logged into the remote server and tried to telnet on port 389 to the external IP on Port2. Nothing. Won't connect, and nothing is logged.

I then tried the manual method. I deleted what the server assistant had created, created the DNAT rule, and then the firewall rule by matching all of the settings (adjusting for IPs and Ports) of an existing rule that works. Still no connection and nothing showing up in the logs.

I'm sure most of you have figured out how to do the things that used to be so easy in previous releases but I haven't. If I knew the XG (and specifically v18) would be this complicated I would have switched to something else. Countless hours have been wasted migrating from our old UTM. Anyway, I'm stuck with it, so any help you can provide will be greatly appreciated.

Thanks
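Added example (editor's note, not part of the post above and not Sophos code): a small Python probe to run from the permitted external host against the Port2 public address. It goes one step past telnet: it classifies what the path did with the SYN, and if the handshake completes it sends an LDAPv3 anonymous bind so you can tell whether the DNAT actually landed on the LDAP server rather than on something else that happens to answer on 389. A connect timeout means the SYN was never answered, which is what a silent drop by an unmatched DNAT/firewall rule looks like from outside and fits the "nothing is logged" symptom; a refused connection means a RST came back from something reachable. The public address in the comment is a placeholder, and the local "fake LDAP server" is a constructed stand-in so the script can be exercised offline.

```python
# Added example: a DNAT/LDAP reachability probe. Not from the forum post and
# not Sophos code. Run it on the permitted external host, pointing at the
# public address on Port2. The addresses used here are placeholders.
import socket
import threading

LDAP_PORT = 389


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def build_anonymous_bind(message_id: int = 1) -> bytes:
    """LDAPv3 anonymous simple BindRequest (RFC 4511), message_id < 128."""
    bind = ber_tlv(0x60,                      # [APPLICATION 0] BindRequest
                   ber_tlv(0x02, b"\x03")     # version INTEGER 3
                   + ber_tlv(0x04, b"")       # name LDAPDN ""
                   + ber_tlv(0x80, b""))      # simple auth, empty password
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + bind)


def parse_bind_result_code(data: bytes):
    """resultCode from a BindResponse, or None if data is not one.
    Short-form lengths only, which is all a bind response uses."""
    try:
        if data[0] != 0x30 or data[2] != 0x02:        # LDAPMessage, messageID
            return None
        i = 4 + data[3]                                # skip messageID
        if data[i] != 0x61 or data[i + 2] != 0x0A:     # BindResponse, ENUMERATED
            return None
        n = data[i + 3]
        return int.from_bytes(data[i + 4:i + 4 + n], "big")
    except IndexError:
        return None


def classify_connect(host: str, port: int = LDAP_PORT, timeout: float = 5.0):
    """Connect to host:port and report what the path did with the SYN.

    ("timeout", None)  SYN unanswered: a silent drop, which is what an
                       unmatched DNAT/firewall rule looks like from outside
    ("refused", None)  RST came back: something reachable, nothing listening,
                       or a rule that rejects instead of drops
    ("open", code)     handshake done; code is the LDAP bind resultCode
                       (0 = success) or None if no LDAP answer arrived
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", None)
    except ConnectionRefusedError:
        return ("refused", None)
    except OSError as exc:
        return ("error: " + str(exc), None)
    with sock:
        try:
            sock.sendall(build_anonymous_bind())
            reply = sock.recv(512)
        except OSError:
            return ("open", None)
    return ("open", parse_bind_result_code(reply))


def fake_ldap_server():
    """Constructed stand-in for the internal LDAP server, for offline runs:
    accepts one connection and answers with BindResponse resultCode 0."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.recv(512)
            resp = ber_tlv(0x61, ber_tlv(0x0A, b"\x00")    # resultCode success
                           + ber_tlv(0x04, b"") + ber_tlv(0x04, b""))
            conn.sendall(ber_tlv(0x30, ber_tlv(0x02, b"\x01") + resp))

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def closed_local_port() -> int:
    """A loopback port with nothing listening (to see the 'refused' verdict)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, _ = fake_ldap_server()
    print("stand-in LDAP server:", classify_connect("127.0.0.1", port))
    print("closed port:", classify_connect("127.0.0.1", closed_local_port()))
    # Real check, from the permitted source host (placeholder address):
    # print(classify_connect("203.0.113.10", LDAP_PORT))
```

Run the real check from the host object in step 3, since the firewall rule only admits that source; a "timeout" from there, with nothing in the firewall log, points at the DNAT or firewall rule not matching (wrong public address on Port2, wrong service, or wrong source), while "open" with resultCode 0 proves the translation reaches the LDAP server end to end.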


