
Can't connect back to my network from XG125 on Comcast

I set up my new XG125 behind a Comcast cable modem to manage a small development network (2 web servers, 2 DBMS servers, 4 internal IP addresses, 3 PCs, and a bunch of TVs and devices via a connected WAP). Everything goes through a network switch to the LAN1 port on the XG. We have a bunch of DNS settings with Network Solutions that send various sub-domains around to various networks, including this development network.

Everything seems to work fine accessing this development network (http/https, custom ports, etc.) from the outside. From inside the network, our PCs connect to ExpressVPN. When we request a login page from our web server using our defined DNS name "http://login.mydomain.com", the response is as expected (we get the login page). However, when we quit ExpressVPN, which puts us back on the Comcast network (the same IP as the XG's WAN interface IP), and then try to access our web resources from inside, we cannot access the above login page. The browser times out with a DNS error. Making any other http/https request to our network fails too. Turn ExpressVPN back on and all is well again.

What have I failed to configure?  Thanks,

  • So I ran the diagnostics and noticed something odd. My goal was to give everybody in the network access to anything outside the network, including resources in the network. When I try to connect I get...

    Port1 / Port1 / IPv4 / 192.168.100.54 / 192.168.100/13 / TCP / 51813,80 / 3 / 0 / Violation / Firewall

    ...which tells me there is a violation of NAT ID #3. When I edit the NAT rule, the Translation Settings show...

    Rule Name - DNAT to My Web Server_xxxxx, Original source - Any, Original destination - #Port2, Original service - HTTP/HTTPS/SFTP, Translated source (SNAT) - Original, Translated destination (DNAT) - My Web Server, Translated service (PAT) - Original.

    The Interface matching criteria shows...

    Inbound interface - Any, Outbound interface - Any

    I would have posted some pictures but couldn't figure out how to.  Sigh...

  • I looked on the internet and found this document...

         https://support.sophos.com/support/s/article/KB-000038769?language=en_US

    I tried both solutions but seem to be missing something because neither worked.  So frustrating.  Sigh...

  • So, it looked like there were two different possible solutions: 1) create a firewall rule from the internal network to the WAN port, or 2) add the LAN to the DNAT rules (source zone) accessing each server.

    I chose the first option because it was the one the Sophos technician created that actually worked after the firewall crashed. It did so when our Comcast service temporarily went down and detached the Comcast cable modem from the Comcast network for several hours until I rebooted the modem. In order to get the Sophos working again I had to restore the backup I took after we accomplished #1 above. The settings after we did #2 above didn't work after the modem reboot.

    The rule was basically called "Internal LAN Loopback", where the Source was "Any (zone) / 192.168.1.0 (network) / All the time (during)" and the Destination was "LAN (zone) / #Port2 (network) / Any (services)". This became the top rule.

    I have no idea why such a simple solution wasn't noted in any of the help, or at least it wasn't easily found by the likes of me.
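The thread above never spells out why the DNAT rule alone produced "Violation / Firewall" for an internal client, or why a firewall rule with Destination zone LAN but Destination network #Port2 fixes it. The following Python model is an added illustration, not Sophos code and not something any poster wrote. It assumes a constructed topology (LAN 192.168.100.0/24, client .54 from the diagnostics line, web server .20, firewall LAN address .1, WAN address 203.0.113.10 standing in for #Port2, an outside client 198.51.100.7) and models the SFOS 18 matching order: DNAT is applied first, then firewall rules are matched top-down on the post-NAT destination zone but the pre-NAT destination address. It also carries a reply-path check that reflects general hairpin-NAT behaviour (a server on the client's own subnet answers the client directly unless the DNAT rule also masquerades the source); the thread does not confirm how the poster's working configuration handles that, so treat it as a caveat to verify rather than a description of their setup.

```python
"""Model of an inbound DNAT rule interacting with firewall rules for a
hairpin connection (LAN client -> public WAN IP -> LAN web server).

Added example: addresses, rule names and the evaluation model are
assumptions for illustration, not the forum poster's real configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology (assumed values, documentation address ranges).
WAN_IP = ip_address("203.0.113.10")          # #Port2 address (assumed)
LAN_NET = ip_network("192.168.100.0/24")     # internal subnet (assumed)
LAN_GW = ip_address("192.168.100.1")         # firewall's Port1 address (assumed)
WEB_SERVER = ip_address("192.168.100.20")    # "My Web Server" (assumed)
CLIENT = ip_address("192.168.100.54")        # client from the diagnostics line
OUTSIDE = ip_address("198.51.100.7")         # an Internet client (assumed)
HTTP = {80, 443}


def zone_of(addr: IPv4Address) -> str:
    """LAN for the internal subnet, WAN for everything else (including WAN_IP)."""
    return "LAN" if addr in LAN_NET else "WAN"


@dataclass
class DnatRule:
    name: str
    orig_dst: IPv4Address        # "Original destination", e.g. #Port2
    services: set                # "Original service" as destination ports
    translated_dst: IPv4Address  # "Translated destination (DNAT)"
    snat_masq: bool = False      # Translated source: MASQ (True) or Original


@dataclass
class FirewallRule:
    name: str
    src_zones: set      # {"Any"} or explicit zone names
    src_nets: list      # IPv4Network list; empty means Any
    dst_zones: set      # matched against the post-NAT destination zone
    dst_nets: list      # matched against the pre-NAT destination address
    services: set       # destination ports; empty means Any

    def matches(self, src_zone, src, dst_zone, orig_dst, dport) -> bool:
        if "Any" not in self.src_zones and src_zone not in self.src_zones:
            return False
        if self.src_nets and not any(src in n for n in self.src_nets):
            return False
        if "Any" not in self.dst_zones and dst_zone not in self.dst_zones:
            return False
        if self.dst_nets and not any(orig_dst in n for n in self.dst_nets):
            return False
        return not self.services or dport in self.services


def evaluate(src, dst, dport, dnat_rules, fw_rules) -> dict:
    """Step 1: first matching DNAT rule rewrites the destination (and, with
    MASQ, the source).  Step 2: firewall rules are checked top-down using the
    post-NAT destination zone but the pre-NAT destination address."""
    new_dst, new_src, nat_name = dst, src, None
    for r in dnat_rules:
        if dst == r.orig_dst and dport in r.services:
            new_dst, nat_name = r.translated_dst, r.name
            if r.snat_masq:  # hide the client behind the firewall's own address
                new_src = LAN_GW if zone_of(new_dst) == "LAN" else WAN_IP
            break
    src_zone, dst_zone = zone_of(src), zone_of(new_dst)
    for f in fw_rules:
        if f.matches(src_zone, src, dst_zone, dst, dport):
            return {"verdict": "Accept", "rule": f.name, "nat": nat_name,
                    "dst": new_dst, "src": new_src}
    return {"verdict": "Violation / Firewall", "rule": None, "nat": nat_name,
            "dst": new_dst, "src": new_src}


def reply_reaches_client(result: dict, client: IPv4Address) -> bool:
    """Hairpin caveat: the client expects its SYN-ACK to come from WAN_IP.
    If the server sees the client's real address and shares its subnet, it
    answers directly (source = server IP), so the client drops the reply.
    With MASQ the server answers the firewall, which reverses both NATs."""
    if result["verdict"] != "Accept":
        return False
    direct_reply = (result["src"] == client and result["dst"] in LAN_NET
                    and client in LAN_NET)
    return not direct_reply


# Rules as the poster described them (names shortened, addresses assumed).
DNAT_TO_WEB = DnatRule("DNAT to My Web Server", WAN_IP, HTTP, WEB_SERVER)
DNAT_TO_WEB_MASQ = DnatRule("DNAT to My Web Server (MASQ)", WAN_IP, HTTP,
                            WEB_SERVER, snat_masq=True)
LAN_TO_WAN = FirewallRule("LAN to WAN", {"LAN"}, [LAN_NET], {"WAN"}, [], set())
WAN_TO_WEB = FirewallRule("WAN to Web Server", {"WAN"}, [], {"LAN"},
                          [ip_network(f"{WAN_IP}/32")], HTTP)
LOOPBACK = FirewallRule("Internal LAN Loopback", {"Any"}, [LAN_NET], {"LAN"},
                        [ip_network(f"{WAN_IP}/32")], set())


def scenario_before():   # what the diagnostics line showed
    return evaluate(CLIENT, WAN_IP, 80, [DNAT_TO_WEB], [LAN_TO_WAN, WAN_TO_WEB])

def scenario_after():    # loopback rule placed at the top
    return evaluate(CLIENT, WAN_IP, 80, [DNAT_TO_WEB], [LOOPBACK, LAN_TO_WAN, WAN_TO_WEB])

def scenario_after_masq():
    return evaluate(CLIENT, WAN_IP, 80, [DNAT_TO_WEB_MASQ], [LOOPBACK, LAN_TO_WAN, WAN_TO_WEB])

def scenario_external():  # Internet client, which already worked
    return evaluate(OUTSIDE, WAN_IP, 443, [DNAT_TO_WEB], [LAN_TO_WAN, WAN_TO_WEB])


if __name__ == "__main__":
    for name, fn in [("before", scenario_before), ("after", scenario_after),
                     ("after+MASQ", scenario_after_masq), ("external", scenario_external)]:
        r = fn()
        print(f"{name:11} {r['verdict']:22} rule={r['rule']} "
              f"reply_ok={reply_reaches_client(r, CLIENT if name != 'external' else OUTSIDE)}")
```

Running the block shows the internal client hitting "Violation / Firewall" with only the LAN-to-WAN and WAN-to-server rules (the DNAT moved the destination into the LAN zone, so neither rule's zone pair matches), the same packet accepted by the "Internal LAN Loopback" rule once it is first in the list, and the external client accepted throughout. The reply-path check is the part worth testing on a real box: if your web server and clients share a subnet and the loopback DNAT keeps the source as Original, confirm with a packet capture on the server that its SYN-ACK actually traverses the firewall rather than going straight back to the client.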