Sophos XG - access one internal network to another

Hi,

we are using XG Virtual (4/6) SFOS 18.04 MR4.

So we have a Mail Server that is accessible via Internet (IMAP and SMTP and Web). All fine.

Now we have a new internal network coming through the same "WAN leg" (WAN has multiple IPs!).

From this network, I am not able to access the IMAP port of Mail server.

Web is fine, ping works but no IMAP/SMTP (DNAT).

Zone MAIL: IMAP Server 192.168.0.2 GW 192.168.0.1 (Sophos), External 1.2.3.4 (Alias)

Zone User: Terminalserver Server 192.168.1.2 GW 192.168.1.1 (Sophos), External 1.2.3.5

Both networks are SNATted.

Is that "reflexive" NAT (which I then need to start to understand ;-)?

Any help on this?

  • This will still not work. If I understand your network, I think you still have a misconfiguration...

    You have for example WAN IP:

    246.222.141.200/27(Port8:0) USER ZONE

    246.222.141.199/32(Port8:1) MAIL ZONE

    So

    246.222.141.200/27 USER ZONE:

    HostMin:   246.222.141.193
    HostMax: 246.222.141.222

    246.222.141.199/32 MAIL ZONE:

    HostMin:   246.222.141.199
    HostMax: 246.222.141.199

    So USER ZONE thinks that the IP from MAIL ZONE is in the same network.

    Did you also try setting up 246.222.141.200/32? With both on /32 they will look on the router for routes to know where they must reply...

    If you use a domain to connect to 246.222.141.200 you can also maybe solve the connection and routing issue if you make a static DNS host entry which points to the internal IP of the mail server like this:

    And then make some local firewall rule and NAT rule to connect locally...

    In your case I would first try both WAN IPs set to /32 (255.255.255.255) and check logs/packets for what happens...
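The prefix arithmetic in the reply above, as an added check that is not part of the original thread: it recomputes the HostMin/HostMax ranges for the two WAN aliases quoted there and flags alias prefixes that overlap, which is the condition under which one zone treats the other zone's public IP as on-link instead of routing it through the firewall. The alias names are labels constructed for this example; the addresses are the ones from the reply.

```python
import ipaddress

# Constructed from the WAN alias assignments quoted in the reply above.
WAN_ALIASES = {
    "USER ZONE (Port8:0)": "246.222.141.200/27",
    "MAIL ZONE (Port8:1)": "246.222.141.199/32",
}


def host_range(cidr):
    """Return (HostMin, HostMax) for a prefix, matching the reply's calculation.

    A /32 is a single host, so min and max are identical; /31 uses both
    addresses; wider prefixes exclude the network and broadcast addresses.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return str(net[0]), str(net[-1])
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def find_overlaps(aliases):
    """Return sorted name pairs whose prefixes overlap.

    An overlap means a host in one zone will ARP for the other zone's public
    IP directly rather than send the packet to the gateway for DNAT, which
    is the misconfiguration the reply describes.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in aliases.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    for name, cidr in WAN_ALIASES.items():
        lo, hi = host_range(cidr)
        print(f"{cidr} {name}: HostMin {lo}  HostMax {hi}")
    for a, b in find_overlaps(WAN_ALIASES):
        print(f"overlap: {a} <-> {b} (use /32 aliases so the firewall routes between them)")
```

With both aliases narrowed to /32, as the reply suggests, `find_overlaps` returns an empty list.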

  • OK. I'll try again:

    Mail Zone: 10.11.28.8/29, Sophos .9,Mailserver .10 external IP (DNAT Rule) .199

    Terminalserver Zone: 10.11.29.1/29, Sophos .1,Terminalserver .10 external IP (SNAT Rule) .195

    Because the system is productive: I can make these changes the next evening and set the Alias IPs to /32 then.

    After that I come back to you.

    What I do not understand: the Web connection (from Terminalserver to Mailserver) is fine. Also SMTP.

    "Only" DNAT is in trouble.

  • Hi,

    I changed the Alias WAN IPs to /32. Still works as before ;-)

    But nothing becomes better with my DNAT Rules.

    WAF is working, DNAT rules not (from same server).

    I also changed the DNAT Rule for both internal Networks to use IP (.199).

  • I also created Routing-Rules to go directly from one network to the other. That works! So I get it running without accessing the external interface.