
Maintaining incoming IP address when routing traffic

Hi,

I'm a bit of a novice when it comes to networking and I'm slowly getting to grips with it so please bear with me.

What I have at the moment is this:

The IPs aren't real (clearly), but it's the basic gist.

The problem I have is that both the SFTP and web servers see traffic coming from the XG's LAN interface, and what I'm trying to achieve is having the XG send traffic through while maintaining the original source IP from the outside world.

I.e. user 1 on 80.70.60.50 and user 2 on 50.60.70.80 should have the traffic on each respective service's server appear as such, rather than the XG's "192.168.5.5" LAN IP.

The NAT rules I've got in place at the moment -do- work, so traffic is getting to the right place, I'm just not clear on what I need to adjust (assuming such a thing is even possible?) to get to where I want to be.

My thanks in advance for any pointers in the right direction.



  • Hi,


    Apologies for the delay in responding, I've been on annual leave.

    I did try that, however traffic fails to reach any destination. I can only get traffic through the firewall to the destination servers if the "Translated source (SNAT)" is set to an entry that matches the XG's LAN address.

    If it's set to anything else, the traffic appears to disappear into a black hole somewhere.

    Any thoughts?

    Regards,

  • Hello,

    Most likely your local firewall is dropping the connection; usually, the Windows Firewall will only reply to packets coming from its own subnet, and not from others.

    You can install Wireshark on the end devices with the issue; most likely you'll see that they see the real public IP, but they're not replying to it.

    Regards,

  • Hi Emmanuel,


    We've built with that in mind already; every server we have behind the firewall & RDS gateways is already in a different subnet, as they're all on distinct VNets.

    It works as I want it to if I take the firewall out of the setup, which makes me think it's something in the firewall setup that's not quite right.

    Regards,

  • Hello there,

    Then please open a Case with support to have this investigated and feel free to share the Case ID with me so I can follow up.

    Regards,

  • Hello,

    @emmosophos: I think he got you wrong.

    @Project2501 It is not the subnets on your private VLANs which are meant here. You have to allow packets coming from your public IP into your "server2" and "server2" machines at those systems' local firewalls as well. It is the public subnet he was thinking of.

    Or, just for testing purposes, try to deactivate the local firewalls on the servers and test again.

  • Hi,

    We found the problem!

    The issue was with the LAN NIC on the XG: there were security controls in place and rules for internal traffic. What we had missed, of course, was that with the original source IP in place, that rule was then blocking the traffic from the LAN NIC to the rest of the internal networking!

    Thanks everyone for your assistance though, it did ultimately help steer the diagnostics.
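The resolution above (and Emmanuel's earlier point about host firewalls) has the same shape: once SNAT is removed, the servers and every LAN-side policy see the public client address instead of the XG's LAN IP, and any rule written only for private sources silently drops the flow. The following model is an added example, not code from this thread or from Sophos; the rule set, the 10.10.0.0/24 server subnet, the 203.0.113.10 WAN address and the function names are constructed, while 80.70.60.50 and 192.168.5.5 are the addresses from the original post.

```python
"""Model of the NAT/ACL interaction described in the thread.

Added example, not code from the original thread or from Sophos. The
rule set, the 10.10.0.0/24 server subnet, the 203.0.113.10 WAN address
and the function names are constructed for illustration; 80.70.60.50
(a client) and 192.168.5.5 (the XG LAN IP) follow the original post.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src_net: str            # permitted source network
    dst_net: str            # permitted destination network
    dport: Optional[int]    # None matches any port
    action: str             # "allow" or "drop"

def translate(flow: Flow, dnat_to: str, snat_to: Optional[str] = None) -> Flow:
    """DNAT to the server; SNAT only when a translated source is set."""
    out = replace(flow, dst=dnat_to)
    return replace(out, src=snat_to) if snat_to else out

def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """First-match policy evaluation; implicit drop when nothing matches."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "drop"

# Constructed "internal traffic" policy on the LAN side: only private sources may reach the servers.
INTERNAL_ONLY = [Rule("192.168.0.0/16", "10.10.0.0/24", None, "allow")]
# Corrected policy: the published SFTP service also accepts any source, but only on its port.
FIXED = [Rule("0.0.0.0/0", "10.10.0.0/24", 22, "allow")] + INTERNAL_ONLY

CLIENT = Flow("80.70.60.50", "203.0.113.10", 22)   # client hitting the XG's WAN address

def outcome(rules: List[Rule], snat_to: Optional[str] = None) -> str:
    """Result for the client's flow after DNAT to the SFTP server, with or without SNAT."""
    return evaluate(translate(CLIENT, "10.10.0.20", snat_to), rules)
```

With SNAT to 192.168.5.5 the internal-only rule allows the flow; with the original source IP preserved the same rule set drops it, and only a rule that explicitly admits public sources to the published port restores the path.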