As a quick background, I have been working with firewalls for about 15 years (Cisco PIX, Cisco ASA, and recently SonicWall TZ and NSa). I have been working on and off with Sophos XGs for about 2 years now so I am familiar with them but they are definitely not my comfort zone.
That said, I am working with a host in a DMZ zone. I have a NAT rule built for a public IP to translate to the DMZ host. I have a WAN-to-DMZ access rule that allows tcp/443 to the DMZ host from any outside source. Boom - that works as expected.
Next, my DMZ host is configured to point to two DNS servers on my internal LAN segment. I need the DMZ host to be able to resolve some internal systems by name, so the DMZ host needs to point to internal servers and not external ones. I have two DMZ-to-LAN access rules so far. The first one is a DMZ-to-LAN any-to-any rule for ICMP. With that in place, my DMZ host can ping my two internal DNS servers by IP. My second rule is a DMZ-to-LAN rule that allows my DMZ host to reach my two internal DNS servers (configured as a group) for the built-in DNS service (tcp/udp 53). Unfortunately, this is where I am breaking down. Whenever I try to resolve something by name from my DMZ host, the DNS resolution fails.
What am I missing to make this work? Would I need a second translate rule between the DMZ and the LAN? Since I was able to ping from DMZ to LAN, I figured I would not need a second translation between DMZ and LAN, but maybe that's where I am going wrong. I also did not configure any explicit access from LAN to DMZ for DNS, figuring that the Sophos would be stateful and would automatically handle the return traffic from the initial DMZ-to-LAN DNS request.
Any advice would be appreciated - TIA!
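Added diagnostic, not something the original poster wrote or ran: a small Python script to run from the DMZ host that sends a raw DNS query to each internal DNS server over both udp/53 and tcp/53 and classifies the result. The useful distinction for a firewall problem like the one above is between a timeout (nothing came back, which is what a dropped packet looks like), a TCP reset (host reachable, port closed or rejected), and an actual DNS reply such as REFUSED (the firewall passed the traffic and the server itself rejected the client). The server addresses 10.0.0.10 / 10.0.0.11 and the name intranet.corp.example are placeholders, assumed for illustration only.

```python
"""Probe DNS servers over UDP and TCP port 53 and classify what comes back.
Server addresses and the query name used below are placeholders (assumptions),
not the original poster's environment."""
import random
import socket
import struct
import sys
from typing import Dict, Optional

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Rule-of-thumb meaning of each verdict when seen from a DMZ host.
DIAGNOSIS = {
    "TIMEOUT": "no reply at all: packet dropped in transit or server not listening",
    "TCP_RST": "host reachable but port 53/tcp closed or actively rejected",
    "REFUSED": "server reached; its own ACL/recursion policy rejects this client",
    "NXDOMAIN": "server reached and answered: name does not exist",
    "NOERROR": "server reached and answered with records",
    "NOERROR_NODATA": "server reached: name exists but no record of this type",
    "SERVFAIL": "server reached but could not resolve (zone/upstream problem)",
    "TRUNCATED": "UDP reply truncated: the server expects a retry over TCP",
    "ID_MISMATCH": "reply carried a different transaction id and was ignored",
}


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: one question, RD set, no EDNS. qtype 1 = A record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def interpret(resp: Optional[bytes], txid: int) -> str:
    """Turn a raw reply (or None for a timeout) into one of the verdicts above."""
    if resp is None:
        return "TIMEOUT"
    if len(resp) < HEADER.size:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = HEADER.unpack(resp[:HEADER.size])
    if rid != txid:
        return "ID_MISMATCH"
    if not flags & 0x8000:      # QR bit clear: this is a query, not a response
        return "NOT_A_RESPONSE"
    if flags & 0x0200:          # TC bit: reply did not fit in the UDP datagram
        return "TRUNCATED"
    rcode = flags & 0x000F
    if rcode == 0 and ancount == 0:
        return "NOERROR_NODATA"
    return RCODES.get(rcode, "RCODE%d" % rcode)


def query_udp(server: str, packet: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Send one datagram to server:53 and wait for a reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
            return data
        except socket.timeout:
            return None


def query_tcp(server: str, packet: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Same query over TCP (2-byte length prefix); None on timeout.
    ConnectionRefusedError is left to the caller, since a RST is informative."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))
            s.sendall(struct.pack("!H", len(packet)) + packet)
            hdr = s.recv(2)
            if len(hdr) < 2:
                return None
            (length,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            return data
        except socket.timeout:
            return None


def probe(server: str, name: str, timeout: float = 2.0) -> Dict[str, str]:
    """Query one server over both transports; returns {'udp': verdict, 'tcp': verdict}."""
    txid = random.randrange(0x10000)
    pkt = build_query(name, txid)
    result = {"udp": interpret(query_udp(server, pkt, timeout), txid)}
    try:
        result["tcp"] = interpret(query_tcp(server, pkt, timeout), txid)
    except ConnectionRefusedError:
        result["tcp"] = "TCP_RST"
    return result


if __name__ == "__main__":
    # Usage: python dnsprobe.py <server> [<server> ...] <name>
    # Defaults are placeholders (assumption), not real addresses.
    args = sys.argv[1:] or ["10.0.0.10", "10.0.0.11", "intranet.corp.example"]
    qname, servers = args[-1], args[:-1]
    for srv in servers:
        for proto, verdict in probe(srv, qname).items():
            print(f"{srv} {proto}/53 {verdict}: {DIAGNOSIS.get(verdict, verdict)}")
```

Run it on the DMZ host against both internal DNS servers. If ping works but both udp/53 and tcp/53 report TIMEOUT, no DNS packet is getting a reply, which points at the path (the rule matching on port 53, or the traffic not hitting that rule at all) rather than at the DNS server. A REFUSED or NXDOMAIN verdict means the firewall passed the query and the remaining problem is on the DNS server side (for example a query or recursion ACL that does not include the DMZ subnet). Checking both transports matters because a rule that only permits UDP still breaks resolvers that fall back to TCP after a truncated reply.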