Using public IP addresses to RDP into internal servers from the internal network

I'm in a bind and really need help with this configuration.

I have a client that is replacing a Meraki router with an XGS126 on SFOS 18.5.2 MR-2-Build380.

In the Meraki router they had 1:many NAT port forwarding rules that said for 162.x.x.x public IP, forward these ports (rdp, http, https, etc) to this internal 10.x.x.x address.

Before everyone goes off about opening up the RDP port to external sources, I'm aware of the security risk and we will change that soon. I had the same huff, but this is what the client wants for now and they are aware of the risk.

This allows them to use the public IP to RDP into the internal servers from outside and inside the network. Important to note: both external and internal RDP use 162.x.x.x.

In the XGS126 I set up DNAT rules that also created DNAT reflexive, DNAT loopback, and DNAT firewall settings. The rule works from external networks, but will not work from the internal network. If you use the policy tester, the ports and connection are allowed from an internal IP to the public IP with 3389 as the port.

I've created firewall rules for LAN, any host, any service to LAN, any host, any service, and many other versions that should make logical sense. I'm really at a loss and need some help understanding the rule set that's needed to make this work.

Thanks in advance.

  • Hi Jeff Soper

    Please check by creating LAN to LAN firewall rule.

    You may refer to the snapshot below.

    This might help

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Assumption: your LAN to LAN rule is at the top or close to the top of your rule list?
    ian

    XG115W - v19.5.1 mr-1 - Home


  • I do have this rule and it's near the bottom of the list. When you do a policy test for 162.x.x.x:3389 from 10.x.x.x, it's the policy that allows it. Still, the RDP client won't work.

  • Hi Jeff 

    Please keep the rule on TOP and share the logs from the commands below:

    Check the following from CLI 

    console>ping <ip address of the system>

    console>telnet <ip address of the system> 3389

    console>drop-packet-capture 'host <destination IP address> and port 3389'

    Check packet flow with packet capture: please navigate to MONITOR & ANALYZE --> Diagnostics --> Packet Capture, click on Configure, add the WAN IP and port as shown below, and share the logs with us.

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • With the LAN:ANY to LAN:ANY rule as the #1 rule, I tried to run the console commands with the 162.x.x.x address as the host and there was no communication. Ping didn't resolve, and telnet said that there was no route. The packet capture resulted in zero entries. I did the same for the internal 10.x.x.x address and the packet capture log was showing the traffic for port 3389 after running the console command. Are there any DNS routes that I need to create on the firewall to push the 162.x.x.x address to the internal address? I thought that's what the NAT rules were doing.

  • Hi Jeff Soper

    If you are not getting a ping reply from the local system on the LAN, it means the system is not reachable through the Sophos firewall. If ping works but telnet to port 3389 does not, it means the port is closed on the system's end.

    Please share the logs to assist you further.

    console>ping <ip address of the local system>

    console>telnet <ip address of the local system> 3389

    console>drop-packet-capture 'host <destination IP address> and port 3389'

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Hi,

    You don't need a LAN-LAN rule.

    Just make the DNAT rule with the wizard, or make similar rules.

    Then open the firewall rule and change Source [WAN] to [ANY] or add [LAN]. Make sure the NAT rule has source masquerading on, or change the sources on the loopback rule.

    That's it.

    Bart van der Horst


    Sophos XG v18(.5) / v19 Certified Architect
    https://www.bpaz.nl

  • I did change the firewall rule from WAN to ANY. Just to be clear, the NAT rule you're referencing is the loopback rule? This has the masq on as the translated source, which is ANY. Should I turn off or delete the LAN-LAN rule?
