Using public IP addresses to RDP into internal servers from the internal network

I'm in a bind and really need help with this configuration.

I have a client that is replacing a Meraki router with a XGS126 on SFOS 18.5.2 MR-2-Build380.

In the Meraki router they had 1:many NAT port forwarding rules that said for 162.x.x.x public IP, forward these ports (rdp, http, https, etc) to this internal 10.x.x.x address.

Before everyone goes off about opening up the RDP port to external sources, I'm aware of the security risk and we will change that soon. I had the same huff, but this is what the client wants for now and they are aware of the risk.

This allows them to use the public IP to RDP into the internal servers from outside and inside the network. Important to note: both external and internal RDP use 162.x.x.x.

In the XGS126 I set up DNAT rules that also created the DNAT reflexive, DNAT loopback, and DNAT firewall settings. The rule works from external networks, but will not work from the internal network. If you use the policy tester, the ports and connection are allowed from an internal IP to the public IP with 3389 as the port.

I've created firewall rules for LAN, any host, any service to LAN, any host, any service, and many other versions that should make logical sense. I'm really at a loss and need some help understanding the rule set that's needed to make this work.

Thanks in advance.



This thread was automatically locked due to age.
  • Hi Jeff Soper

    Please check by creating a LAN to LAN firewall rule.

    You may refer to the snapshot below.

    This might help

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I do have this rule and it's near the bottom of the list. When you do a policy test for 162.x.x.x:3389 from 10.x.x.x it's the policy that allows it. Still the rdp client won't work.

  • Hi Jeff 

    Please keep the rule on TOP and share the logs from the commands below:

    Check the following from CLI 

    console>ping <ip address of the system>

    console>telnet <ip address of the system> 3389

    console>drop-packet-capture 'host <destination IP address> and port 3389'

    Check the packet flow with packet capture: navigate to MONITOR & ANALYZE --> Diagnostics --> Packet Capture, click on Configure, add the WAN IP and port as shown below, and share the logs with us.

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • With the LAN:ANY to LAN:ANY rule as the #1 rule, I tried to run the console commands with the 162.x.x.x address as the host and there was no communication. Ping didn't resolve, and telnet said that there was no route. The packet capture resulted in zero entries. I did the same for the internal 10.x.x.x address, and the packet capture log was showing the traffic for port 3389 after running the console command. Are there any DNS routes that I need to create on the firewall to push the 162.x.x.x address to the internal address? I thought that's what the NAT rules were doing.
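The thread never spells out what the "DNAT loopback" part of the rule has to do for a LAN client. The model below is an added example written for this page, not Sophos code and not a diagnosis of the poster's setup: it simulates the hairpin flow a LAN client creates by dialling its own public IP, first with only the destination NAT and then with the loopback source NAT as well. All addresses are constructed (162.0.2.10 stands in for the poster's 162.x.x.x, 10.0.0.0/24 for the internal network, 198.51.100.7 for an outside client), and the routing rule that same-subnet hosts reach each other directly at layer 2 is the assumption the model rests on.

```python
"""Hairpin (loopback) NAT model: why a LAN client reaching its own public IP
needs source NAT on the firewall in addition to the DNAT.

Added illustration for this thread, not Sophos code. Every address here is
constructed; 162.0.2.10 stands in for the poster's 162.x.x.x public IP.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("10.0.0.0/24")        # assumed internal subnet
FW_LAN_IP = ip_address("10.0.0.1")     # firewall's LAN address (assumed)
PUBLIC_IP = ip_address("162.0.2.10")   # firewall's WAN address (constructed)
SERVER = ip_address("10.0.0.20")       # internal RDP server (constructed)
CLIENT = ip_address("10.0.0.50")       # LAN workstation (constructed)
EXTERNAL = ip_address("198.51.100.7")  # client on the Internet (constructed)
RDP = 3389


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

    def reply(self) -> "Packet":
        """What the receiving host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Firewall:
    """DNAT PUBLIC_IP:3389 -> SERVER:3389; optionally also SNAT LAN sources
    to the firewall's own LAN address (the loopback / masquerade half)."""

    def __init__(self, snat_lan_hairpin: bool) -> None:
        self.snat_lan_hairpin = snat_lan_hairpin
        # 4-tuple of the server's expected reply -> the client's original packet
        self._conntrack: dict[tuple, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst == PUBLIC_IP and pkt.dport == RDP:
            src = pkt.src
            if self.snat_lan_hairpin and pkt.src in LAN:
                src = FW_LAN_IP  # makes the server route its reply back to us
            out = Packet(src, pkt.sport, SERVER, RDP)
            self._conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._conntrack:  # reverse-translate the server's reply
            orig = self._conntrack[key]
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        return pkt  # not a NATed flow: routed unchanged


def deliver_from_server(reply: Packet) -> str:
    """Path the server's reply takes. A destination on the server's own subnet
    is reached directly at layer 2 and never touches the firewall; the
    firewall itself and anything off-subnet go through the firewall."""
    if reply.dst != FW_LAN_IP and reply.dst in LAN:
        return "direct"
    return "via_firewall"


def rdp_attempt(fw: Firewall, client: IPv4Address) -> str:
    """Simulate a SYN from `client` to PUBLIC_IP:3389 and the server's SYN/ACK.
    Returns 'established' or a reason the client's TCP stack drops the reply."""
    syn = Packet(client, 50000, PUBLIC_IP, RDP)
    to_server = fw.forward(syn)  # 162.x is off-subnet, so the client's gateway sees it
    synack = to_server.reply()
    path = deliver_from_server(synack)
    if path == "via_firewall":
        synack = fw.forward(synack)
    # The client only accepts a reply from the address:port it actually dialled.
    if (synack.src, synack.sport) == (syn.dst, syn.dport) and synack.dst == client:
        return "established"
    return (f"reply dropped: client expected {syn.dst}:{syn.dport}, "
            f"got {synack.src}:{synack.sport} ({path})")


if __name__ == "__main__":
    for label, fw, client in [
        ("external client, DNAT only", Firewall(False), EXTERNAL),
        ("LAN client, DNAT only", Firewall(False), CLIENT),
        ("LAN client, DNAT + loopback SNAT", Firewall(True), CLIENT),
    ]:
        print(f"{label}: {rdp_attempt(fw, client)}")
```

Without the source NAT the server answers the LAN client directly, the client sees a SYN/ACK from 10.0.0.20 instead of 162.0.2.10, and the session never opens even though the policy tester says the flow is allowed; the external client is unaffected because its reply has to pass the firewall anyway. The price of the loopback SNAT is that the server's own logs record the firewall's LAN address rather than the real workstation, which matters for any later investigation of RDP logons. The model is also only about return-path asymmetry: it does not explain packets that never reach the firewall at all, which is what a zero-entry capture for the public IP would indicate.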

