
Question regarding the operation of firewall rules on an IPsec connection

I have a question about creating firewall rules for site-to-site VPN connections. Namely, we created a site-to-site VPN connection with the client; the connection itself has NAT for our two local networks. We created an additional rule that should pass the traffic sent from us to the client's side, but that does not happen: in the logs there is no information about even an attempt to pass any traffic. The rule looks like this:

PPL are client-side hosts



This thread was automatically locked due to age.
  • Hi Paweł Buda

    Please create a test firewall rule to troubleshoot the issue; you may create LAN-VPN and VPN-LAN firewall rules. Keep the rule position on TOP and the rule group as none.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello

    I created the rules and moved them to the top, and I see an improvement because telnet connects to a specific port on a given host,

    but when the page is loaded, unfortunately I get this message:

  • Hi Paweł Buda

    Please check the traffic flow with the help of packet capture. As per the shared snapshot, is the server down at the remote location? What does ping say?

    Please go to MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure and add host <destination IP>, start the packet capture and access the server.

    Share the packet capture you have taken from the GUI.

    From the CLI, check tcpdump as well as the drop-packet capture:

    console> tcpdump 'host <destination IP> and port <no.>'

    console> drop-packet-capture 'host <destination IP>'

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi

    What I was able to get from tcpdump:

    14:31:51.295509 ifb0, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:51.295512 PortA8, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:52.667510 ifb0, OUT: IP 10.0.88.10.52502 > 10.10.32.2.443: Flags [S], seq 1148646670, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:52.667513 PortA8, OUT: IP 10.0.88.10.52502 > 10.10.32.2.443: Flags [S], seq 1148646670, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:53.147508 ifb0, OUT: IP 10.0.88.10.52472 > 10.10.32.2.443: Flags [S], seq 996726618, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:53.147512 ifb0, OUT: IP 10.0.88.10.52470 > 10.10.32.2.443: Flags [S], seq 1144424301, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:53.147513 PortA8, OUT: IP 10.0.88.10.52472 > 10.10.32.2.443: Flags [S], seq 996726618, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:53.147515 PortA8, OUT: IP 10.0.88.10.52470 > 10.10.32.2.443: Flags [S], seq 1144424301, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:53.307485 ifb0, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:53.307488 PortA8, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:55.254649 PortA1, IN: IP 192.168.99.220.58472 > 10.10.32.2.80: Flags [F.], seq 1, ack 2, win 513, length 0
    14:31:56.731452 ifb0, OUT: IP 10.0.88.10.52502 > 10.10.32.2.443: Flags [S], seq 1148646670, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:56.731454 PortA8, OUT: IP 10.0.88.10.52502 > 10.10.32.2.443: Flags [S], seq 1148646670, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:57.503446 ifb0, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:31:57.503449 PortA8, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:01.339416 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58615: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:01.339420 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58615: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:01.339429 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58614: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:01.339432 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58614: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:01.341220 PortA1, IN: IP 192.168.99.220.58632 > 10.10.32.2.443: Flags [SEW], seq 2667754256, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:32:01.341299 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58632: Flags [S.], seq 2581913953, ack 2667754257, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:01.341360 PortA1, IN: IP 192.168.99.220.58633 > 10.10.32.2.443: Flags [SEW], seq 340119312, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:32:01.341409 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58633: Flags [S.], seq 1433837456, ack 340119313, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:01.341871 PortA1, IN: IP 192.168.99.220.58632 > 10.10.32.2.443: Flags [.], ack 1, win 513, length 0
    14:32:01.341919 PortA1, IN: IP 192.168.99.220.58633 > 10.10.32.2.443: Flags [.], ack 1, win 513, length 0
    14:32:01.342197 PortA1, IN: IP 192.168.99.220.58633 > 10.10.32.2.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
    14:32:01.342208 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58633: Flags [.], ack 518, win 237, length 0
    14:32:01.342500 PortA1, IN: IP 192.168.99.220.58632 > 10.10.32.2.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
    14:32:01.342514 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58632: Flags [.], ack 518, win 237, length 0
    14:32:01.342796 ifb0, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:01.342799 PortA8, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:01.342914 ifb0, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:01.342917 PortA8, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:02.363480 ifb0, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:02.363483 PortA8, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:02.363598 ifb0, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:02.363602 PortA8, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.379481 ifb0, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.379484 ifb0, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.379485 PortA8, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.379487 PortA8, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.854196 PortA1, IN: IP 192.168.99.220.58472 > 10.10.32.2.80: Flags [R.], seq 2, ack 2, win 0, length 0
    14:32:04.923422 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58620: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:04.923425 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58620: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:04.924541 PortA1, IN: IP 192.168.99.220.58637 > 10.10.32.2.443: Flags [SEW], seq 4277904588, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:32:04.924670 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58637: Flags [S.], seq 3986528289, ack 4277904589, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.925202 PortA1, IN: IP 192.168.99.220.58637 > 10.10.32.2.443: Flags [.], ack 1, win 513, length 0
    14:32:04.925664 PortA1, IN: IP 192.168.99.220.58637 > 10.10.32.2.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
    14:32:04.925678 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58637: Flags [.], ack 518, win 237, length 0
    14:32:04.926200 ifb0, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:04.926202 PortA8, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:05.695410 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58622: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:05.695413 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58622: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:05.696088 PortA1, IN: IP 192.168.99.220.58640 > 10.10.32.2.443: Flags [SEW], seq 4253405224, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:32:05.696167 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58640: Flags [S.], seq 1547628753, ack 4253405225, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:05.696534 PortA1, IN: IP 192.168.99.220.58640 > 10.10.32.2.443: Flags [.], ack 1, win 513, length 0
    14:32:05.696896 PortA1, IN: IP 192.168.99.220.58640 > 10.10.32.2.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
    14:32:05.696906 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58640: Flags [.], ack 518, win 237, length 0
    14:32:05.697260 ifb0, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:05.697263 PortA8, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:05.947599 ifb0, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:05.947602 PortA8, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:06.719498 ifb0, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:06.719502 PortA8, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:07.963467 ifb0, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:07.963470 PortA8, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:08.507463 ifb0, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:08.507465 PortA8, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:08.507492 ifb0, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:08.507494 PortA8, OUT: IP 10.0.88.10.52750 > 10.10.32.2.443: Flags [S], seq 2132815956, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:08.731477 ifb0, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:08.731479 PortA8, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:12.091472 ifb0, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:12.091475 PortA8, OUT: IP 10.0.88.10.52856 > 10.10.32.2.443: Flags [S], seq 116101088, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:12.859510 ifb0, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:12.859513 PortA8, OUT: IP 10.0.88.10.52882 > 10.10.32.2.443: Flags [S], seq 881351462, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0
    14:32:16.699426 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58633: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:16.699430 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58633: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:16.699446 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58632: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:16.699448 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58632: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:20.283442 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58637: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:20.283446 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58637: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:21.051425 ifb0, OUT: IP 10.10.32.2.443 > 192.168.99.220.58640: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:21.051428 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58640: Flags [R.], seq 1, ack 518, win 237, length 0
    14:32:30.953724 PortA1, IN: IP 192.168.99.220.58616 > 10.10.32.2.80: Flags [.], seq 0:1, ack 1, win 513, length 1: HTTP
    14:32:30.953743 PortA1, OUT: IP 10.10.32.2.80 > 192.168.99.220.58616: Flags [.], ack 1, win 229, options [nop,nop,sack 1 {0:1}], length 0
    14:32:47.227676 PortA1, OUT: IP 10.10.32.2.80 > 192.168.99.220.58616: Flags [F.], seq 1, ack 1, win 229, length 0
    14:32:47.228507 PortA1, IN: IP 192.168.99.220.58616 > 10.10.32.2.80: Flags [.], ack 2, win 513, length 0
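    To make a capture like the one above easier to read, here is an added Python helper (not from the original thread or from Sophos) that groups the tcpdump lines into TCP flows and lists the outbound SYNs that never received a SYN-ACK, together with the interface they left on. The regex assumes the console tcpdump line format shown above; the sample lines are constructed from that capture with the TCP options field shortened.

    ```python
    import re
    from collections import defaultdict

    # Sophos console tcpdump line format as seen in the thread (assumed):
    # "14:31:51.295512 PortA8, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], ..."
    LINE_RE = re.compile(
        r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
        r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
        r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    )

    # Constructed sample: a handful of lines taken from the capture above, options trimmed.
    SAMPLE = """\
    14:31:51.295509 ifb0, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, length 0
    14:31:51.295512 PortA8, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, length 0
    14:31:53.307488 PortA8, OUT: IP 10.0.88.10.52508 > 10.10.32.2.443: Flags [S], seq 2278477, win 32440, length 0
    14:32:01.341220 PortA1, IN: IP 192.168.99.220.58632 > 10.10.32.2.443: Flags [SEW], seq 2667754256, win 8192, length 0
    14:32:01.341299 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58632: Flags [S.], seq 2581913953, ack 2667754257, win 29200, length 0
    14:32:01.342796 ifb0, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, length 0
    14:32:01.342799 PortA8, OUT: IP 10.0.88.10.52748 > 10.10.32.2.443: Flags [S], seq 569866451, win 32440, length 0
    14:32:16.699448 PortA1, OUT: IP 10.10.32.2.443 > 192.168.99.220.58632: Flags [R.], seq 1, ack 518, win 237, length 0
    """

    def analyse(capture):
        """Group packets into flows keyed by (src, sport, dst, dport); record SYN count,
        whether a SYN-ACK came back, whether a RST was sent, and the SYN egress interfaces."""
        flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False, "ifaces": set()})
        for line in capture.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue  # skip lines that are not TCP packets in the expected format
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            rkey = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            flags = m["flags"]
            if "S" in flags and "." not in flags:      # bare SYN ("SEW" = SYN with ECN bits)
                flows[key]["syn"] += 1
                flows[key]["ifaces"].add(m["iface"])
            elif flags.startswith("S."):                # SYN-ACK answers the reverse flow
                flows[rkey]["synack"] = True
            elif "R" in flags:                          # RST tears down the reverse flow
                flows[rkey]["rst"] = True
        return flows

    def unanswered_syns(flows):
        """Flows that sent SYNs but never saw a SYN-ACK: (key, syn_count, interfaces)."""
        return sorted((k, v["syn"], sorted(v["ifaces"]))
                      for k, v in flows.items() if v["syn"] and not v["synack"])

    if __name__ == "__main__":
        for key, count, ifaces in unanswered_syns(analyse(SAMPLE)):
            print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  SYNs={count}  egress={ifaces}")
    ```

    On the posted capture this shows the firewall's own 10.0.88.10 connections to 10.10.32.2:443 retransmitting SYNs out of PortA8 with no reply, while the client-side 192.168.99.220 flows on PortA1 are answered by the firewall and later reset.
    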

  • Hi Paweł Buda

    As per the logs, traffic is not passing through the IPsec VPN.

    Please configure the tunnel status. May I know what is PortA8 ?

    Thanks

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello

    The connection status is the same as connected.

    The public address of our gateway is set under Port 8.

  • Hi Paweł Buda

    Please check the traffic flow under Packet Capture from the GUI too.

    Please go to MONITOR & ANALYZE-->Diagnostics-->Packet Capture, click on Configure, add "host 10.10.32.2" and start the packet capture.

    Please share the output of the command below:

    system route_precedence show

    Thanks 

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Screenshot with packet capture

  • Hi Paweł Buda

    Traffic is passing through rule ID 18 instead of the rule ID 268 you have configured!

    Please open the CLI of the firewall and go to option 4:

    console> system route_precedence show

    Please go to Configure-->VPN-->IPsec and share the connection type configured on the IPsec VPN.

    Thanks 

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I don't know if I understood correctly, but the connection type is site-to-site.
