How to enable SNMP via WAN on Sophos XG v19.5

Running SFOS 19.5.0 GA-Build197

How to enable SNMP via WAN port?

I have enabled: System > Administration > Device Access > SNMP on WAN and LAN

There is no response to SNMP queries from the WAN.  However, it works fine in LAN.

What else needs to be accomplished for this to work?

- Scott



  • Unfortunately, after upgrading to v19.5, this stopped working, which is why I am here asking how to make it work again.  As you know, the instructions in that 3-year-old post can't be used as-is, since now you must create both a firewall rule and a NAT rule.  The upgrade conversion process seemed to create both rules OK; however, it simply does not work.  I will take any assistance, ideas, etc., that you might have.

  • I did a packet capture, first looking for incoming packets from the remote server trying to query the Sophos on the alternate port (6161), and the packets are received OK and accepted.  So, the firewall rule seems OK.  Next, I need to see what is happening with the NAT rule, which is supposed to translate the alternate port UDP 6161 to the real SNMP UDP port of 161, and translate the destination IP from the WAN port to the LAN port IP.  I did a packet capture looking for the translated port (161) and it appears that the Sophos is blocking the packets. Port1 is LAN, Port3 is WAN.

    Time                 In interface  Out interface  Ethernet type  Source IP  Destination IP  Packet type  Ports [src,dst]  NAT ID  Rule ID  Status     Reason
    2023-02-15 13:33:45  Port3         -              IPv4           1.2.3.4    10.1.1.250      UDP          33367,161        11      0        Violation  Local_ACL
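A way to test the two paths Scott is comparing (the native port 161 on the LAN address from inside, and the DNAT'd alternate port on the WAN address from outside) from a host on the respective side, added here as an example and not taken from this thread or from Sophos: a dependency-free SNMPv2c GET probe for sysDescr.0, with both the manager-side request and the agent-side response encoded by hand so the parser can be checked offline. The host addresses, ports and community string are placeholders, and the sysDescr value used in the self-test is constructed from the build string at the top of the thread.

```python
import socket

# Added example, not Sophos code: SNMPv2c GET over UDP from the standard library only; hosts, ports and community are placeholders.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, which every SNMP agent answers


def _ber_len(n):
    """Definite-form BER length (short form below 128, long form otherwise)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(v):
    """ASN.1 INTEGER: two's complement, shortest form that keeps a sign bit."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _oid_decode(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(str(a) for a in arcs)

def _parse_tlv(buf, pos=0):
    """Return (tag, payload, end) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def _message(community, pdu_tag, request_id, varbind):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def build_get_request(community, oid, request_id=1):
    """Manager side: GetRequest (0xA0) for one OID with a NULL value."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))

def build_get_response(community, oid, value, request_id):
    """Agent side: GetResponse (0xA2) carrying an INTEGER or OCTET STRING value."""
    enc = _int(value) if isinstance(value, int) else _tlv(0x04, value.encode())
    return _message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + enc))

def parse_get_response(data):
    """Decode a GetResponse into {request_id, error_status, oid, value}."""
    tag, msg, _ = _parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    pos = _parse_tlv(msg, _parse_tlv(msg)[2])[2]   # skip version and community
    pdu_tag, pdu, _ = _parse_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % pdu_tag)
    _, rid, pos = _parse_tlv(pdu)
    _, err, pos = _parse_tlv(pdu, pos)
    _, _idx, pos = _parse_tlv(pdu, pos)
    _, vbl, _ = _parse_tlv(pdu, pos)
    _, vb, _ = _parse_tlv(vbl)                # first varbind only
    _, oid_raw, pos = _parse_tlv(vb)
    vtag, val, _ = _parse_tlv(vb, pos)
    value = (val.decode(errors="replace") if vtag == 0x04 else
             int.from_bytes(val, "big", signed=True) if vtag == 0x02 else val.hex())
    return {"request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "oid": _oid_decode(oid_raw), "value": value}

def probe(host, port, community, oid=SYS_DESCR, timeout=2.0):
    """Send one GET; None means nothing came back before the timeout (the symptom
    in the capture, but also what a silent agent or a v2c community mismatch looks like)."""
    request = build_get_request(community, oid, request_id=42)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_get_response(data)
    if reply["request_id"] != 42:
        raise ValueError("reply does not match the request id")
    return reply
```

Calling `probe("10.1.1.250", 161, "CHANGE-ME")` from a LAN host and `probe("<public WAN IP>", 6161, "CHANGE-ME")` from outside gives a quick before/after check for each rule change; a decoded sysDescr means the whole chain (firewall rule, NAT rule, local ACL, agent) worked, while `None` only says the reply never arrived. Because a v2c agent also stays silent on a wrong community string, `None` on its own does not prove a drop, which is why the packet capture with its Status and Reason columns is still the thing to read alongside the probe.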
  • I created a new Firewall rule that will Allow ANY for Source and Destination, with both the standard SNMP Service (UDP 161:162) as well as my Alternate SNMP port (UDP 6161) and still, the packet capture is the same... the Sophos is DENYING access to the LAN port on UDP 161, if the packet comes from the WAN port.

    I am out of ideas.  How would you configure Sophos v19.5 to take an incoming WAN UDP packet on port 6161, and point it to the Sophos for SNMP on the standard SNMP port?  (LAN or WAN?)

  • Any ideas on how to make SNMP work on the WAN?

  • Hi sneader,

    I'll check this one with our internal team and update you

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thanks for your help, Erick! I will wait to see what you find out.  

  • Hello Sneader,

    Adding to what Erick has mentioned, would you be able to delete and redo the DNAT rule using the Sophos Assistant "DNAT and Firewall Rules for internal web server"? If the issue persists and you are OK enabling Access ID to your device, let me know and I can take a look.

    Are you a home user or a Business user? 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support

  • Hi Emmanuel.  I attempted to use "Server access assistant (DNAT)" but without success.  Right now, here is what I have in the Sophos

    Firewall rule:  
       Source Zone:  WAN
       Source Networks and Devices:  A specific IP on the public Internet
       Destination Zones:  Any
       Destination networks:  #PORT3 (this is my WAN port, with public IP)
       Services:  SNMP UDP 6161

    NAT Rules:
       Original Source:  Any
       Original Destination:  #PORT3 (this is my WAN port, with public IP)
       Original Service:  SNMP UDP 6161
       Translated source (SNAT):  Original
       Translated destination (DNAT): LAN Port IP
       Translated service (PAT):  SNMP UDP 161
       Inbound Interface:  Port3
       Outbound Interface:  Any

    I am attempting to accept UDP 6161 packets from a specific external IP, and translate it to UDP 161, and send the traffic to the Sophos, so that it can receive and respond to SNMP packets.  How can we make this work, like it did in version 17?

    I am a home user. I would be happy to allow your access if you tell me how.  But I would prefer that you let me try to fix it, with your advice. I just need to know how the Sophos could be accessed for SNMP, on an alternate port number.  Thanks!

    - Scott

  • Hi Scott,

    For the access ID you can see below for reference:

    docs.sophos.com/.../SupportAccess.html

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Thanks for the clear instructions, Erick. I have enabled the access and sent you a PM with the details.