Business Application Rule - must select an IP Range for Protected Server(s) / dnat ntp

I'm having trouble setting an IP range for an internal DNAT rule to redirect NTP (UDP/123) traffic destined for the WAN to an internal server in LAN. A single IP entry works but I want the rule to catch <ANY> destination IP heading to the WAN interface and redirect (with masquerading) to the inside. When I try to define a range in the "Destination Host/Network" section, the wizard complains that I "must select an IP Range for Protected Server(s)". I found this thread https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80501/how-to-replicate-utm-rule-to-redirect-dns-ntp-to-internal-server where another user was trying to accomplish the same. However, even trying those settings using my port GW address as destination, I'm not seeing the traffic being redirected with tcpdump. Is it possible with version 16.01.2 or is this a known bug? I think an "ANY" option for destination would work perfectly but it's missing, and I also tried 0.0.0.0 like the other poster but the UI prevented me. Thanks for any input.
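The redirect described above can also be verified from a LAN client, without tcpdump on the firewall, by comparing the server-identifying fields of two NTP replies: one from the internal server queried directly, one from a public NTP host queried through the WAN. This is an added example, not code from this thread or from Sophos; it takes the internal server's IP and a public NTP hostname as command-line arguments (both assumptions) and assumes the internal server is stratum 2 or higher, so its reference ID is the IPv4 address of its upstream source.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

def build_client_request():
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3, everything else zero."""
    return struct.pack("!B", (4 << 3) | 3) + b"\x00" * 47

def parse_response(data):
    """Extract the fields that identify which server produced a reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    refid = data[12:16]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    # Stratum 0/1 carry a 4-char ASCII refid (e.g. "GPS"); stratum >= 2 carry
    # the IPv4 address of the upstream server the responder syncs to.
    if stratum <= 1:
        refid_text = refid.rstrip(b"\x00").decode("ascii", "replace")
    else:
        refid_text = socket.inet_ntoa(refid)
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": li_vn_mode & 0x07,          # 4 == server reply
        "stratum": stratum,
        "refid": refid_text,
        "tx_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }

def same_server(a, b):
    """Heuristic: two server replies with identical stratum and refid came from the same host."""
    return (a["mode"] == b["mode"] == 4
            and a["stratum"] == b["stratum"] and a["refid"] == b["refid"])

def query(host, timeout=2.0):
    """Send one request to host:123 and return the parsed reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data)

if __name__ == "__main__":
    import sys
    # usage: python ntpcheck.py <internal-ntp-ip> <public-ntp-host>   (assumed arguments)
    inside, outside = query(sys.argv[1]), query(sys.argv[2])
    print("internal reply:", inside)
    print("public reply:  ", outside)
    print("DNAT redirect in effect:", same_server(inside, outside))
```

With a masquerading DNAT the reply to the public query still appears to come from the public IP, so the packet's source address alone proves nothing; matching stratum and reference ID across both replies is what shows the internal server answered.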

  • Billybob, you are spot-on with what I'm trying to do.

    In XG, there is no built-in definition for ANY or INTERNET (0.0.0.0), so you have to define an IP range that will cover all IPs, like 0.0.0.1 to 255.255.255.254. But when you do that, XG says you can't forward traffic for a range of IPs to a single host.

    It's strange really! This is the error when I try to enter a range for the "Destination Host/Network" field:

    Been pulling my hair out trying to figure this out; I saw @EmileBelcourt's post last night, an hour before I posted my message, and tried the steps, which failed for me.

    The good news is support responded to my ticket, but... they gave me instructions for SNAT UDP 123 on WAN. I've updated the ticket and am awaiting a reply.

    I really hope this is just some bug. Every time I hit some limitation in XG which should be trivial, I learn it was cake in UTM9. *scratches head* I wonder why Sophos didn't keep building on that...

  • CyberA said:

        I really hope this is just some bug. Every time I hit some limitation in XG which should be trivial, I learn it was cake in UTM9. *scratches head* I wonder why Sophos didn't keep building on that...

    Don't get me started [:D]... I have written volumes on the subject. Keep us posted; hopefully support will have a more elegant solution.