
NAT based on source port

Hello, 


On my old UTM 9 I had a NAT rule:

Source IP: Any

source port: 17478

protocol: udp

Destination Port: 1024-65535

Destination IP: Sophos WAN

Forward to: Internal Server on IP 192.168.x.9


It's a certain application which works... strangely.


Session is initiated by a client to the server which I want to run.

The client does this by contacting the server on port 17478 with a random source port.

The server then opens a session with the client, also with destination port 17478 which the client uses to communicate.


At this moment, opening the session outbound to the client works, but the replies from the client are being blocked by my XG.

How would I create such a forward to allow this traffic through the Sophos XG? Is it possible?

Kind regards,

Frank
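The two-phase exchange described in the post, run against a minimal stateful firewall model with DNAT for the published server and SNAT for outbound traffic, as an added example (not Sophos XG code and not from the original post). It shows which datagrams a stateful filter sees as a new flow and which it sees as reply traffic, and what changes when the rule suggested later in the thread (server may open UDP sessions to destination port 17478) is present. The addresses, the ephemeral ports and the assumption that SNAT preserves the source port are constructed for the demo.

```python
"""Model of the two-phase UDP exchange from the post against a minimal stateful
firewall with SNAT/DNAT. Added example, not Sophos XG code; addresses, ephemeral
ports and the one-rule policy are assumptions made for the demonstration."""
import random

APP_PORT = 17478
CLIENT = "203.0.113.10"  # remote client (documentation range, constructed)
WAN = "198.51.100.1"     # XG WAN address (constructed)
SERVER = "192.168.1.9"   # internal server, stands in for 192.168.x.9


class Firewall:
    """Simplified stateful firewall: the first datagram of a flow is matched
    against the rule set and NAT'd; later datagrams in either direction reuse
    the stored translation, which is what 'reply traffic' means to the filter."""

    def __init__(self, allow_server_to_app_port):
        self.allow_server_to_app_port = allow_server_to_app_port
        self.flows = {}  # ("udp", src, dst) as seen on the wire -> (state, new_src, new_dst)

    def _record(self, src, dst, new_src, new_dst):
        # forward direction: translate endpoints as the matching rule decided
        self.flows[("udp", src, dst)] = ("established", new_src, new_dst)
        # reverse direction: datagrams to the translated endpoints map back
        self.flows[("udp", new_dst, new_src)] = ("reply", dst, src)

    def handle(self, src, dst):
        """Return (verdict, state, translated_src, translated_dst)."""
        key = ("udp", src, dst)
        if key in self.flows:
            state, new_src, new_dst = self.flows[key]
            return "allow", state, new_src, new_dst
        # Business rule: publish the server on WAN:17478 (DNAT)
        if dst == (WAN, APP_PORT):
            new_dst = (SERVER, APP_PORT)
            self._record(src, dst, src, new_dst)
            return "allow", "new", src, new_dst
        # Rule proposed in the thread: server may open UDP sessions to dst port 17478
        if src[0] == SERVER and dst[1] == APP_PORT and self.allow_server_to_app_port:
            new_src = (WAN, src[1])  # SNAT to WAN; assumes the source port is preserved
            self._record(src, dst, new_src, dst)
            return "allow", "new", new_src, dst
        return "drop", "no-match", src, dst


def run_exchange(allow_server_to_app_port, seed=1):
    """Replay the four datagrams of the exchange; returns [(label, verdict, state)]."""
    rng = random.Random(seed)
    fw = Firewall(allow_server_to_app_port)
    client_port = rng.randint(49152, 65535)  # client's random source port
    server_eph = rng.randint(49152, 65535)   # server's source port for its own session
    steps = [
        ("1 client -> server, random source port", (CLIENT, client_port), (WAN, APP_PORT)),
        ("2 server answers that datagram", (SERVER, APP_PORT), (CLIENT, client_port)),
        ("3 server opens its own session to client:17478", (SERVER, server_eph), (CLIENT, APP_PORT)),
        ("4 client replies from 17478 to the ephemeral port", (CLIENT, APP_PORT), (WAN, server_eph)),
    ]
    results = []
    for label, src, dst in steps:
        verdict, state, new_src, new_dst = fw.handle(src, dst)
        results.append((label, verdict, state))
        print(f"{label:52s} {verdict:5s} {state:11s} {src} -> {dst}  ~> {new_src} -> {new_dst}")
    return results


if __name__ == "__main__":
    print("-- with the outbound udp/17478 rule --")
    run_exchange(True)
    print("-- without it --")
    run_exchange(False)
```

In this model step 3 is a brand-new outbound flow from the server, so it has to match an allow rule of its own; once it does, step 4 is the reverse of that flow and is handled as reply traffic without any inbound NAT rule keyed on source port 17478.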



This thread was automatically locked due to age.
  • I am back. It still did not have the desired results.


    As soon as I turn on the creation of Reflexive Rules, EVERYTHING goes through those reflexive rules and somehow gets dropped.

    This includes Web Requests, DNS, and all Outbound traffic..

    I tried moving these rules below the rules that handle all the traffic, and including a "LAN > Any > Any = Drop" rule, yet I still see entries in the log:

    This shows traffic to the XG Webadmin + UserPortal. Both pages never load though, as if the traffic is dropped.

    The same happens when opening Google or any web page. TeamViewer on this machine can't connect either.


    This is rule ID 45:

    As soon as I turn off "create reflexive rule", everything works like normal and the traffic gets handled by the right rules/policies.

  • Which side initiates this secondary connection?

    If it's the server inside the XG network, just add a user/network rule allowing this server to open UDP connections to UDP destination port 17478.

  • I have problems with NATs not working on my network and may have to put my old SonicWall back up.


    There is a router inside my XG network.


    The hosting facility has a guy who manages routers 10.141.12.83 and 10.141.12.84; the IP 10.141.12.86 is the virtual IP used in HSRP. I guess that all your traffic leaving the site points to that IP address.


    I have a static policy route using 10.141.12.86 as the gateway... is it really this easy? Just add a user/network rule allowing this server to open UDP connections to UDP destination port 17478?

  • Bro,

    I would advise you to open a new thread, as this one is already answered. Make sure to upload a network diagram, otherwise we are not able to help you.

    Regards