Is it me, or is the NAT creation page design just broken?

How do you create a NAT for the same port with TCP AND UDP? Don't tell me I need to create 2 separate rules...

How about something not TCP nor UDP? Like ICMP ...

In the service zone of the NAT rule I must type the port numbers... Why can't I use the same service definitions I created for the firewall rules?

Did a 19-year-old trainee design this page? Come on, we are not talking about a free firewall solution (and I must add that something free like pfSense is far better than XG in firewall/NAT/interface handling).

  • The source is the external "any", as per your rule. I wasn't sure what the 5:0 was; you are correct, you would not add that to matched addresses. That would be your outbound address (the XG developers haven't quite grasped the fact that there is incoming traffic).

    You can try with your specific zone, but experience so far is that they don't always work the way you expect them to. There are a number of feature requests/bugs about the workings of some local user-created identities. One notable failure is country blocking; it only works on all.

    I will try again during the v17 beta to see what happens.

  • You can't make a single DNAT rule forwarding both the UDP and TCP port (like 53).
    Also, a single rule can only forward TCP, UDP, or do a 1:1 mapping. This last option translates all incoming protocols to the internal address.

    What's the use case of forwarding ICMP? I've never seen it used.

  • Hi MassimoForni,

    The behaviour is derived from Cyberoam: the ports you can DNAT are either TCP or UDP. As ICMP does not use either of these two protocols, you may need to consider "Everything" to allow ICMP to be forwarded.

    Also, ICMP packets are used for ping purposes and to check connectivity. You may forward the necessary ports you need to communicate with the server etc. and enable Ping on Appliance Access so the XG replies instead of your server. If you wish to check the server connectivity directly, you may use the TCP protocol to test your connection via Telnet.

    For Windows NT/2000/XP:

    1. Click Start, and then click Run.
    2. Type telnet and click OK.
      For example: telnet pca.mydomain.com 5631

    For Windows 9x/Me:

    1. Click Start, and then click Run.
    2. Type telnet and click OK.
    3. Click Connect, then click Remote System.
    4. Enter the hostname/IP and port number in the appropriate fields.
    5. Click Connect.
    • If you see a blank screen with a flashing cursor, which may or may not populate with data over a period of time, you are attached to a TCP port.
    • If you see "Connection timed out", "Connection reset by host", "Could not open connection", or "Connection failed", either there is some sort of packet filtering between the two computers or the service is not currently waiting on the specified port.
    • If you want to test a TCP service on your local computer, use the IP address 127.0.0.1. This is the reserved "local host" address.

    To enable Telnet on Windows Vista and Windows 7 computers, do the following:

    1. Open control panel.
    2. Then go into programs.
    3. Then in Programs and Features there should be a part that says "Turn Windows features on or off".
    4. Click "Turn Windows features on or off", then on the list that appears simply check the box beside: Telnet Client.
    5. Then click ok.

    You may also refer to the link below:

    https://technet.microsoft.com/itpro/powershell/windows/tcpip/test-netconnection

  • ICMP was only an example, but what about GRE?

  • Indeed, you can't forward the GRE protocol. And that really is something I'd miss too; I'm using it at home for some GRE-IPsec tunnels.

    Do a feature request.
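The Telnet port test described in the thread, as an added example that is not part of the original posts: a small Python check that does what `telnet host port` does for the TCP side of a DNAT and, because UDP has no handshake, sends a real DNS query to confirm the UDP side of a port-53 forward (the thread's point that TCP and UDP need separate rules). The WAN address 203.0.113.10 and the query name example.com are placeholders, not values from the thread.

```python
"""Verify a DNAT from outside: TCP connect test plus a UDP DNS probe.

Constructed example; the address and query name are placeholders.
"""
import random
import socket
import struct


def build_dns_query(name: str, txid: int) -> bytes:
    """Standard query header (RD=1) with one question: <name> IN A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def dns_response_matches(data: bytes, txid: int) -> bool:
    """True if data is a DNS response (QR bit set) carrying our transaction id."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack(">HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Same test as 'telnet host port': does the forwarded TCP port accept?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or filtered
        return False


def check_udp_dns(host: str, port: int = 53, timeout: float = 2.0) -> bool:
    """UDP has no handshake, so send a DNS query and require a matching reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query("example.com", txid), (host, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, or ICMP port-unreachable surfaced as error
            return False
    return dns_response_matches(data, txid)


if __name__ == "__main__":
    public = "203.0.113.10"  # placeholder: the XG WAN address holding the DNAT
    print("TCP/53 forwarded:", check_tcp(public, 53))
    print("UDP/53 forwarded:", check_udp_dns(public, 53))
```

A TCP success with a UDP failure on the same port is exactly the one-rule-per-protocol symptom discussed above.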