DNAT not working, packet status: Violation Local_ACL

Hi, I've made a DNAT to forward some ports to a server behind the Sophos XG, but it doesn't seem to be working, and I can't seem to understand why.

I'm a bit new at this, so I have no clue what could cause this, and I was hoping for some help understanding it.

Some info:

The network is composed of my ISP router (192.168.1.1) forwarding ports to the Sophos machine (192.168.1.254), and the rest of the network is behind it (10.*). I've already tested the port forwarding on the ISP router and it works fine.

The Rule (I've also tried with MASQ off)
Line from Packet Capture:

And this is the packet information I captured for a packet that got blocked:

Ethernet Header
Source MAC Address: 64:59:f8:49:af:50
Destination MAC Address: 00:0c:29:1a:03:89
Ethernet Type: IPv4 (0x800)

IPv4 Header
Source IP Address: 173.236.246.209
Destination IP Address: 192.168.1.254
Protocol: TCP
Header: 20 Bytes
Type of Service: 0
Total Length: 52 Bytes
Identification: 39834
Fragment Offset: 16384
Time to Live: 49
Checksum: 18117

TCP Header
Source Port: 36742
Destination Port: 25565
Flags: SYN
Sequence Number: 1577553627
Acknowledgement Number: 0
Window: 29200
Checksum: 46429
This thread was automatically locked due to age.
  • TheBard,

    Uncheck the "rewrite source address" option and try again.

    Regards

  • I already tested that. I tried again to be sure, but no luck. Same result.

    Also, the firewall logs are empty.

  • TheBard,

    Issue a tcpdump "port xxx" from the console and post the result.

    Thanks

  • Had to figure out how to access the console, but it was easier than expected:

    console> tcpdump "port 25565"
    tcpdump: Starting Packet Dump
    15:27:00.728112 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags [S], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
    15:27:01.724509 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags [S], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
    15:27:03.728260 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags [S], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
    ^C
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
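The blocked-packet dump in the opening post and the console tcpdump above show the same pattern: SYNs from 173.236.246.209 to 192.168.1.254:25565 arrive on Port2 and nothing else appears, with the client retransmitting the same sequence number because it never gets a SYN-ACK. A DNAT that matched would re-emit the same SYN on the LAN-side interface with the destination rewritten to the internal server. The following script is an added example, not code from this thread or from Sophos: it parses tcpdump lines in the XG console format and classifies a flow as translated, answered by the firewall itself, or not translated at all. The internal server address 10.0.0.5, the LAN interface name Port1 and the "working" capture are constructed assumptions for illustration; the verdict labels are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the three SYNs from the console tcpdump in this thread.
THREAD_CAPTURE = """\
15:27:00.728112 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags [S], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
15:27:01.724509 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags [S], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
15:27:03.728260 Port2, IN: IP 173.236.246.209.51886 > 192.168.1.254.25565: Flags [S], seq 3406861371, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
"""

# Constructed, hypothetical capture of what a matching DNAT would look like:
# the inbound SYN leaves the LAN interface with its destination rewritten to
# the internal server, and the server's SYN-ACK goes back out with the source
# un-translated. Port1 and 10.0.0.5 are assumptions, not values from the thread.
WORKING_CAPTURE = """\
15:30:00.100000 Port2, IN: IP 173.236.246.209.40000 > 192.168.1.254.25565: Flags [S], seq 1000, win 29200, options [mss 1452], length 0
15:30:00.100100 Port1, OUT: IP 173.236.246.209.40000 > 10.0.0.5.25565: Flags [S], seq 1000, win 29200, options [mss 1452], length 0
15:30:00.100500 Port1, IN: IP 10.0.0.5.25565 > 173.236.246.209.40000: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
15:30:00.100600 Port2, OUT: IP 192.168.1.254.25565 > 173.236.246.209.40000: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
"""

# One XG console tcpdump line: timestamp, interface, direction, 4-tuple, flags, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"Flags\s+\[\s*(?P<flags>[^\]]*?)\s*\](?:,\s+seq\s+(?P<seq>\d+))?"
)


def parse_tcpdump(text):
    """Return a list of dicts, one per line that matches the console tcpdump format."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def diagnose_dnat(packets, wan_ip, port, internal_ip):
    """Classify what the capture says about SYNs to wan_ip:port.

    Verdicts (this example's own labels):
      translated       a copy of the SYN left toward internal_ip, so the DNAT matched
      answered_locally the firewall itself sent a SYN-ACK (a local service owns the port)
      not_translated   SYNs arrive, nothing leaves and nothing answers; the packet is
                       being handled as traffic to the appliance and dropped there
      no_traffic       no inbound SYN for that port was captured at all
    """
    inbound = [p for p in packets if p["dir"] == "IN" and p["dst"] == wan_ip
               and p["dport"] == port and p["flags"] == "S"]
    forwarded = [p for p in packets if p["dir"] == "OUT" and p["dst"] == internal_ip
                 and p["dport"] == port and p["flags"] == "S"]
    replies = [p for p in packets if p["dir"] == "OUT" and p["src"] == wan_ip
               and p["sport"] == port and p["flags"] == "S."]
    # The same (src, sport, seq) seen more than once is the client retransmitting
    # an unanswered SYN, i.e. nothing ever replied.
    seen = Counter((p["src"], p["sport"], p["seq"]) for p in inbound)
    retransmits = sum(n - 1 for n in seen.values())
    if not inbound:
        verdict = "no_traffic"
    elif forwarded:
        verdict = "translated"
    elif replies:
        verdict = "answered_locally"
    else:
        verdict = "not_translated"
    return {"inbound_syns": len(inbound), "forwarded": len(forwarded),
            "replies": len(replies), "retransmits": retransmits, "verdict": verdict}


if __name__ == "__main__":
    for name, capture in (("thread", THREAD_CAPTURE), ("hypothetical working DNAT", WORKING_CAPTURE)):
        print(name, diagnose_dnat(parse_tcpdump(capture), "192.168.1.254", 25565, "10.0.0.5"))
```

Run as-is, the thread's capture comes back as not_translated with two retransmissions; paste a fresh tcpdump "port 25565" output into THREAD_CAPTURE to re-check after editing the rule. Only inbound SYNs with no copy leaving toward the 10.* server means the DNAT never matched and the packet is being evaluated as traffic to the XG's own address, which is consistent with the Violation Local_ACL status the thread title reports; the thing to verify is therefore the rule's match criteria (inbound interface, destination 192.168.1.254, service TCP/25565), not the firewall rule behind it.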

  • Meanwhile I also tried remaking the rule from scratch, changing ports and the way I tested them, but that didn't work either.

    Strangely enough, I can forward http/s ports just fine by using the WAF, but can't make DNAT to work...

  • Hi,

    your problem is more than likely a double nat. Router then XG. Try putting the router in bridge mode and have the XG manage the internet connection.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
