
DNAT Setup not working

Hi,

I have installed the latest XG 17.03 MR-3 as a NAT setup. I have Port1 for LAN (static) and Port2 for WAN (static). Routing from the WAN is like this: WAN -> ISP Router -> XG -> Clients. I want to use DNAT, e.g. for SSH, to rewrite from port 2222 to 22. I read the DNAT how-to and set it up like this. It worked once, but not anymore since then. The firewall rule is like this:

  • Source = WAN
  • Allowed Networks = Any
  • Blocking = empty
  • Destination = Server-IP (Client LAN)
  • Service = I created a new one for port 2222
  • Route to = Server-IP (Client LAN)
  • Port = 22
  • Zone = LAN
  • Change Port = unchecked
  • Default for advanced options, no masqu, no reflex rule
  • Firewall Logging = checked

I can't see any hint of problems in the logs. Any help?

thx

  • Hi,

    no screenshot, but the configuration is above and the network is like this:

    • Port1
    • LAN
    • Physical
    • Connected
    • Auto-negotiated
    • 192.168.0.4/255.255.255.0
    • Static

    • Port2
    • WAN
    • Physical
    • Connected
    • Auto-negotiated
    • 192.168.1.3/255.255.255.0
    • DHCP

    hope that helps.

  • Hello Maik,

    In my eyes there are two wrong settings:

    As "Destination" you must define the external WAN IP of the XG, which is contacted by the client from outside.

    The second thing you must change: you must set the port mapping by checking "Change Destination Port(s)": 2222 to 22. This will change the destination port from 2222 to 22.

    For me it should look like this:

    Source = WAN
    Allowed Networks = Any
    Blocking = empty
    Destination = WAN interface of the XG, which is contacted by the client from outside
    Service = I created a new one for port 2222
    Forward to = Under "Protected Server" use the Server-IP (Client LAN)
    Mapped Port = 2222 to 22 (check the flag "Change Destination Port(s)")
    Protected Zone = LAN
    Change Port = checked
    Default for advanced options, no masq, no reflex rule
    Firewall Logging = checked

    GOOD LUCK!

     

    Mario

  • Hello Maik,

    this changes things a little bit.

    You don't have a public IP on your WAN interface; instead you have a transfer net between the ISP router and the XG.

    Therefore there must be a port-forwarding rule on the ISP router which forwards the traffic from the ISP router to the XG.
    In your case you need a port-forwarding rule on the ISP router which forwards all traffic for isp-router-wan-ip:2222 to xg-port2-ip:2222.

    And make sure that the ISP router doesn't use IPv6 (e.g. with DS-Lite) for its connection to the internet. In that case I think (but I'm not sure) you don't have the possibility to reach your XG via a public IP from outside.

    Mario

  • Hi Mark,

    As you have an ISP router in place, your XG firewall does not have a public IP (unless you have bridged the ISP router).

    Configuration on ISP router

    Create a Virtual host/DNAT rule with source port 1:65535 or * and destination port 2222 mapped to port 22222 on the XG firewall WAN interface.

    Configuration on XG

    Create a DNAT rule, Services 2222.

    Forward to the IP address of the system you would like to SSH to, and the mapped port would be 22.

    Apply NAT MASQ and SAVE.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

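Added example, not from this thread or from Sophos: a small Python model of the two DNAT hops Mario and Aditya describe (ISP router forward, then the XG rule), to show why the original rule with "Destination = Server-IP" never matched. Field names, the server IP 192.168.0.50 and the ISP public IP are constructed; the LAN/WAN addresses are the ones posted above.

```python
# Hypothetical model of the two DNAT hops discussed in the thread.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    """One DNAT rule as set up in the thread (field names are hypothetical)."""
    destination: str      # address the incoming packet is addressed to
    service_port: int     # port the rule's "Service" matches
    forward_to: str       # protected server behind the firewall
    mapped_port: int      # port on the protected server
    change_port: bool     # "Change Destination Port(s)" flag

    def apply(self, pkt: Packet) -> Optional[Packet]:
        """Return the rewritten packet, or None when the rule does not match."""
        if pkt.dst_ip != self.destination or pkt.dst_port != self.service_port:
            return None
        # With the flag unchecked the destination port is left as it arrived.
        new_port = self.mapped_port if self.change_port else pkt.dst_port
        return Packet(self.forward_to, new_port)


def trace(pkt: Packet, hops: list) -> Optional[Packet]:
    """Push a packet through each hop in order; stop at the first non-match."""
    for rule in hops:
        pkt = rule.apply(pkt)
        if pkt is None:
            return None
    return pkt


# Constructed addresses: ISP public IP and server IP are placeholders,
# XG Port2 (WAN) is from the interface list above.
ISP_PUBLIC, XG_WAN, SERVER = "198.51.100.10", "192.168.1.3", "192.168.0.50"

# Hop 1: ISP router forwards public-ip:2222 to the XG WAN interface, port 2222.
isp_forward = DnatRule(ISP_PUBLIC, 2222, XG_WAN, 2222, change_port=True)
# Original rule from the first post: Destination = server LAN IP, no port change.
xg_original = DnatRule(SERVER, 2222, SERVER, 22, change_port=False)
# Corrected rule: Destination = XG WAN IP, port mapped 2222 -> 22.
xg_fixed = DnatRule(XG_WAN, 2222, SERVER, 22, change_port=True)


def ssh_from_internet(xg_rule: DnatRule) -> Optional[Packet]:
    """Where does a connection to public-ip:2222 end up with this XG rule?"""
    return trace(Packet(ISP_PUBLIC, 2222), [isp_forward, xg_rule])
```

The original rule drops the packet at the XG hop because the packet arrives addressed to the XG WAN IP, not to the server; with the corrected destination but the port flag unchecked it would reach the server on 2222 instead of 22.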

  • Hi to all,

    and sorry for my late reply, but I was very busy. I now have time to reinvestigate this problem, and what should I say, it works. I have changed nothing and the DNAT works. I think it was the underlying virtualisation, which got an update a few days ago.

    Solved