Complicated issue

I can't access my web server, which is NATted through ISP 1, from ISP 2 on the same SG210 with HA.

ISP 1
218.x.x.x
Cisco ASA inside [192.168.2.254/24] - Sophos eth0 [192.168.2.1/24] with additional address added [192.168.2.181]

ISP 2
45.x.x.x/28 direct input to SG210 eth1

LAN 1
192.168.1.0/24

LAN 2
192.168.10.0/24

LAN 3
192.168.3.0/24

Firewall rules [Any - Any - Any] for testing purposes.

Web server IP - [NATted from 218.x.x.x to 192.168.2.181 on the Cisco ASA] [NATted on the SG210 from 192.168.2.181 to 192.168.1.181]

Anywhere in the world is able to access the web server via the IP 218.x.x.x, except connections through my ISP2 [45.x.x.x].

I thought the Cisco ASA blocked the 45.x.x.x IP, so I swapped this ISP2 to a different Sophos 135; any internal client behind the Sophos 135 was able to access the web server from the same ISP2.

Then I tried another different ISP [118.x.x.x] plugged into the SG210 and again, I can't access my web server from ISP3, but it works from the Sophos 135.

I'm not sure if the NAT has screwed up the internal routing or created a loopback of sorts, but what I'm sure of is that any client from the SG210 was unable to access the web server that is NATted behind the same UTM but via a different ISP. Accessing the web server from internal works. I have a Full NAT on the web server.

Can someone shed some light?

Cost me lots of painkillers for this...

Your input will be appreciated.

  • On your Cisco ASA, do a packet-trace to see if the packet should be allowed. Then create a CAPTURE to see if it is actually getting out and back.

    My best guess is that the ASA does not have a routing rule for the return packet.

  • We do not have access to the ASA. The engineer from the ASA side insists that we have problems on our side.

    All I can say is, every connection (WAN) from Sophos will not reach the ASA outside.

    Is there any way that I can prove to them that the Sophos side is working properly?

  • Easiest would be for the ASA support people to use the tools I mentioned while you are performing tests.

    If you have a smart switch between UTM and ASA, it may allow you to enable a monitoring port to eavesdrop on all of the traffic between the two devices. Then you can use Wireshark to monitor the packet flow.

  • DF, thanks for your suggestion. I did request the ASA tech to do a capture but they insisted that there is nothing wrong on their side. So I have to do the smart switch method to capture the packets via software. The packet did not arrive at the UTM. Again they insisted. So I will have to do the DNS thing to get all internal staff to go via the internal IP. I assumed this is a temp solution or might be a perm solution.

    Thanks for all the input.
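The replies above suggest proving the problem with a capture on a mirror port: if a SYN leaves and no SYN-ACK ever comes back, the break is on the far side of that link. The script below is an added example, not code from this thread or from Sophos; it parses tcpdump-style text lines and reports, per client flow, whether the SYN was answered. The capture is constructed, and the addresses are documentation ranges standing in for the masked ones in the post (198.51.100.10 for the public 218.x.x.x, 203.0.113.2 for the SG210's ISP2 address after source NAT); the last flow shows the internal path the thread ends up using, where the client reaches 192.168.1.181 directly.

```python
import re
from collections import defaultdict

# One tcpdump-style text line per packet: "TIME IP SRC.SPORT > DST.DPORT: Flags [X]"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not real traffic). Documentation addresses stand in for the
# masked ones in the thread: 198.51.100.10 plays the role of the public 218.x.x.x,
# 203.0.113.2 the SG210's ISP2 address after source NAT, 192.168.1.181 the real web server.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 203.0.113.2.51000 > 198.51.100.10.80: Flags [S]
10:00:01.010 IP 198.51.100.10.80 > 203.0.113.2.51000: Flags [S.]
10:00:01.011 IP 203.0.113.2.51000 > 198.51.100.10.80: Flags [.]
10:00:02.000 IP 203.0.113.2.51001 > 198.51.100.10.80: Flags [S]
10:00:03.000 IP 203.0.113.2.51001 > 198.51.100.10.80: Flags [S]
10:00:05.000 IP 203.0.113.2.51001 > 198.51.100.10.80: Flags [S]
10:00:06.000 IP 192.168.10.50.40000 > 192.168.1.181.80: Flags [S]
10:00:06.002 IP 192.168.1.181.80 > 192.168.10.50.40000: Flags [S.]
"""


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses as a TCP packet."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_flows(text):
    """Map each client-side 4-tuple to 'answered' (a SYN-ACK came back) or a
    'one-way' description with the number of SYNs sent without any reply."""
    syn_count = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_capture(text):
        if flags == "S":
            syn_count[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # The SYN-ACK travels server -> client; key it by the client's tuple
            answered.add((dst, dport, src, sport))
    return {
        flow: ("answered" if flow in answered else f"one-way ({n} SYN, no SYN-ACK)")
        for flow, n in syn_count.items()
    }


def one_way_flows(text):
    """Flows that never got a SYN-ACK: the ones to chase on the other side of the link."""
    return sorted(f for f, state in classify_flows(text).items() if state != "answered")


if __name__ == "__main__":
    for flow, state in classify_flows(SAMPLE_CAPTURE).items():
        src, sport, dst, dport = flow
        print(f"{src}:{sport} -> {dst}:{dport}: {state}")
```

Run it against the text output of a real capture (tcpdump's default line format on the mirror port, or Wireshark's export) and compare captures taken on both sides of the UTM/ASA link: a flow that is one-way on the ASA side but answered on the internal side points at the return path, which is what the ASA engineer would need to see.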
