Guest User!

You are not Sophos Staff.

Thread Info
  • Locked Locked
  • Replies 10 replies
  • Subscribers 5 subscribers
  • Views 24529 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to DNAT UDP port 80

MW

I have a client that has an application that requires a DNAT to port 80 via UDP.  Standard rule, External IP with a destination UDP port 80 maps to an internal IP.


But this doesn't work.  In fact, the packet filter rule never logs the UDP attempt at all.  At first we thought it was an application issue, so we changed the app to listen on UDP port 88.   We simply modify the service definition on the DNAT rule...and boom, it works and the packet is logged.


Change it back to UDP port 80....and nothing.  Behind the firewall, the application connects fine on port 80 UDP.

Because the packet isnt shown in the packet filter log it must be getting consumed by a service on the UTM.


Any ideas? 



This thread was automatically locked due to age.

  • Does #1 in Rulz give you any hints?

    Cheers - Bob

    EDIT 2017-06-30: Replaced link with one for the new UTM Community.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If you are using the built in Service Definition for HTTP, this is defaulted to TCP, you will need to create a new Service Definition for UDP 80.

    --
    SCA/UTM/XG  Sophos Platinum Partner

  • Hi MW:

    are you solve this problem?

    Is add new service definition working for you?

    I have the same situation.

  • in reply to Josh Josh

    Are you on a home or business internet line? Most residential ISPs will block port 80 on the modem. If its business you have to call the provider to open port 80 on the modem. 

    --
    SCA/UTM/XG  Sophos Platinum Partner

  • in reply to jflex

    Hi Jaesii:

    Thanks for reply quickly.

    I am not sure if our ISPs is open my port. but i do the flowing test:

     

    1) our application use UDP port 80 and client computer is inside in company. Server is outside and use like AWS cloud server.
    2)  client send request to server with UDP 80 and then client get response message.
     
    we do the test like
     
    1) we use moble phone wifi network skip company network(skip firewall) program is working well.
    2) use company network Server can get message from client but client can not get response from server.
    3) if we change the server UDP port from 80 to 82 or 40010 or 8080 it is also work.
     
    I will also check our ISPs for UDP 80 port. But the question is I just want to visited server UDP 80 port. it should be not limited for ISPs.
     
    Thank a lot
  • in reply to Josh Josh

    We did not.

    We confirmed the issue on two different UTM models at two different locations.  We it wasn't a ITSP issue because a tcpdump shows the UDP packet hitting the external interface.

    As usual Sophos support was unhelpful with their long delays and request to "reboot" and try again.

     

    Eventually we just had to change the application port to a different UDP port.

     

    Now, with that said, we haven't tried it again in probably a year.  So it could have been fixed.  My guess was the packet was getting eaten by web application or other proxy service before hitting the NAT rules.

  • in reply to MW

    Thanks MW for response

    It is so said to hear that. I will continue to do some research on this problem once i fix the problem i will inform to you.

     

    Wish me and you both good luck.

  • in reply to MW

    MW, you might want to try #1 in Rulz.  Also, #2 might help you see what's going on.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Thanks for the tips.

     

    Those rulez are pretty standard practice for our troubleshooting of UTM units....and we troubleshoot alot of them.  At last count we have about 300 units deployed with our customers spread over several SUM units!  Though that number is dropping as we migrate customers.

    We could never find a single log file showing the ingress UDP packet.  Grep would find no trace of it but using tshark would show it.  And we disable IPS, Flood Protection etc as standard practice.

     

    Again, this issue is over a year old for us, but it certainly was a bug we could replicate at the time.

     

    -M

  • in reply to MW

    Hi MV

    there is a good news. Our client UDP 80 port is finally get response from server. 

    1) nothing change for firewall.

    2) we asked our ISPs (Globe network in Philippines) add our Business network into white listing.

    Then it works.

    Of cause our mobile phone share wifi is also work.

    So I think business network do have some special setting on special port.

     

    Hope this message is useful for you.

     

    Thank you and Thank everyone who helped me. 

     

    Josh

Unfiltered HTML