
Unable to DNAT UDP port 80

I have a client that has an application that requires a DNAT to port 80 via UDP. Standard rule: external IP with a destination UDP port 80 maps to an internal IP.

But this doesn't work. In fact, the packet filter rule never logs the UDP attempt at all. At first we thought it was an application issue, so we changed the app to listen on UDP port 88. We simply modify the service definition on the DNAT rule... and boom, it works and the packet is logged.

Change it back to UDP port 80... and nothing. Behind the firewall, the application connects fine on port 80 UDP.

Because the packet isn't shown in the packet filter log, it must be getting consumed by a service on the UTM.

Any ideas?

  • Hi MW:

    Did you solve this problem?

    Is adding a new service definition working for you?

    I have the same situation.

  • We did not.

    We confirmed the issue on two different UTM models at two different locations. We knew it wasn't an ITSP issue because a tcpdump shows the UDP packet hitting the external interface.

    As usual, Sophos support was unhelpful with their long delays and requests to "reboot" and try again.

    Eventually we just had to change the application port to a different UDP port.

    Now, with that said, we haven't tried it again in probably a year, so it could have been fixed. My guess was the packet was getting eaten by the web application or other proxy service before hitting the NAT rules.

  • Thanks, MW, for the response.

    It is so sad to hear that. I will continue to do some research on this problem; once I fix the problem I will inform you.

    Wish me and you both good luck.

  • MW, you might want to try #1 in Rulz.  Also, #2 might help you see what's going on.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the tips.

    Those rulez are pretty standard practice for our troubleshooting of UTM units... and we troubleshoot a lot of them. At last count we have about 300 units deployed with our customers spread over several SUM units! Though that number is dropping as we migrate customers.

    We could never find a single log file showing the ingress UDP packet. Grep would find no trace of it, but using tshark would show it. And we disable IPS, Flood Protection etc. as standard practice.

    Again, this issue is over a year old for us, but it certainly was a bug we could replicate at the time.

    -M
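Added example (not code from the thread, Sophos, or the UTM itself): a small Python check for the symptom M describes, where the UDP packet is visible to tcpdump/tshark on the external interface but never shows up in the packet filter log. It cross-references constructed `tcpdump -n` output against constructed UTM packet-filter log lines in the `key="value"` style; the interface name, addresses, and rule numbers are placeholders, not values from the thread.

```python
import re

# Constructed sample of what `tcpdump -ni eth1 udp` would print on the UTM's
# external interface. Addresses are documentation ranges, not real hosts.
WIRE_CAPTURE = """\
10:15:01.112233 IP 203.0.113.10.51234 > 198.51.100.5.80: UDP, length 64
10:15:01.332211 IP 203.0.113.10.51234 > 198.51.100.5.88: UDP, length 64
10:15:02.000000 IP 203.0.113.22.40001 > 198.51.100.5.80: UDP, length 120
"""

# Constructed sample packet filter log lines in the UTM's key="value" style.
# Only the port-88 flow was logged; the port-80 flows never reached a rule.
PACKETFILTER_LOG = """\
2014:02:05-10:15:01 utm ulogd[4957]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" srcport="51234" dstport="88"
"""

TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def wire_udp_flows(capture, dport=None):
    """UDP flows (src, sport, dst, dport) seen by tcpdump, optionally one dport."""
    flows = set()
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if m and (dport is None or int(m["dport"]) == dport):
            flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def logged_udp_flows(log, dport=None):
    """UDP flows (proto 17) that the packet filter actually logged."""
    flows = set()
    for line in log.splitlines():
        kv = dict(KV_RE.findall(line))
        if kv.get("sub") != "packetfilter" or kv.get("proto") != "17":
            continue
        if dport is None or int(kv["dstport"]) == dport:
            flows.add((kv["srcip"], int(kv["srcport"]), kv["dstip"], int(kv["dstport"])))
    return flows


def unlogged_flows(capture, log, dport=None):
    """Flows on the wire but absent from the packet filter log: candidates for
    having been consumed by a local service or proxy before NAT/filter rules ran."""
    return wire_udp_flows(capture, dport) - logged_udp_flows(log, dport)


if __name__ == "__main__":
    for flow in sorted(unlogged_flows(WIRE_CAPTURE, PACKETFILTER_LOG)):
        print("seen on wire, not in packetfilter log: %s:%d -> %s:%d" % flow)
```

For any flow the script reports, the next step on the box is to check which local listener owns that UDP port before blaming the DNAT rule.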

  • Hi MW,

    There is good news. Our client's UDP port 80 is finally getting a response from the server.

    1) Nothing changed on the firewall.

    2) We asked our ISP (Globe network in the Philippines) to add our business network to their whitelist.

    Then it works.

    Of course our mobile phone's shared wifi also works.

    So I think the business network does have some special settings on specific ports.

    Hope this message is useful for you.

    Thank you, and thanks to everyone who helped me.

    Josh
