This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port forwarding issues

Hello, I am testing UTM9 (home edition for now) to replace our Zywall USG 50 but can't get port forwarding to work. As an example, forwarding HTTP to a server on the lan is set in NAT as:

Traffic Source: Any
Traffic Service: HTTP
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Webserver (defined in Network Definitions)
Destination Service: left blank
Automatic Firewall rule

I cannot get any of the servers to respond. They are all working fine, when I put the ZyWall back in all works perfectly.

It does not seems to be a firewall issue, adding a top rule like any->any->any to allow all traffic did not help.

I also disabled all other services such as IPS, Web Protection, etc. but no luck.

Does anyone have a guess of what could be wrong?

This thread was automatically locked due to age.

0 BarryG over 11 years ago

Hi, please check the logs (firewall, IPS, application control).

Also read https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22065

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 egsadmin over 11 years ago in reply to BarryG

Hello Barry, thank you very much for the feed-back. The hostname was the issue, we can now access the servers.

We still have a bit of an issue though: users can get to the servers from outside but we cannot get a response when going to the FQDN from inside (LAN).

I do not see anything in the logs that helps. Thank you for any suggestions to put us on the right track.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi, you should create an internal DNS entry for the FQDN pointing to the server's internal address; you can do this on the firewall if you don't have a DNS server.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 TheDrew over 11 years ago

If the FQDN points to the UTM's external/public IP address, you'll need to create a full nat for internal traffic.

What happens with a DNAT in this scenario is that the UTM rewrites the destination IP (but not the source) before forwarding the traffic. When the server gets the traffic, it sees the client is on it's network so instead of forwarding the reply back to the UTM, it sends it direct. This confuses the client which drops the traffic.

The full NAT rewrites both the source and destination IP's so that the server sees the UTM as the client, not your internal PC. Traffic then gets routed properly. The only downside is that the server's logs will always show the UTM as the source for any internal traffic. So if you need correct logging by IP for inetrnal clients, this will not work.
Cancel
Vote Up 0 Vote Down

Cancel
0 egsadmin over 11 years ago in reply to TheDrew

Thank you both very much for the feed-back. Full NAT solved the issue, we can live with the loss of logging info so we'll keep it this way.
Best,
Cancel
Vote Up 0 Vote Down

Cancel