
Nat always blocked

Hi everyone, I need help!

I want all traffic from "EXTERNAL" to "PUBLIC_IP2_OFFICE1" forwarded to "PUBLIC_IP2_OFFICE2".

This "PUBLIC_IP2_OFFICE2" is an additional IP address of a branch office connected to OFFICE1 with an IPsec VPN.

The forwarded traffic must not go over the VPN.

OFFICE1 - PUBLIC_IP1          PUBLIC_IP1 - OFFICE2
          PUBLIC_IP2          PUBLIC_IP2
          PUBLIC_IP3          PUBLIC_IP3

So I created a DNAT and packet filter rule:

DNAT:
ANY to PUBLIC_IP2_OFFICE1 forward to PUBLIC_IP2_OFFICE2

PACKET FILTER RULE:
allow ANY from EXTERNAL to PUBLIC_IP2_OFFICE1
allow ANY from PUBLIC_IP2_OFFICE1 to EXTERNAL

The traffic IN is OK:
NAT rule #51   UDP  IP_EXTERNAL_***  :  10003 → IP_PUBBLIC2_OFFICE1 :  10003


The traffic OUT instead is always blocked:
Default DROP   UDP  IP_EXTERNAL_*** :  10003 → IP_PUBBLIC2_OFFICE2 :  10003

Thanks for any help!!!
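The two log lines above show the packet filter being evaluated on the packet *after* the DNAT has rewritten its destination: the source is still the external host and the destination is now the OFFICE2 address, so neither of the two packet filter rules matches and the default action applies. The following Python model, added here and not part of the original post or of Sophos UTM itself, replays that evaluation for a DNAT-only rule and for a Full NAT rule (DNAT plus source rewrite to the UTM's own address). The IP addresses, the simplified rule matching and the `conntrack` dictionary are constructed assumptions for illustration, not the UTM's real implementation.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses from the RFC 5737 documentation ranges,
# standing in for the placeholders used in the post.
EXTERNAL_CLIENT = "203.0.113.50"     # some host on the internet ("EXTERNAL")
UTM_IP = "198.51.100.1"              # PUBLIC_IP1 of OFFICE1, the UTM's own address
PUBLIC_IP2_OFFICE1 = "198.51.100.2"  # additional address on the OFFICE1 UTM
PUBLIC_IP2_OFFICE2 = "192.0.2.2"     # additional address of the OFFICE2 firewall
OFFICE1_LOCAL_IPS = {UTM_IP, PUBLIC_IP2_OFFICE1}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    """DNAT when new_src is None; Full NAT (DNAT + SNAT) when new_src is set."""
    match_dst: str
    new_dst: str
    new_src: Optional[str] = None


@dataclass(frozen=True)
class FilterRule:
    src: str  # an IP, "ANY", or "EXTERNAL" (any address this UTM does not own)
    dst: str
    action: str = "allow"


def _matches(selector: str, ip: str) -> bool:
    if selector == "ANY":
        return True
    if selector == "EXTERNAL":
        return ip not in OFFICE1_LOCAL_IPS
    return selector == ip


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, Dict]:
    """Translate an inbound packet and record the reverse mapping (a conntrack entry)."""
    for rule in rules:
        if pkt.dst == rule.match_dst:
            out = replace(pkt, dst=rule.new_dst, src=rule.new_src or pkt.src)
            # keyed by the 4-tuple the reply will carry: (src, dst, sport, dport)
            conntrack = {(out.dst, out.src, out.dport, out.sport): pkt}
            return out, conntrack
    return pkt, {}


def filter_verdict(pkt: Packet, rules: List[FilterRule]) -> str:
    """The packet filter sees the already-translated packet, as the post's log shows."""
    for rule in rules:
        if _matches(rule.src, pkt.src) and _matches(rule.dst, pkt.dst):
            return rule.action
    return "Default DROP"


def forward(pkt: Packet, nat_rules: List[NatRule], filter_rules: List[FilterRule]):
    translated, conntrack = apply_nat(pkt, nat_rules)
    return translated, filter_verdict(translated, filter_rules), conntrack


def reply_returns_via_utm(translated: Packet) -> bool:
    """OFFICE2 answers to the source it saw; only a UTM-owned source brings the reply back here."""
    return translated.src in OFFICE1_LOCAL_IPS


def untranslate_reply(reply: Packet, conntrack: Dict) -> Optional[Packet]:
    """Reverse the translation for a reply that reached this UTM, or None if it is unknown."""
    original = conntrack.get((reply.src, reply.dst, reply.sport, reply.dport))
    if original is None:
        return None
    return Packet(src=original.dst, dst=original.src, proto=reply.proto,
                  sport=original.dport, dport=original.sport)


# The packet from the post's log: UDP 10003 from the internet to PUBLIC_IP2_OFFICE1.
INBOUND = Packet(src=EXTERNAL_CLIENT, dst=PUBLIC_IP2_OFFICE1, proto="UDP", sport=10003, dport=10003)


def dnat_only_scenario():
    """The post's configuration: DNAT plus the two packet filter rules."""
    nat = [NatRule(match_dst=PUBLIC_IP2_OFFICE1, new_dst=PUBLIC_IP2_OFFICE2)]
    pf = [FilterRule("EXTERNAL", PUBLIC_IP2_OFFICE1), FilterRule(PUBLIC_IP2_OFFICE1, "EXTERNAL")]
    return forward(INBOUND, nat, pf)


def full_nat_scenario():
    """Full NAT: destination rewritten and source replaced by the UTM's address."""
    nat = [NatRule(match_dst=PUBLIC_IP2_OFFICE1, new_dst=PUBLIC_IP2_OFFICE2, new_src=UTM_IP)]
    pf = [FilterRule("EXTERNAL", PUBLIC_IP2_OFFICE1), FilterRule(UTM_IP, "EXTERNAL")]
    return forward(INBOUND, nat, pf)


if __name__ == "__main__":
    for name, scenario in (("DNAT only", dnat_only_scenario), ("Full NAT", full_nat_scenario)):
        translated, verdict, _ = scenario()
        print(f"{name}: {translated.src}:{translated.sport} -> {translated.dst}:{translated.dport} "
              f"=> {verdict}, reply returns via UTM: {reply_returns_via_utm(translated)}")
```

With DNAT only, the translated packet keeps the external source, so the rule "from PUBLIC_IP2_OFFICE1 to EXTERNAL" cannot match it and the verdict is the same "Default DROP" the post reports; the model also shows that OFFICE2 would address its reply to the external client rather than to the UTM. With Full NAT the forwarded packet carries the UTM's address as source, a rule for that source matches, and the reply comes back to the UTM where the recorded mapping restores the original addresses.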


  • Not sure what you want to achieve, but do I read it correctly that traffic from the internet arriving at Office 1 should be redirected over the internet to the public address of Office 2?

    In that case I would work with DNS-records which can easily be changed in case you ever want the destination to change.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Frank, I had difficulty following your explanation, but I see DNAT and VPN together, so I'll guess that you need to replace the DNAT with a Full NAT that replaces the original source with the IP of the UTM.  Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA