
Trying to narrow down the issue - New Setup

Recently deployed UTM9 on a VM (so I think it's Astaro Gateway Software) 9.403-4 and was having issues contacting anything outside of the local network. The setup is as follows: WAN -> ASA 5500 -> Sophos UTM -> Default Gateway -> Network. With this setup we're just looking to use the Web Filtering and Endpoint Protection while keeping the ASA for packet filtering and network protection. In this line of thinking I created a rule in the firewall for any -> any -> any -> allow.

When deployed over the weekend I saw traffic going into the inside interface and the external interface but was still having issues contacting anything outside our network. Looking at the firewall logs I'm seeing a ton of 60003 and some 60001 (these just seem to deal with our internal DNS) like what's shown below.

2016:06:04-14:02:59 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="23.212.31.89" dstip="192.168.6.23" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57331" tcpflags="RST"
2016:06:04-14:02:59 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="173.252.88.163" dstip="192.168.4.108" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52854" tcpflags="RST"
2016:06:04-14:02:52 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="192.168.0.50" dstip="192.168.3.17" proto="1" length="76" tos="0x00" prec="0xc0" ttl="64" type="3" code="0" 

That is about 90% of the packets being dropped, but I'm not entirely sure what it means or why it's happening. The ASA does the NAT translation, so all the UTM should need to do is pass the packets on to the internal computers, but it doesn't seem to be doing that. So I then took a look at the ASA log and saw most lines similar to what's shown below.

4 Jun 04 2016 14:36:03 313005 No matching connection for ICMP error message: icmp src inside:192.168.0.49 dst outside:173.252.88.162 (type 3, code 1) on inside interface. Original IP payload: tcp src 173.252.88.162/443 dst 192.168.4.108/44746.
4 Jun 04 2016 14:36:03 313005 No matching connection for ICMP error message: icmp src inside:192.168.0.49 dst outside:173.252.89.130 (type 3, code 1) on inside interface. Original IP payload: tcp src 173.252.89.130/443 dst 192.168.4.108/50360.

This leads me to believe that the packet's source IP is getting changed from the internal client IP to the UTM interface, which is causing the firewall to drop everything due to mismatches. I feel like the answer is probably setting up NAT, but I'm not entirely sure what option I'm looking for. They all seem to want to change the source IP, when I want to preserve the source IP and not have it changed to my external interface IP (which is the 192.168.0.49).

I should also note I do have some standard support time, and have already scheduled a call to assist in the setup, but wanted to do as much legwork beforehand as possible.
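As an added example (not from the thread, and not Sophos code), here is a small Python parser for ulogd "Packet dropped" lines of the kind quoted above. It splits the key="value" fields, groups drops by fwrule, and classifies each dropped packet by what it is: a TCP RST, a new TCP SYN, an ICMP unreachable, and so on. Run over the three lines from the post, it shows that every 60003 drop is either a bare RST from port 443 or an ICMP type 3 message, which is the profile of replies arriving for connections the filter has no state for, and is the sort of breakdown worth having before a support call. The sample lines are copied from the post; the classification names are my own.

```python
import re
from collections import Counter

# Constructed input: the three ulogd lines quoted in the post above.
SAMPLE_LOG = """\
2016:06:04-14:02:59 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="23.212.31.89" dstip="192.168.6.23" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57331" tcpflags="RST"
2016:06:04-14:02:59 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="173.252.88.163" dstip="192.168.4.108" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52854" tcpflags="RST"
2016:06:04-14:02:52 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="192.168.0.50" dstip="192.168.3.17" proto="1" length="76" tos="0x00" prec="0xc0" ttl="64" type="3" code="0"
"""

# Prefix: timestamp, host, "ulogd[pid]:", then the key="value" payload.
LINE_RE = re.compile(r'^(\S+) (\S+) ulogd\[\d+\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one ulogd packetfilter line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(3)))
    fields["timestamp"] = m.group(1)
    fields["host"] = m.group(2)
    return fields


def classify(fields):
    """Label a dropped packet by protocol and the part of the exchange it belongs to."""
    proto = fields.get("proto")
    if proto == "6":
        flags = fields.get("tcpflags", "")
        if "RST" in flags and "SYN" not in flags:
            return "tcp-rst"            # reset with no session behind it
        if "SYN" in flags and "ACK" not in flags:
            return "tcp-new-syn"        # a genuinely new connection attempt
        return "tcp-other"
    if proto == "1":
        # ICMP type 3 is Destination Unreachable; these are error replies, not probes.
        return "icmp-unreachable" if fields.get("type") == "3" else "icmp-other"
    if proto == "17":
        return "udp"
    return "other"


def summarize(text):
    """Count drops by fwrule, by packet kind, and by the (rule, kind) pair."""
    by_rule, by_kind, by_rule_kind = Counter(), Counter(), Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("name") != "Packet dropped":
            continue
        rule = fields.get("fwrule", "?")
        kind = classify(fields)
        by_rule[rule] += 1
        by_kind[kind] += 1
        by_rule_kind[(rule, kind)] += 1
    return {"by_rule": by_rule, "by_kind": by_kind, "by_rule_kind": by_rule_kind}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (rule, kind), n in sorted(summary["by_rule_kind"].items()):
        print(f"fwrule {rule:>6}  {kind:<18} {n}")
```

Point it at the full packetfilter log instead of SAMPLE_LOG and the (rule, kind) table tells you at a glance whether a rule is dropping fresh SYNs (a policy problem) or mostly RSTs and ICMP errors (a state or path problem).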



  • Sachin,

    With the current setup we have, there are only two network interfaces, and when I attempt to remove them from the interface screen in order to re-add them as a bridged interface it won't allow me to remove the one connected to our internal network due to it being in use by my admin session. Is there a way around this? It's set up on a Windows 2012 Hyper-V, so I have access to the physical computer it's on if there is a way to do that through the command line.

    Thanks

  • Hi,

    What error message is flashed? I think you need to log in through a different interface and deploy the rest of the interfaces in bridge mode. Not sure, never saw such an instance; please post some screenshots.

    Thanks

  • Sachin,

    The message is displayed below, and I think (please confirm if I'm correct) that the issue I'm running into now is just that my setup doesn't have enough NICs. I only (as of now; looking at purchasing an additional NIC for our server) have the two interfaces available: one connected to our core switch, the other to our firewall.

    Before I do purchase the additional NIC is there any way to set up the bridge interface through the console on the UTM itself instead of the web interface? In case I'm using the wrong descriptors, when I'm referring to console I mean what is below.

    Thanks,

  • NICs are cheap, Bob.

    First I looked at an existing interface:

    sophos:/root # cc get_object 'REF_IntEthRedTulsa'
    {
              'autoname' => 0,
              'class' => 'interface',
              'data' => {
                          'additional_addresses' => [],
                          'bandwidth' => 0,
                          'comment' => '',
                          'inbandwidth' => 0,
                          'itfhw' => 'REF_ItfRedReds1Tulsa',
                          'link' => 1,
                          'mtu' => 1500,
                          'name' => 'RED Tulsa',
                          'outbandwidth' => 0,
                          'primary_address' => 'REF_ItfPri1721638124',
                          'proxyarp' => 0,
                          'proxyndp' => 0,
                          'status' => 1
                        },
              'hidden' => 0,
              'lock' => '',
              'nodel' => '',
              'ref' => 'REF_IntEthRedTulsa',
              'type' => 'ethernet'
            }

    Then, I changed the Interface to "Type: Ethernet Bridge" and looked again:

    sophos:/root # cc get_object 'REF_IntEthRedTulsa'
    {
              'autoname' => 0,
              'class' => 'interface',
              'data' => {
                          'additional_addresses' => [],
                          'ageing' => 300,
                          'arp_bcast' => 0,
                          'comment' => '',
                          'converted_from_hw' => 'REF_ItfRedReds1Tulsa',
                          'forwarded_ethertypes' => [
                                                      '88B7'
                                                    ],
                          'itfhw' => 'REF_ItfBriBr0',
                          'link' => 1,
                          'mtu' => 1500,
                          'name' => 'RED Tulsa',
                          'ports' => [
                                       'REF_ItfBriReds1RemotEther',
                                       'REF_ItfBriEth2IntelCorpo'
                                     ],
                          'primary_address' => 'REF_ItfPri1721638124',
                          'proxyarp' => 0,
                          'proxyndp' => 0,
                          'status' => 1,
                          'stp_fd' => 0,
                          'stp_hello' => 0,
                          'stp_maxage' => 0,
                          'stp_prio' => 0,
                          'stp_status' => 0,
                          'use_dhcp' => 0,
                          'virtual_mac' => '00:00:00:00:00:00'
                        },
              'hidden' => 0,
              'lock' => '',
              'nodel' => '',
              'ref' => 'REF_IntEthRedTulsa',
              'type' => 'bridge'
            }

    Not something I would think could be modified by hand. WebAdmin and the config daemon handle all of the changes in a single pass.

    Cheers - Bob

  • Thanks for the replies, it's much appreciated; the same goes for the explanation of what happens when changing the interface inside the UTM.