How can I view all traffic related to a specific device?

Hi, experts,

I have a network device that works when I plug it directly into my cable modem, but doesn't when I plug it in behind the UTM (9.406-3). In an effort to identify the traffic that needs to be allowed, I've checked the Firewall, IPS, WAF, Application Control and Middleware logs, but none provide any hints as to what's going on with this device.

The device is a remote access point with an IP phone connected to it.  There is definitely traffic going through the device, because it's able to connect back to the corporate network and assign the phone an IP address.  Why can't I see any of this traffic in any of the logs I've reviewed?

I have an SNAT (internal network/any/any -> src xlate external addr) and four DNATs (1. email gateways/privsmtp/ext addr -> dst xlate SMTP, 2. any/https/ext addr -> dst xlate webserver, 3. any/ssh/ext addr -> dst xlate ssh server and 4. corp endpoints/any/ext addr -> dst xlate rap device). For some reason, that last DNAT does NOT break my regular VPN client (and I'm glad, because I can still work) - maybe because it's initiated by my workstation and is considered initiated session traffic.

Can anyone help?!  What should I be looking at?  I can provide as much or as little detail as necessary.  Any assistance would be greatly appreciated.

Best regards,

Edgar T.

  • Hi Edgar,

    So, are you trying to host an internal server externally, or do you want to access the internet on devices connected to the UTM's LAN?

    If you are trying to host an internal server, try DNAT and refer to: community.sophos.com/.../115145

    If the devices do not have internet behind the UTM, check if you have the DNS forwarders and the NAT > MASQ rule in place.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi, sachingurung,

    Thank you for your response!  I do have a couple of internal servers that I can successfully access from the outside.  As mentioned, I have a few DNATs already set up.

    What I'm trying to do is connect to my corporate network through a VPN device. I have physical/visual confirmation that some traffic is getting to/from/through the device, because the IP phone connected to it is able to get a valid IP address. However, there is some critical traffic that's getting blocked, because I can't connect to the SSID being broadcast by the device from my PC (that's how I would access my corporate network), nor can I make or receive calls on the IP phone (I don't get dial tone).

    I'm trying to figure out what traffic is being blocked, so that I can create rule(s) to let the necessary traffic through. The problem is that, when I check the logs, I can't see any reference to the MAC address of the device, nor the internal IP (my network) of the device. I don't know where else to look.

    What I really need is to put that device in a DMZ (since I know it works without the UTM in front of it), but I don't know how to do that with the PC I'm running Sophos UTM on, since it doesn't have any additional PCI slots or USB ports for an additional interface. Is there a way to emulate a DMZ by disabling all filtering for a specific device, whether it be by MAC or IP address?

    Also, do you have any quick reads on MASQ versus NAT? I've read that I can't use NAT with MASQ, so I'm not sure if there's a problem there.

    Best regards,
    Edgar

    UTM 9 Home Use

  • Hi,

    Here, is your corporate network behind the UTM? So far, I understand that you have servers hosted through the UTM via DNAT.

    "What I'm trying to do is connect to my corporate network through a VPN device.  I have physical/visual confirmation that some traffic is getting to/from/through the device, because the IP phone connected to it is able to get a valid IP address." 

    Why is a VPN connection required, and which device makes a VPN connection, and of what type?

    "However, there is some critical traffic that's getting blocked, because I can't connect to the SSID being broadcast by the device from my PC (that's how I would access my corporate network), nor can I make or receive calls on the IP phone (I don't get dial tone)." 

    If you are investigating drops, SSH into the UTM and look into the packetcapture.log. Which device is broadcasting the SSID: is it an AP connected to the Sophos, or a router connected to the switch?

    You need a MASQ rule to NAT the internal IP to the external WAN address.

    Please provide concise information and follow the one-question-per-post rule. That makes it easier and simpler.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
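
As an added example (not from this thread or from Sophos), the following shell function answers the original question of finding log entries for one device: it filters packet-filter log lines for a given MAC or IP address and summarizes the dropped flows by protocol, destination and destination port, which is the list of rules one would then need to create. The sample lines are constructed in the key="value" style that the UTM 9 packet filter writes to its log; the field names and the `/var/log/packetfilter.log` path are assumptions about that format, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample log in the UTM 9 packetfilter.log key="value" style
# (addresses are made up; field names assumed to match the UTM format).
SAMPLE_LOG='2016:05:17-10:20:30 utm ulogd[4567]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="192.168.1.50" dstip="203.0.113.5" proto="17" srcport="5060" dstport="5060"
2016:05:17-10:20:31 utm ulogd[4567]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcmac="00:11:22:33:44:55" srcip="192.168.1.50" dstip="203.0.113.9" proto="17" srcport="50000" dstport="500"
2016:05:17-10:20:32 utm ulogd[4567]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:66" srcip="192.168.1.60" dstip="203.0.113.5" proto="6" srcport="41000" dstport="443"
2016:05:17-10:20:33 utm ulogd[4567]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="192.168.1.50" dstip="203.0.113.5" proto="17" srcport="4500" dstport="4500"
2016:05:17-10:20:34 utm ulogd[4567]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="192.168.1.50" dstip="203.0.113.5" proto="17" srcport="5060" dstport="5060"'

# device_drops DEVICE  (log lines on stdin)
# Prints "count proto dstip dstport" for every dropped flow in which DEVICE
# appears as srcmac, dstmac, srcip or dstip, most frequent first.
device_drops() {
    awk -v dev="$1" '
        {
            # Parse every key="value" pair on the line into f[key] = value.
            for (k in f) delete f[k]
            line = $0
            while (match(line, /[a-z]+="[^"]*"/)) {
                kv = substr(line, RSTART, RLENGTH)
                eq = index(kv, "=")
                f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (f["action"] != "drop") next
            if (f["srcmac"] != dev && f["dstmac"] != dev &&
                f["srcip"] != dev && f["dstip"] != dev) next
            count[f["proto"] " " f["dstip"] " " f["dstport"]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample. On a UTM the equivalent would be
#   device_drops 00:11:22:33:44:55 < /var/log/packetfilter.log   (path assumed)
printf '%s\n' "$SAMPLE_LOG" | device_drops "00:11:22:33:44:55"
```

Proto 17 is UDP, so drops toward ports 5060 and 4500 would point at SIP and IPsec NAT-T traffic that still needs a rule; a device that never appears at all in the output is a hint that the missing traffic is not being logged rather than being dropped.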
