DNAT from Additional IP to a server in(azure) located on remote site via IPsec tunnel

Hi all,

I'm having difficulties NATing a simple HTTPS request coming in on an additional external IP to a server located in Azure.

I have a working IPsec connection between my UTM and Azure, and I can browse the site from a local PC on the UTM internal network.

I have created a NAT rule like this:

Traffic from: Any
Using service: HTTP
Going to: External WAN (Address of alias) 1.1.1.2
Change destination to: Object created with server IP in Azure 172.16.0.10
Service: HTTP

Local LAN on UTM is 10.0.0.0/24

I hope someone can advise how to do this?

  • Hallo Heine, and welcome to the UTM Community!

    You can't use a DNAT for this, you must use a Full NAT.  Unless you want to use something else, an easy solution is to change the source to Internal (Address).  In this way the remote site will send the response back through the tunnel instead of sending it directly to the requestor where the packets are dropped.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
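To make Bob's reply-path argument concrete, here is an added simulation (not from the post or from Sophos) that traces a client request through both NAT variants: which source IP the Azure server sees, and whether its reply can travel back through the tunnel. It assumes an Azure subnet of 172.16.0.0/24, a UTM internal address of 10.0.0.1 and a constructed Internet client 203.0.113.5.

```python
# Added illustration (not from the post or Sophos): why a plain DNAT into a
# policy-based IPsec tunnel loses the server's reply, and why a Full NAT
# whose source is the UTM's Internal (Address) brings it back through the
# tunnel. Addresses from the post: 10.0.0.0/24 LAN, alias 1.1.1.2, server
# 172.16.0.10. Assumed: Azure subnet 172.16.0.0/24, UTM internal address
# 10.0.0.1, and a constructed Internet client 203.0.113.5.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_SELECTOR = ip_network("10.0.0.0/24")     # UTM side of the tunnel
REMOTE_SELECTOR = ip_network("172.16.0.0/24")  # Azure side (assumed)
UTM_INTERNAL = "10.0.0.1"      # "Internal (Address)" object (assumed)
WAN_ALIAS = "1.1.1.2"          # additional external IP from the post
AZURE_SERVER = "172.16.0.10"   # server in Azure from the post
CLIENT = "203.0.113.5"         # constructed Internet client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def utm_inbound_nat(p: Packet, full_nat: bool) -> Packet:
    """DNAT rewrites only the destination; Full NAT also rewrites the source."""
    if p.dst != WAN_ALIAS:
        return p
    return Packet(UTM_INTERNAL if full_nat else p.src, AZURE_SERVER)


def azure_next_hop(reply: Packet) -> str:
    """Azure only encrypts a reply whose addresses match the tunnel selectors;
    anything else takes the default route to the Internet, where the client
    receives a reply from an address it never talked to and drops it."""
    src, dst = ip_address(reply.src), ip_address(reply.dst)
    return "tunnel" if src in REMOTE_SELECTOR and dst in LOCAL_SELECTOR else "internet"


def simulate(full_nat: bool) -> dict:
    """Trace request and reply; report what each party ends up seeing."""
    original = Packet(CLIENT, WAN_ALIAS)
    translated = utm_inbound_nat(original, full_nat)
    # conntrack-style entry so the UTM can reverse the translation later
    conntrack = {(translated.dst, translated.src): original}
    reply = Packet(translated.dst, translated.src)
    hop = azure_next_hop(reply)
    result = {"server_sees_src": translated.src, "reply_via": hop}
    if hop != "tunnel":
        result["client_sees_reply_from"] = None   # reply never reaches client
        return result
    orig = conntrack[(reply.src, reply.dst)]
    result["client_sees_reply_from"] = orig.dst   # un-NATed back to the alias
    return result
```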
  • I'm trying to do the same thing, but my remote server isn't in Azure.  

    I've tried about a dozen different ways to wire it up and am not getting the connections to route through to the server in the other network.

    In my case, I'm running a mail server at a remote site, but want the public endpoint for my mx record at my datacenter (Exchange server, so want to route 25, 80, and 443 to the server).  I'm running a VM with the UTM 9 image, just updated to 9.410-6 a couple nights ago, at DC1, and the same version installed on an SG-230 appliance at DC2.

     

    I want my mx record pointed to a public IP at DC1, but to pass the traffic through the site-to-site IPsec VPN to a server at DC2.

     

    I've tried several combinations of SNAT and DNAT, to no avail.

    My latest attempt was to set up the Full NAT as follows:

    =========================================================

    Matching Condition

    Traffic from: Any

    Using Service: (group containing TCP 25, TCP 80, TCP 443) 

    Going to: External IP (additional IP on WAN interface pointed to by my mx DNS record)

    Action:

    Change Destination to: internal IP of mail server at DC2

    Change Source to: External IP on WAN interface

    Automatic Firewall rule is checked.

    Rule Applies to IPsec packets is not checked (I've tried both checked and not checked, same result each way).

    Log Initial Packets is checked.

    =======================================

    I can see the NAT being hit by watching the live log, but it never seems to get to the other network.

    I'm guessing I'm misunderstanding what is supposed to go in the fields, but I can't find a source to straighten me out.

    I've also considered that I don't really know what IP address to put on the "from" for a firewall rule at DC2 to allow the traffic in (assuming it should be the external IP that I set as the "Change Source to" parameter?).  I've got it set to "Any" at this point, but still doesn't seem to work, so guessing it's a problem with the overall Full NAT definition, as I mention above... 

    [EDIT] I also came across a blog post saying not to use a service group, so set it to just HTTPS, still no luck...

    Any help appreciated -- Thanks!

  • Shad, instead of

    Change Source to: External IP on Wan interface

    You want to use the "Internal (Address)" object.  If you select 'Log initial packets' in that Full NAT, you will have a record of the incoming IPs.  Also, you can use a Services Group with HTTP and HTTPS in one rule.

    I would humbly suggest that you don't want to take this approach though...

    The rDNS/HELO check of incoming email traffic is impossible with a NAT from one site to the other.  As those checks usually account for over half of the spam blocks, that's probably not what you want to do.  For that reason, I would run the SMTP Proxy at the site where the MX record points and then have it send the traffic through the tunnel to your server.  I wonder if the inbound HTTP/S traffic couldn't go directly to the site with the mail server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    This worked perfectly.

    I had set things up as you suggest, taking advantage of my "email protection" license on the DC1 site's UTM, so we were on the same page there.  

    I'm in the middle of standing up a new Exchange server at DC1, which will replace the existing server, so I just forwarded all of the ports to the server at DC2 for now (As you suggested, using a service group for the NAT match works just fine), and will re-direct them as appropriate when the new server is in production.

    Thanks for your help,

    Shad
