DNAT rules not working using Client authenticated IP address?

Created a DNAT rule which changed the IP address to a client-authenticated user's host. For some reason that did not work. In the FW log there were entries which matched the DNAT rule, but the entry directly after each DNAT rule match was a default traffic drop.

After creating a static IP address (the same address as the client-authenticated one) and updating the DNAT rule, it started to work. No more default drop entries.

Can anyone explain? I believed that there were no constraints on using client-authenticated user host IP addresses in both NAT and FW rules? I am using Sophos Authentication Agent.

Running Sophos UTM 9.409-9

  • Hi Erik,

    What changes to the DNAT rule did the trick? Are you trying to access a server internally after being authenticated through Authentication Agent? Try configuring Full NAT in place of a DNAT.

    Thanks

  • It started to work when I switched to a static target IP address instead of a client-authenticated IP address, authenticated via Client Authentication.

    If you have more than one internal IP network, my idea was to use a client-authenticated IP address as the target IP address in the DNAT rule. Regardless of which internal IP network I am connecting to, the DNAT rule was supposed to forward IP packets to my computer's authenticated IP address.
