Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 3735 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT rules not working using Client authenticated IP address?

ErikFranzen

Created a DNT rule which changed IP address to a client authenticated users host. For some reason that did not work. In the FW log there were entries which matched the DNAT rule, but the entries directly after each DNAT rule match was a default traffic drop.

After created a static IP address (the same address as the client authenticated) and updated the DNAT rule, it started to work. No more default drop entries.

Can anyone explain? I believed that there was no constraints using client authenticated user host IP addresses in both NAT and FW rules? I am using Sophos Authentication Agent.

Running Sophos UTM 9.409-9



This thread was automatically locked due to age.
Parents
  • 0

    Hi Erik,

    What changes to the DNAT rule did the trick? Are you trying to access a server internally after being authenticated through Authentication Agent? Try configuring Full NAT in place of a DNAT.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    It started to work when I switched to a static target IP-address instead of an Client authenticated IP address, authenticated via Client Authentication.

    If you have more than one internal IP-network my idea was to use a client authenticated IP address as the target IP address in the DNAT rule. Regardless of which internal IP network I am connecting to, the DNAT rule was supposed to forward IP packets to my computer authenticated IP address. 

  • 0 in reply to ErikFranzen

    Erik, I can't visualize what didn't work...

    DNAT : Any -> Any -> Erik (User Network) : to ????

    or

    DNAT : Any -> Any -> ???? : to Erik (User Network)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Okay. The following did not work for unknown reason: DNAT : Any -> External-interface -> Erik (User Network)

    The client Erik was authenticated using correct IP-address.

  • 0 in reply to ErikFranzen

    When you hover over the "Erik (User Network)" object, does it show that it resolves to your IP?  I've not had much luck populating such objects using the Agent.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to ErikFranzen

    When you hover over the "Erik (User Network)" object, does it show that it resolves to your IP?  I've not had much luck populating such objects using the Agent.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML