UTM: Accessing Internal or DMZ servers from Internal Networks using DNAT

  • Article ID: 115191
  • Rating:
  • 17 customers rated this article 4.4 out of 6
  • Updated: 10 Dec 2013


When using DNAT, accessing the external address of an internal server from the internal network does not work correctly. In your web browser an error will appear, such as: Host not found.

Requests coming from external networks work properly.

Known to apply to the following Sophos product(s) and version(s)


Sophos UTM Software Appliance

Operating systems

Sophos UTM OS

Cause

This issue occurs as a result of the way NAT translation works on the UTM.
 
When the client makes a request destined for the external address of an internal server, the UTM changes the destination address of the request and then forwards it on to the server's internal address.
When the server receives the request, the source is the client's internal address, which it responds to directly. In most network configurations, the response does not pass back through the UTM (it goes directly to the client, through the switch).
 
The source address of the response is the server's internal address, which usually results in a failed connection, because the client receives a response from a different address than it sent the request to (internal, vs external address). 

What To Do

This issue can be resolved in two ways: either by forcing all connections from internal clients to use the internal address of the server instead of the external address (normally by modifying DNS entries), or by creating a Full-NAT rule to translate the source address of the request as well as the destination. This forces the response from the server to go back through the UTM, and is therefore NAT-translated back such that the response comes from the server's external address instead of it's internal address.

If the UTM is used as a DNS forwarder:

By setting a static DNS entry in the UTM, all references to the internal server will point to the correct internal address, rather than the server's public address. 

  1. In WebAdmin, browse to Network Services | DNS | Static Entries.
  2. If using UTM 9.1+, Click Static Entries.
  3. Click New network definition...
  4. Enter a name for the new entry.
  5. Under Type, choose Host.
  6. Under IPv4 Address, enter the internal address of your server.
  7. Expand DNS Settings.
  8. Under Hostname, enter the FQDN of your server's external address, eg. www.example.com
  9. Add any additional hostnames as required into the Additional Hostnames box.
  10. Click Save.

Once done, DNS lookups sent to the UTM for the affected hostname will return the server's internal address instead of its external address, and internal clients should be able to connect without issues.

If the UTM is not used as a DNS forwarder: 

If the UTM is not used as a DNS forwarder, you can either perform steps analogous to the above on your DNS server, or create a Full-NAT rule on the UTM to allow it to forward traffic properly.

  1. Browse to Network Protection | NAT | NAT.
  2. Click New NAT rule...
  3. Under Position, change the number such that it is the same as your existing DNAT rule.
    • This will cause the new rule to be immediately above the existing rule.
    • If the Full-NAT rule is below the DNAT rule, the DNAT rule will apply instead, and the Full-NAT rule will not work.
  4. Change Rule Type to Full NAT (Source + Destination).
  5. Under For traffic from, choose your affected internal network.
    • For example: Internal (LAN) (Network)
  6. Under Use service, choose the appropriate service or group of services (eg. HTTP, HTTPS, etc).
  7. Under Going to, choose the external address of the server to be forwarded.
    • For example: External (WAN) (Address)
  8. Under Change the destination to, choose the internal address of the server.
  9. Under Change the source to, choose your UTM's internal address object for the appropriate internal network.
    • For example: Internal (LAN) (Address)
  10. Ensure Automatic Firewall rule is checked. Otherwise, ensure you create the appropriate firewall objects.
  11. Click Save.
  12. Activate the new Full-NAT object.

Once the rule is active, connections from the affected internal network sent to the server's external address should be forwarded correctly, and the server should be able to respond without issues. The existing DNAT rule will still work for connections coming from external networks. 


 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments