
Sophos XG site-to-site IPSEC VPN - block only devices from site B from reaching site A

Hey Guys,

So, I have created a site-to-site VPN between a Sophos XG and a 2nd network which has an NBN modem. Link is up, stable and I can reach devices both ways. I really only want site A (the XG side) to be able to reach devices on site B and only one device (which has a static IP) on site B to be able to access site A. I'm using the "automatic VPN rule" created when I configured the IPSEC VPN.

If I want to block all devices on site B except for one device with a static IP from accessing devices on site A, could I just remove the site A LAN subnet from the "destinations & services" section in the rule on the XG and add just that single IP to the rule, or will that cause issues?

Is there a better way I should be doing this?

Kind regards

Aaron



  • Hi Aaron Berger,

    If you want your LAN users at Site B to stop accessing the Site A network, at Site B please modify the LAN to VPN firewall rule and specify the IP hosts you want to allow to reach Site A from Site B, or, if you want to block it completely, you can select the drop action in the LAN to VPN firewall rule at Site B.

  • Hey Keyur,

    Thank you for your reply. Site B has a standard NBN modem which does not support firewall rules.

    So, from the XG site A side, how can I block all LAN IP from site B except for 1 IP?

  • FormerMember, in reply to Aaron Berger:

    Hi Aaron,

    To configure the firewall rule on the Site A XG firewall, instead of the "automatic VPN rule", you could create a new "VPN to LAN" firewall rule, in which you allow only the single IP address of Site B network.

    Alternatively, you could manually modify the auto created VPN rule, to only allow that IP address from VPN to LAN.

    Please see the example below for the VPN to LAN zone; MASQ is not needed.
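An added illustration, not from the thread or from Sophos: a small first-match model of the XG zone rules in Python, with constructed addresses, showing that the restriction belongs on the source network of the VPN to LAN rule and that the LAN to VPN rule used by Site A is left untouched. It also models the variant described in the question (putting the single Site B IP in the destination of the rule), which would not match traffic headed for Site A at all.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this thread (assumed addresses, not from the post).
SITE_A_LAN = ip_network("192.168.10.0/24")           # XG LAN zone
SITE_B_LAN = ip_network("192.168.20.0/24")           # reached via VPN zone
SITE_B_ALLOWED_HOST = ip_network("192.168.20.50/32")  # the one static IP

def zone_of(ip):
    """Map an address to the XG zone it belongs to."""
    ip = ip_address(ip)
    if ip in SITE_A_LAN:
        return "LAN"
    if ip in SITE_B_LAN:
        return "VPN"
    return "WAN"

# Rule: (src_zone, dst_zone, src_networks, dst_networks, action).
# Evaluated top-down, first match wins, implicit drop at the end.
RULES = [
    # Site A may reach everything at Site B (LAN -> VPN, unchanged).
    ("LAN", "VPN", [SITE_A_LAN], [SITE_B_LAN], "ACCEPT"),
    # Only the single Site B host may enter Site A: restrict the
    # *source* network of the VPN -> LAN rule, as the answer suggests.
    ("VPN", "LAN", [SITE_B_ALLOWED_HOST], [SITE_A_LAN], "ACCEPT"),
]

# Variant from the question: single Site B IP placed in the destination.
# Packets from Site B to Site A never match it, so everything is dropped.
RULES_IP_IN_DESTINATION = [
    ("LAN", "VPN", [SITE_A_LAN], [SITE_B_LAN], "ACCEPT"),
    ("VPN", "LAN", [SITE_B_LAN], [SITE_B_ALLOWED_HOST], "ACCEPT"),
]

def evaluate(src, dst, rules=RULES):
    """Return the action applied to a new flow src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for src_zone, dst_zone, src_nets, dst_nets, action in rules:
        if (zone_of(s) == src_zone and zone_of(d) == dst_zone
                and any(s in n for n in src_nets)
                and any(d in n for n in dst_nets)):
            return action
    return "DROP"  # implicit default-drop rule

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "192.168.20.7"),
                     ("192.168.20.50", "192.168.10.5"),
                     ("192.168.20.7", "192.168.10.5")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

Replies to connections that Site A initiates are handled by the firewall's connection tracking, so they do not need a separate VPN to LAN rule.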

  • Ahh that's what I needed, I'll give this a shot. Thanks Captain_A!