
XG-FW port forward over IPsec tunnel to device in Azure

Hi,

I have an on-prem physical XG Firewall. I have an IPsec link to Azure, and I have a server sitting in the cloud which I can contact with no problems over the IPsec tunnel.

I want to forward a port from external to the device in Azure through the IPsec tunnel, but when I create a rule it does not work.

Do I need to add a static route or something in the XG firewall? I'm a little confused, as everything else works perfectly.

So I want to go from the internet to the XG device, through the IPsec tunnel, to the device in the cloud.

Thanks



  • VTI (Virtual Tunnel Interface) or policy-based tunnel? (V18 or V17.5?)

    In V18 with a VTI tunnel, you simply need a static route. I would recommend using this technique.

    In V17.5 or with a policy-based route, you need a policy for it. So, to call it, you need to select the local and remote network to match. XG will forward this traffic.

    Or you need a DNAT. Depends on your setup.

  • Hi, thanks for your reply. I am using 17.5. Can you explain a little more on how I would create a policy-based route to achieve this? The local network is 192.168.21.0 and the remote is 192.168.22.0. I can ping the host I need to get to from the local subnet and even from the actual firewall console.
  • If you can ping them, then the route is there. You simply need a firewall rule to allow the traffic from the XG side. The rest would be to check in Azure. The NSG (Network Security Group) may block the traffic.

  • It doesn't seem to get the traffic from the local LAN to the Azure LAN. Everything is open, including the NSG on the Azure end.

    It's like the IPsec tunnel is ignoring the traffic...

    The IPsec tunnel is set for source LAN to Azure LAN.

    Would it perhaps block the traffic as it appears to be coming from external?

    Thanks again

  • OK, I found the solution. With help from Sophos support, the 3rd engineer luckily knew a nice trick. :)

    My suspicion was correct: the IPsec tunnel was ignoring the traffic as it was coming from an external source.

    To fix it, we modified my DNAT rule and created a NAT from an unused IP from the local subnet to allow the traffic to pass through. I spent the entire day on this one. Hope it helps someone else.

    This allowed me to port forward to my device on the remote site over an IPsec tunnel, from the internet.
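To show why the DNAT alone failed and why the extra source NAT fixed it, here is an added model of a policy-based tunnel's traffic selectors (example code, not anything from Sophos or the thread's configuration). It uses the thread's two subnets; the internet client 203.0.113.5, the firewall WAN IP 198.51.100.1, the Azure host 192.168.22.10 and the spare local IP 192.168.21.250 are constructed values.

```python
"""Why a port-forward into a policy-based IPsec tunnel needs source NAT.

A policy-based SA only carries packets whose src/dst fall inside the negotiated
selectors (local LAN <-> remote LAN). A DNATed packet from the internet still
has an external source, so it never matches; NATting the source to a spare
local-subnet IP puts it inside the selector.  Added illustration, not XG code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.21.0/24")     # on-prem LAN (from the thread)
REMOTE_NET = ip_network("192.168.22.0/24")    # Azure LAN (from the thread)
TUNNEL_SELECTORS = [(LOCAL_NET, REMOTE_NET)]  # policy-based tunnel selectors


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def matches_tunnel(pkt: Packet) -> bool:
    """True when src/dst fit a selector pair; otherwise the packet is routed
    normally and never enters the tunnel (the 'tunnel ignores it' symptom)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return any(src in local and dst in remote for local, remote in TUNNEL_SELECTORS)


def dnat(pkt: Packet, internal_ip: str) -> Packet:
    """Port-forward: rewrite the destination to the Azure host."""
    return replace(pkt, dst=internal_ip)


def snat(pkt: Packet, spare_local_ip: str) -> Packet:
    """The fix from the thread: source becomes an unused local-subnet IP."""
    return replace(pkt, src=spare_local_ip)


def forward_without_snat(pkt: Packet, internal_ip: str) -> str:
    return "tunnel" if matches_tunnel(dnat(pkt, internal_ip)) else "dropped"


def forward_with_snat(pkt: Packet, internal_ip: str, spare_local_ip: str) -> str:
    return "tunnel" if matches_tunnel(snat(dnat(pkt, internal_ip), spare_local_ip)) else "dropped"


if __name__ == "__main__":
    inbound = Packet(src="203.0.113.5", dst="198.51.100.1", dport=443)   # constructed
    print(forward_without_snat(inbound, "192.168.22.10"))                # dropped
    print(forward_with_snat(inbound, "192.168.22.10", "192.168.21.250"))  # tunnel
```

The trade-off of this fix is that the Azure host sees every forwarded connection as coming from the spare local IP, so its own logs and NSG rules cannot distinguish internet clients; keep the original client address in the XG firewall logs.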