
Routing between two Sophos XG's on the LAN

I have two Sophos XG's at the same site and am having issues with routing between them.

XG-1 - 10.1.0.0/16

XG-2 - 10.10.0.0/16


On XG-2 I have a Network interface 10.1.0.254/24 on LAN and on XG-1 I have a Network interface 10.1.0.1/24 on LAN.

On XG-1, I created a route 10.10.0.0/16 via 10.1.0.254 and GW 10.1.0.1.

I can ping from a device behind XG-1 to a device behind XG-2. However, I cannot SSH, RDP, or access anything behind XG-1.

If I SSH into XG-1 and create a bypass-firewall 10.10.0.0/16, I can SSH and RDP, or if I create a firewall rule with destination ANY, I can SSH or RDP.


Is there any way I can SSH/RDP to devices behind XG-2 and still be able to do firewall rules without using ANY as the destination zone?

  • Hello Mark,

    If you create bypass-firewall 10.10.0.0/16, then traffic for the network 10.10.0.0/16 will no longer be controlled/managed by firewall rules.

    Are both networks, XG-1 - 10.1.0.0/16 & XG-2 - 10.10.0.0/16, connected via a switched network internally?

    As per your description, I suspect the issue is due to asymmetric routing, where request and reply packets are not taking the same route/path (request packets are probably going through the switched network and reply packets are coming to the XG; as the XG does stateful inspection, it will drop reply packets if the request packet did not go through the XG).

    Tcpdump to the destination IP from both firewalls will help you track the packets, or alternatively you can check with the GUI packet capture utility here.

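The asymmetric-routing explanation in the reply above, modelled as an added example (not Sophos code or anything from the thread): a toy stateful firewall tracks each TCP handshake, and the topology from the post is simulated twice, once with both directions crossing both XGs and once with XG-2 answering the 10.1.0.0/24 client directly so XG-1 never sees the SYN-ACK. The client and server addresses (10.1.0.50, 10.10.0.20) are constructed; only the gateway addresses come from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Minimal conntrack: a packet that does not fit the flow's known state is dropped."""

    def __init__(self, name, bypass=False):
        self.name, self.bypass, self.table, self.dropped = name, bypass, {}, []

    def forward(self, pkt):
        if self.bypass:  # models 'bypass-firewall': no state tracking at all
            return True
        key = tuple(sorted((pkt.src, pkt.dst)))  # same key for both directions
        state = self.table.get(key)
        if pkt.flags == "SYN" and state is None:
            self.table[key] = "SYN_SENT"
        elif pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
        elif pkt.flags == "ACK" and state == "ESTABLISHED":
            pass
        else:  # e.g. an ACK for a flow whose SYN-ACK this firewall never saw
            self.dropped.append((self.name, pkt))
            return False
        return True


def handshake(c2s_path, s2c_path):
    """Run SYN / SYN-ACK / ACK; each direction traverses its own list of hops."""
    client, server = "10.1.0.50", "10.10.0.20"  # constructed hosts behind XG-1 / XG-2
    steps = [(Pkt(client, server, "SYN"), c2s_path),
             (Pkt(server, client, "SYN-ACK"), s2c_path),
             (Pkt(client, server, "ACK"), c2s_path)]
    return all(fw.forward(pkt) for pkt, path in steps for fw in path)


def run(bypass=False):
    """Return (symmetric_ok, asymmetric_ok) for a fresh pair of firewalls each."""
    xg1, xg2 = StatefulFirewall("XG-1 10.1.0.1", bypass), StatefulFirewall("XG-2 10.1.0.254", bypass)
    symmetric = handshake([xg1, xg2], [xg2, xg1])  # replies return via XG-1
    xg1, xg2 = StatefulFirewall("XG-1 10.1.0.1", bypass), StatefulFirewall("XG-2 10.1.0.254", bypass)
    asymmetric = handshake([xg1, xg2], [xg2])      # XG-2 answers the client directly
    return symmetric, asymmetric
```

With tracking on, the asymmetric case fails because XG-1 sees the client's ACK while its entry is still SYN_SENT, exactly the packet a tcpdump on XG-1 would show arriving with no matching SYN-ACK before it; with bypass the same path succeeds, which is why the bypass rule "fixes" the problem at the cost of all filtering for that network.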
