
2 SOPHOS XG + 2 LAN INTERFACES ROUTING PROBLEMS

Hi, and sorry for my poor English.

I have two Sophos XG 18 units connected to the LAN through the same switches. The first Sophos (Intel hardware) has 2 WAN + 1 LAN (172.16.1.10/12) + 1 WIFI (192.168.100.1/24); the second Sophos (VMware) has 2 WAN + 2 LAN (100.64.0.1/16 and 172.16.1.9/12) + 1 WIFI (with some AP55s + 5 SSIDs) + 4 SSL VPNs to 3 remote offices. The new Sophos XG works fine: I can see all networks, VPNs to LAN1, VPNs to WAN, some WIFI SSIDs to VPNs and LAN1. Now I have connected the two Sophos units with an IPsec site-to-site tunnel, and obviously LAN2 on the second Sophos is set to None.

I have tried, and read all the posts in this community, to set the LAN2 interface to IP 172.16.1.9/12 so I can remove the IPsec tunnel: 1. Add a new zone (LAN2); 2. Assign the LAN2 zone to interface Port B; 3. Assign a static IP to Port B (172.16.1.9); 4. Save changes... I see Network 2 (172.16.0.0/12) from the Sophos, but not from the VPNs and WIFIs, and from the first Sophos I can't see Network 1 (172.16.0.0/16)... I'm writing firewall rules: source LAN, LAN2, VPN; destination LAN, LAN2, VPN; Accept. We wrote a route on Sophos 1 to see the Sophos 2 network: destination 100.64.0.0/16, gateway 172.16.1.9, interface (none), metric 0... and nothing seems to work, only the IPsec tunnel.

The offices have to access some resources in the 172.16.0.0/12 network, and that network has to access some resources in the 100.64.0.0/16 network.

Can anyone help me, please?

Thanks in advance



  • Can you show us a network map? One drawn in Paint would be fine.

    PS: Try to use route based VPN. 

  • This is more or less the network map. Right now Port B is an IPsec tunnel that works fine, but I don't want to depend on IPsec, because Company B's WANs go down frequently (provider problems), and obviously for network speed and traffic reasons.

    Route-based VPN? I don't know what that is...

    Thx

  • So you want to replace IPsec with a static route. Are we talking about the connection between Company A and B (172.16.1.10)?

  • Companies A and B used to be a single company and shared the same network equipment (switches). Now they are two different companies, A and B (A is the new company), but some resources will still be in Company B for a year or more.

    I need the whole new company, including the remote offices, to get access to the Company B network... Right now everything works fine with an IPsec tunnel: Company A and the SSL VPNs can access the Company B network without problems. I want to replace the IPsec tunnel with a LAN cable (Company A Port B to the Company B switch, because I can't add another LAN interface to Company B's Sophos).

    Thx

  • As I understood your network diagram, your traffic flow would be:

    From Lan zone:

    LAN(100.64.0.0/16) --->PortA(100.64.0.1/16) companyA XG --->PortB(LAN2-172.16.0.1/12)----> switch ---- (172.16.0.0/12)

    From WIFI Zone:

    WIFI---> (Port E) companyA XG---> PortB(LAN2-172.16.0.1/12)----> switch ---- (172.16.0.0/12)

    From VPN Zone:

    SSL VPN---> companyA XG---> PortB(LAN2-172.16.0.1/12)---- switch ---- (172.16.0.0/12)

    On the Company A XG, the firewall rule should look like:

    Source zone: LAN, WIFI,VPN

    Destination zone : LAN2

    Source and destination network can be set to Any, or as per your requirement.

    Along with this, try to create a linked NAT rule with source translation set to MASQ.

    With source translation set to MASQ, you would be able to access the Company B network (172.16.0.0/12).

    This assumes Port B (LAN2) of the Company A XG is set to 172.16.0.1/12.

    As per your initial description, you have set the correct firewall rule; however, the linked NAT rule might not be configured, due to which reply packets are going to the default gateway (Company B XG) and are probably getting dropped there.
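The reply-path problem described in the answer above, traced with a small longest-prefix-match routing model. This is an added illustration, not part of the thread and not Sophos code: the Company A XG Port B address 172.16.1.9/12 and the Company B XG address 172.16.1.10/12 come from the original post, while the client and server addresses, the device names and the routing tables are constructed assumptions. It shows why the reply from a Company B host is lost without MASQ, why MASQ fixes it, and, going beyond the answer, that a static route for 100.64.0.0/16 on the Company B XG also brings the reply back.

```python
"""Trace forward/reply paths between two networks joined by a second LAN port.

Added example (assumptions, not the thread's real configuration):
  Company A XG: Port A 100.64.0.1/16 (LAN), Port B 172.16.1.9/12 (LAN2, on B's switch)
  Company B XG: 172.16.1.10/12, default gateway for Company B hosts
  A-client 100.64.0.50 talks to B-server 172.16.5.20 through the Company A XG.
"""
import ipaddress

A_XG_PORT_B = "172.16.1.9"     # from the original post
B_XG_LAN = "172.16.1.10"       # from the original post
A_CLIENT = "100.64.0.50"       # constructed
B_SERVER = "172.16.5.20"       # constructed

# Routing tables: list of (prefix, next_hop); next_hop None = directly connected.
TABLES = {
    "A-client": [("100.64.0.0/16", None), ("0.0.0.0/0", "100.64.0.1")],
    "A-XG":     [("100.64.0.0/16", None), ("172.16.0.0/12", None), ("0.0.0.0/0", "WAN-A")],
    "B-server": [("172.16.0.0/12", None), ("0.0.0.0/0", B_XG_LAN)],
    "B-XG":     [("172.16.0.0/12", None), ("0.0.0.0/0", "WAN-B")],
}

# Which device owns which IP, used to turn a next hop into the device that receives the packet.
OWNER = {"100.64.0.1": "A-XG", A_XG_PORT_B: "A-XG", B_XG_LAN: "B-XG",
         A_CLIENT: "A-client", B_SERVER: "B-server"}


def lookup(table, dst):
    """Longest-prefix match. Returns 'connected', a next-hop string, or None (no route)."""
    dst = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    if best_net is None:
        return None
    return "connected" if best_nh is None else best_nh


def reply_path(masq, b_xg_static_route=False):
    """Devices the reply packet (B-server -> A-client) traverses.

    masq: the Company A XG SNATs the forward packet to its Port B address,
          so B-server answers 172.16.1.9 instead of 100.64.0.50.
    b_xg_static_route: the Company B XG has 100.64.0.0/16 via 172.16.1.9.
    """
    tables = {name: list(routes) for name, routes in TABLES.items()}
    if b_xg_static_route:
        tables["B-XG"].append(("100.64.0.0/16", A_XG_PORT_B))

    reply_dst = A_XG_PORT_B if masq else A_CLIENT
    dev, path = "B-server", ["B-server"]
    while dev != "A-client" and len(path) < 6:   # bounded hop count, no loops
        if dev == "A-XG" and masq:
            # Connection tracking on the A XG un-NATs the reply back to the real client.
            reply_dst = A_CLIENT
        nh = lookup(tables[dev], reply_dst)
        if nh is None:
            path.append("LOST(no route)")
            break
        if nh.startswith("WAN"):
            # Default route toward the Internet: the private reply never comes back.
            path.append("LOST(forwarded to %s)" % nh)
            break
        dev = OWNER[reply_dst if nh == "connected" else nh]
        path.append(dev)
    return path


if __name__ == "__main__":
    for label, kwargs in [("no MASQ, no route on B XG", dict(masq=False)),
                          ("MASQ on Port B", dict(masq=True)),
                          ("no MASQ, static route on B XG", dict(masq=False, b_xg_static_route=True))]:
        print("%-32s %s" % (label, " -> ".join(reply_path(**kwargs))))
```

Without MASQ the B-server's reply follows its default route to the Company B XG, which only knows 172.16.0.0/12 and its WAN, so the packet leaves toward the Internet and the session never completes; with MASQ the reply is addressed to 172.16.1.9, which is on-link, and the Company B hosts never need to know about 100.64.0.0/16. The third variant routes the reply correctly, but note the caveat the model does not capture: the Company B XG then sees only the reply half of each connection, and a stateful firewall will typically drop such out-of-state packets unless configured otherwise, which is why the MASQ approach is the simpler one when you cannot change the Company B side.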