
Sophos XG v18 - VPN over 2 Firewalls inside the same LAN network

Hello to all, I have a bit of a complicated scenario here; I will try to explain it as best as I can.


We currently have a setup for one of our clients with a Sophos XG using SSL VPN to provide remote access to users working from home. The original scenario worked perfectly and we were able to provide users with access to specific resources.


We now need to also provide access to a remote server that is located within the same network but at a different location. The new scenario is as follows:


a) Client has multiple branches that inter-connect with each other through their own private fiber network. Each remote site has its own switches, so no routers are involved in this. Each site operates with its own sets of VLANs.

b) The server will be located behind another firewall (currently we do not know exactly which brand it will be; this firewall will be managed by another company. The same goes for the server.)

c) We need to provide access to remote server for clients working from home. So traffic needs to pass first from XG -> travel through the internal network via VLAN 900 (designated for this specific remote site) -> pass through to the remote firewall -> reach remote server



Our initial thought was to connect remote users via SSL VPN then do an IPsec link with the remote firewall in order to provide access to the remote server. Can this be done?



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Client has multiple branches that inter-connect with each other through their own private fiber network. Each remote site has its own switches, so no routers are involved in this. Each site operates with its own sets of VLANs.

    Are you able to access remote resources (remote machines, servers) from the local network of XG?

    If yes, then please check the connectivity to the remote resources directly from XG. If they're not reachable from XG then try adding a static route to one of the remote servers with a specific LAN interface and then check the connectivity. If you get the reachability then you'll just need to add reverse routes on XG to remote networks.

    If any of the above doesn't work then an IPsec tunnel would be required between XG and other location firewalls.

    It would be great if you can share a rough diagram of your network environment.
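    As an added illustration of the static-route-then-reverse-route check described in the reply above (this is example code written for this page, not anything posted in the thread or shipped by Sophos), the following Python script simulates longest-prefix routing on the XG and on the remote firewall and traces a packet from an SSL VPN client to the remote server and back. All addresses, the interface names (Port1.900, tun0, lan/dmz/wan) and both routing tables are constructed assumptions. It shows the failure mode to look for: a static route on XG gets traffic to the server, but unless the remote firewall also carries a route for the SSL VPN client pool back via VLAN 900, replies follow its default route and the session never completes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# All addressing below is constructed for this example; none of it comes from the thread.
VPN_POOL = ipaddress.ip_network("10.81.234.0/24")     # SSL VPN client lease range on XG (assumed)
XG_LAN = ipaddress.ip_network("10.0.0.0/24")          # XG's main LAN on Port1 (assumed)
VLAN900 = ipaddress.ip_network("10.9.0.0/24")         # VLAN 900 transit between XG and remote FW (assumed)
SERVER_NET = ipaddress.ip_network("192.168.50.0/24")  # server subnet behind the remote FW (assumed)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
XG_V900 = "10.9.0.1"       # XG's address on its Port1.900 sub-interface (assumed name and address)
RFW_V900 = "10.9.0.254"    # remote firewall's address on VLAN 900 (assumed)
RFW_ISP = "203.0.113.1"    # remote firewall's upstream default gateway (assumed)

# A route is (prefix, outgoing interface, next hop); next hop None means directly connected.
Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a routing table, as a router would do it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, iface, nh in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, nh)
    return best


def trace(tables: Dict[str, List[Route]], links: Dict[Tuple[str, str], str],
          start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Walk a packet hop by hop. `links` maps (device, next-hop IP) to the neighbouring device.
    The returned path ends in 'delivered', 'NO ROUTE', 'leaked to <ip>' or 'loop'."""
    path = [start]
    dev = start
    for _ in range(max_hops):
        route = lookup(tables[dev], dst)
        if route is None:
            return path + ["NO ROUTE"]
        _prefix, _iface, nh = route
        if nh is None:                       # destination is on a connected network: local delivery
            return path + ["delivered"]
        nxt = links.get((dev, nh))
        if nxt is None:                      # next hop is not a device we model (e.g. the ISP)
            return path + [f"leaked to {nh}"]
        dev = nxt
        path.append(dev)
    return path + ["loop"]


def build_tables(reverse_route_on_remote_fw: bool):
    """Routing tables for the two firewalls; the flag adds the reverse route for the VPN pool."""
    xg: List[Route] = [
        (XG_LAN, "Port1", None),
        (VLAN900, "Port1.900", None),            # VLAN sub-interface on Port1, LAN zone
        (VPN_POOL, "tun0", None),                # SSL VPN clients terminate directly on XG
        (SERVER_NET, "Port1.900", RFW_V900),     # the static route suggested in the reply
        (DEFAULT, "Port2", "198.51.100.1"),
    ]
    rfw: List[Route] = [
        (VLAN900, "lan", None),
        (SERVER_NET, "dmz", None),
        (DEFAULT, "wan", RFW_ISP),
    ]
    if reverse_route_on_remote_fw:
        rfw.insert(0, (VPN_POOL, "lan", XG_V900))  # route for the VPN pool back to XG over VLAN 900
    tables = {"XG": xg, "RemoteFW": rfw}
    links = {("XG", RFW_V900): "RemoteFW", ("RemoteFW", XG_V900): "XG"}
    return tables, links


def check_vpn_client_to_server(reverse_route_on_remote_fw: bool) -> Dict[str, object]:
    """Trace both directions of one VPN-client-to-server flow and report whether it completes."""
    tables, links = build_tables(reverse_route_on_remote_fw)
    client, server = "10.81.234.6", "192.168.50.10"   # constructed endpoints
    forward = trace(tables, links, "XG", server)      # client -> XG -> remote FW -> server
    back = trace(tables, links, "RemoteFW", client)   # server -> remote FW -> ... -> client
    return {"forward": forward, "return": back,
            "works": forward[-1] == "delivered" and back[-1] == "delivered"}


if __name__ == "__main__":
    for flag in (False, True):
        result = check_vpn_client_to_server(flag)
        print(f"reverse route on remote FW: {flag}")
        print("  forward:", " -> ".join(result["forward"]))
        print("  return: ", " -> ".join(result["return"]))
        print("  works:  ", result["works"])
```

    The real-world equivalent of the two traces is a traceroute from an SSL VPN client to the server and a traceroute from the server side back to a client address. Routing is only half of it: XG still needs a firewall rule from the VPN zone to the LAN zone covering the server subnet, and the remote firewall needs a rule permitting the pool. If the company running the remote firewall will not add a route for the pool, source-NATting VPN traffic to XG's VLAN 900 address is the usual fallback, at the cost of losing the client IP on the server side.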

  • Hello Yash, and thank you for your reply... is this diagram better?

    We have communication between the two firewalls but not beyond that.

    Keep in mind: the remote users currently have access to all sites via SSL VPN (different users have access to different resources), but we also need to give them access to the remote server subnet. I will have a talk with the people responsible for the remote FW, but I think an IPsec link between the two firewalls would be the best option. How can we set up an IPsec link using a VLAN subinterface? (All subinterfaces are created on Port 1, which is a member of the LAN zone.)

    Thank you

  • Hello, do you have any updates on this?

  • FormerMember in reply to Andreas Georgiou

    Are you able to access remote resources (remote machines, servers) from XG and from the local network?

    If they're reachable from a local network but not from XG then try adding a static route on XG to one of the remote servers with a specific LAN interface and then check the connectivity.