Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 26 subscribers
  • Views 382 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advice needed regarding Ports/IP adresses and WAN IP / IPSec

jpvj

Sophos XG 18.0.5 (MR5).

Currently a /30 is assigned as the primary WAN subnet on PortB.

Q1: When adding a subnet to a port, it does not seem possible to pick individual adresses in a FW or NAT rule. I assume NAT and FW are "port based" and not "IP based". Correct?

Q2: In order to be able to use individual adresses in NAT/FW rules we have added 16 adresses from a /28 to PortB, so I can pick and choose per IP when making NAT and FW rules.

Is there any way I could just have added the /28 subnet and achieved the same?

I'm no FW expert, so if I'm completely off-tracked and this approach is "stupid" let me know :-)

Q3: There are currently some IPSec connections configured to use PortB (= Default GW IP) as local gateway.

Due to setup of a redundant connection, we need to change this network to a new /29 subnet.

I am planning to change one IPSec connection at a time, using one of the IP addresses from the /29 subnet (#PortB:xx) instead of the GW (#PortB). This way we can do a slow transfer instead of having all our remote partners doing the change when the WAN IP changes.

Are there any pitfalls using the XG and #Port:xx for the local gateway for IPSec connections?


Thank you for any input!

/JP



This thread was automatically locked due to age.
Parents
  • FormerMember
    +1 FormerMember

    Hey ,

    For your Q1: Yes if you're considering adding a subnet directly into the interface with /28, the Firewall /NAT rule will not be able to pick the IP in the rule within the range.

    However, You'll be able to define an IP host with the IP from within that subnet if that works for you.

    For Q2: Could you be more specific about this? Are you concerned with adding a per port-based NAT for that interface with a /28 subnet or just define a host in source or destination within that subnet? ( Feel free to drop in any snapshot to explain if needed)

    For Q3: You can add an Alias IP (PortB:XX) as a local gateway in IPSec connection. IPsec will attempt to connect using that Alias IP via the physical Port. There aren't any pitfalls as far as I know. However, You can do some testing to verify.


Reply
  • FormerMember
    +1 FormerMember

    Hey ,

    For your Q1: Yes if you're considering adding a subnet directly into the interface with /28, the Firewall /NAT rule will not be able to pick the IP in the rule within the range.

    However, You'll be able to define an IP host with the IP from within that subnet if that works for you.

    For Q2: Could you be more specific about this? Are you concerned with adding a per port-based NAT for that interface with a /28 subnet or just define a host in source or destination within that subnet? ( Feel free to drop in any snapshot to explain if needed)

    For Q3: You can add an Alias IP (PortB:XX) as a local gateway in IPSec connection. IPsec will attempt to connect using that Alias IP via the physical Port. There aren't any pitfalls as far as I know. However, You can do some testing to verify.


Children