
Is it possible to use a custom network zone for S2S IPSec VPN for device access

As the topic describes, I'd like to know if it is possible to use a custom zone for a site-to-site VPN connection over IPSec.

I'm asking to use this new zone for the Local service ACL on the XG/S.

My goal is to allow HTTPS Webadmin and SSH access on the remote firewall only from the IPSec Site-2-Site Tunnel and not from SSL Remote Access VPN also configured on the remote firewall.

A workaround would be a deny rule for the SSL VPN network but the first approach would be more transparent.
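The two options discussed in this post, an allow for the whole VPN zone versus a network-based local service ACL with an explicit deny for the SSL VPN pool, can be compared with a small policy model. The following is an added example, not Sophos code and not the firewall's own ACL engine: the addresses, the first-match/default-deny ACL semantics and the log format are all constructed assumptions for illustration. It runs both policies over a few constructed admin-access records and reports where a zone-level allow admits SSL VPN clients that the network-based ACL would reject.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses (assumption, not from the thread). Both the
# IPsec S2S remote network and the SSL remote-access pool terminate in the
# firewall's VPN zone, which is why "allow admin from VPN zone" is too broad.
S2S_REMOTE_NET = ipaddress.ip_network("10.20.0.0/24")
SSLVPN_POOL = ipaddress.ip_network("10.81.234.0/24")
VPN_ZONE_NETS = [S2S_REMOTE_NET, SSLVPN_POOL]
ADMIN_SERVICES = frozenset({"https", "ssh"})


@dataclass(frozen=True)
class AclRule:
    action: str                    # "allow" or "deny"
    network: ipaddress.IPv4Network
    services: frozenset            # services the rule applies to


def zone_based_policy(src: str, service: str) -> str:
    """Zone-level device access: any VPN-zone source may reach admin services."""
    ip = ipaddress.ip_address(src)
    if service in ADMIN_SERVICES and any(ip in n for n in VPN_ZONE_NETS):
        return "allow"
    return "deny"


def evaluate_acl(rules, src: str, service: str) -> str:
    """First-match evaluation of a network-based ACL with default deny (assumed semantics)."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if ip in rule.network and service in rule.services:
            return rule.action
    return "deny"


# The workaround from the post: explicit deny for the SSL VPN pool, ordered
# ahead of the allow for the S2S remote network.
HARDENED_ACL = [
    AclRule("deny", SSLVPN_POOL, ADMIN_SERVICES),
    AclRule("allow", S2S_REMOTE_NET, ADMIN_SERVICES),
]

# Constructed admin-access records (not a real Sophos log format).
SAMPLE_LOG = """\
src=10.20.0.15 service=https user=admin
src=10.81.234.7 service=ssh user=admin
src=10.81.234.9 service=https user=admin
src=10.20.0.40 service=ssh user=admin
src=192.0.2.10 service=https user=admin
"""


def parse_log(text: str):
    """Parse key=value records into (src, service) tuples."""
    entries = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        entries.append((fields["src"], fields["service"]))
    return entries


def compare_policies(log_text: str):
    """Return (src, service, zone_decision, acl_decision) for each record."""
    results = []
    for src, svc in parse_log(log_text):
        results.append((src, svc,
                        zone_based_policy(src, svc),
                        evaluate_acl(HARDENED_ACL, src, svc)))
    return results


def zone_only_admits(results):
    """Records the zone policy allows but the hardened ACL denies: the exposure gap."""
    return [(src, svc) for src, svc, zone, acl in results
            if zone == "allow" and acl == "deny"]


if __name__ == "__main__":
    res = compare_policies(SAMPLE_LOG)
    for row in res:
        print("src=%-14s svc=%-5s zone=%-5s acl=%s" % row)
    print("admitted only by zone policy:", zone_only_admits(res))
```

The output shows the SSL VPN pool addresses reaching WebAdmin/SSH under the zone-wide allow and being rejected by the network-based ACL, while S2S sources are allowed by both; rule order matters, since swapping the two ACL entries would not change the result here but would if the deny network overlapped the allow network.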



This thread was automatically locked due to age.
  • Hey,

    You can use a custom zone, but when it comes to the S2S, that network should be shared in the zone where you have allowed that S2S network.

    Meaning you create a zone named "custom", and then you have custom network X.X.X.X, and that is added on the remote network; then it makes sense.

    But otherwise, an option of ACL would be better to allow the SSH/Admin access for that remote network. 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Sorry, I do not understand your answer.

    I have not found a way to put site-2-site VPN into a different zone than the default assignment to VPN zone.

  • In short, a custom zone for LAN/DMZ is possible, but for the VPN it will need to be allowed on the VPN zone only.

    When it comes to device access, ACL will be a better option to utilize if you do not want to enable the option on the default provided zone. 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Adding to the conversation: I have a few different types of "VPN", one set for CORE business traffic links and other sets for 3rd parties.  The problem then is that I have to build out an ACL for every single VPN and spell out all traffic.  I don't mind this from a security perspective for 3rd-party traffic, but for the CORE type traffic I need any-to-any connectivity, and I can't efficiently build that quickly without a different zone, if that makes sense.

  • You can work around this with matched-user-based firewall rules. As you have authentication within the SSL VPN/IPsec remote access, you can allow this traffic based on users/groups. 

  • This is for site-to-site VPNs; unfortunately we're not to the point of "user" identification or groups within this instance.  Doing network-based ACLs overcomplicates things if we could just have a separate zone for VPNs that fit a certain criteria.
