This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IP switchboard does not communicate with the network on the other side of the Site to Site VPN

I have the following problem.

An IP switchboard and I need branch office phones to register with that switch. There is a Site-to-site VPN, between head office and branch, the telephone exchange is in the head office, network 10.20.1.0/24, branch network is 10.30.1.0/24.

There are some inbound NAT rules, for SIP and other protocols, packets arrive on a WAN alias and are routed to the switch on IP 10.20.1.220.

When the switch tries to get to some device on the branch network, 10.30.1.0/24, it doesn't go through the VPN, it insists on trying to leave through the Reflective NAT, in this way the communication between the IP devices and the switch does not work.

How can I resolve this?

Thanks !

This thread was automatically locked due to age.

Parents

0 emmosophos over 3 years ago

Hello there,

Thank you for contacting the Sophos Community.

If you do a GUI packet capture, what is the Firewall rule that your switch is using?

What is the precedence of your routes?

console> system route_precedence show

console>

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 IvanildoGalvão over 3 years ago in reply to emmosophos

The IP telephone exchange always uses the correct firewall rule, that of the IPSEC tunnel to reach the branch, but insists on trying to leave through the Reflexive NAT, created along with the DNAT for the SIP port.

It was supposed to be 10.20.1.220 >>>>>>IPSEC>>>>>>> 10.30.1.0/24
But it's being 10.20.1.220 >>>>>>>NAT Reflexive WAN >>>>>>> 10.30.1.0/24
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 IvanildoGalvão over 3 years ago in reply to emmosophos

The IP telephone exchange always uses the correct firewall rule, that of the IPSEC tunnel to reach the branch, but insists on trying to leave through the Reflexive NAT, created along with the DNAT for the SIP port.

It was supposed to be 10.20.1.220 >>>>>>IPSEC>>>>>>> 10.30.1.0/24
But it's being 10.20.1.220 >>>>>>>NAT Reflexive WAN >>>>>>> 10.30.1.0/24
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 IvanildoGalvão over 3 years ago in reply to IvanildoGalvão

console> system route_precedence show
Routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to IvanildoGalvão

Hello Ivan,

Thank you,

So the GUI Pcap shows the traffic using the correct Firewall rule which is the LAN to VPN rule, but then you see additionally the NAT rule is applied?

Try changing the precedence to be VPN routes >> Static >> SD-WAN

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 IvanildoGalvão over 3 years ago in reply to emmosophos

It looks like it reslveu, when I changed the precedence to:

Routing Precedence:
1. VPN routes
2. Static routes
3. SD-WAN policy routes

A branch host started to ping the switchboard at the headquarters, but they are still going to do tests on the registration of the extensions and telephone connection.
Cancel
Vote Up 0 Vote Down

Cancel

IP switchboard does not communicate with the network on the other side of the Site to Site VPN

Submitted a Tech Support Case lately from the Support Portal?