This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Alias adress can not be reached via RED

Hello,

an alias address has been set up on the LAN interface. This alias address can be reached from the LAN and via VPN connections (ping). This network cannot be reached via a Sophos RED at a secondary site.

However, according to Policy Tester, ping is allowed and a firewall rule is configured for the traffic.

An XG firewall is used.

Thank You!

This thread was automatically locked due to age.

Parents

0 Vivek Jagad over 3 years ago

Hello admin_idl,

Thank you for reaching out to the community, so is your RED network configured in a LAN zone ? And if yes do you have rule called LAN to LAN..?
Cancel
Vote Up 0 Vote Down

Cancel
0 admin_idl over 3 years ago in reply to Vivek Jagad

hi,

Yes exactly the Sophos RED is also in the LAN zone like the local interface. Also LAN to LAN rules are configured for the internal traffic.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to admin_idl

Can you perform a packet capture
Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US

And share the result with us to validate whether the traffic is passing from the correct rule when a ping is initiated from RED LAN network to Sophos LAN network...
Cancel
Vote Up 0 Vote Down

Cancel
0 admin_idl over 3 years ago in reply to Vivek Jagad

a ping is running and packet capture has been turned on. Rule 6 is the correct rule.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to admin_idl

So based on the screenshot of the packet capture we can see that the packet is being forwarded from the desired rule but we are not receiving a response from the other end...connection status remains UNREPLIED.

Under the rule no 6, Create linked NAT rule > and under the Translated source (SNAT) option > drop down menu > select MASQ.

And then check the results again...
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vivek Jagad over 3 years ago in reply to admin_idl

So based on the screenshot of the packet capture we can see that the packet is being forwarded from the desired rule but we are not receiving a response from the other end...connection status remains UNREPLIED.

Under the rule no 6, Create linked NAT rule > and under the Translated source (SNAT) option > drop down menu > select MASQ.

And then check the results again...
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 admin_idl over 3 years ago in reply to Vivek Jagad

Hello,

unfortunately nothing has changed although a linked nat rule was created. The connection is still unreplied.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to admin_idl

Still the NAT ID shows 0.
So, can you ensure the fw rule is on the top even after creating the linked NAT rule...
Cancel
Vote Up 0 Vote Down

Cancel
0 admin_idl over 3 years ago in reply to Vivek Jagad

yes, fw rule is on top after creating linked NAT rule but still the NAT ID = 0
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to admin_idl

Can you provide the screenshot of the FW rule created...
Cancel
Vote Up 0 Vote Down

Cancel
0 admin_idl over 3 years ago in reply to Vivek Jagad

I can describe the rule for you:

Source zones: LAN

Source networks and devices: RED_Network

Destination Zones: Any

Destination networks: Any

Linked NAT Rule was created
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to admin_idl

Hey admin_idl,

Thank you for sharing the details, as discussed please raise a support service request to diagnose the issue further...
Cancel
Vote Up 0 Vote Down

Cancel