Hello, I'm a new network engineer in uncharted territory. I was wondering if I could get some assistance with an Azure VNET I'm trying to peer through a Sophos XG Firewall. I have another Sophos XG going for another project so it isn't entirely foreign to me but that setup is much more direct. I believe the problem is a routing issue but I'm not 100% sure. Here is what I have so far.
I have a resource group with a single server intended to be a production environment. Details:
VNET Address Space: 10.7.0.0/16
Default Subnet: 10.7.0.0/24
Production Subnet: 10.7.1.0/24
Server Private IP: 10.7.1.4
Server Gateway: 10.7.1.1
I have a peering connection set up between the two VNETs. The peering status is connected. Gateway transit is showing disabled on both ends; I didn't have an option to enable it.
My XG Firewall uses the following:
VNET Address Space: 10.8.0.0/16
LAN Subnet: 10.8.0.0/24
WAN Subnet: 10.8.1.0/24
Port A (LAN): 10.8.0.4
Port B has two IP configurations assigned in Azure. I'm using the second config for this server. It is set up as an alias in the XG.
Port B: 10.8.1.5
I have a route table in both VNETs that captures 0.0.0.0/0 and sends it to 10.8.0.4.
I have NAT rules to take traffic coming in on 10.8.1.5 and forward it to 10.7.1.4. There is a LAN to WAN rule with a masqueraded NAT and a LAN to LAN rule. The rules are set to allow HTTP, HTTPS, and an HTTPS service on a different port used specifically by a server application I'm running at 10.7.1.4.
I can ping Port A from the server at 10.7.1.4 but I cannot ping the server from Port A using the XG's diagnostic tools. If I do a traceroute using the XG's diagnostic tools it says it's reaching 10.7.1.4 from the Port B gateway of 10.8.1.1.
Internet traffic is flowing across the LAN to WAN and I can see the server sending data out across the DNAT firewall rule (the server application connects to a couple of services across HTTPS). What I can't do is reach the server from the client application on my PC. I can see traffic for this coming in on Port B with a destination of 10.7.1.4 and that it's being forwarded, but it doesn't seem to be reaching the destination.
I know that it's a routing problem from the XG to the server but I can't figure out what I'm missing. I would greatly appreciate your assistance. Thank you!
EDIT: I should add that I reviewed another post at https://community.sophos.com/sophos-xg-firewall/f/discussions/123217/vnet-peering-with-xg-in-azure but I'm not sure how to apply this fix to my setup. I made an attempt at setting a static IPv4 unicast route on the XG but that didn't solve the issue.
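One way to reason about the symptom described above (traceroute from the XG reaching 10.7.1.4 via the Port B gateway 10.8.1.1 rather than via Port A) is to run a longest-prefix-match lookup over the route tables the post implies. The following is an added example and not code from the post, the Sophos XG, or Azure: it models the XG's table as the post describes it (two connected subnets plus a default route out Port B), then the same table with an assumed static route for the peered VNet 10.7.0.0/16 via an assumed LAN-side Azure gateway of 10.8.0.1, and finally the Azure effective routes of the production subnet (system routes for the local VNet and the peering, plus the 0.0.0.0/0 user-defined route to 10.8.0.4). All prefixes and hops other than the ones quoted in the post are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix in CIDR form
    next_hop: str    # gateway IP or a symbolic next-hop type
    via: str         # XG interface name, or "system"/"udr" for Azure routes
    priority: int = 0  # tie-break among equal-length prefixes (higher wins)

    @property
    def network(self):
        return ip_network(self.prefix)


def lookup(routes, dst):
    """Longest-prefix match; equal prefix lengths fall back to priority.
    Azure resolves equal prefixes in favour of user-defined routes, which
    is what the priority field models here."""
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, r.priority))


# XG routing table reconstructed from the post: Port A on 10.8.0.0/24,
# Port B on 10.8.1.0/24, default route via the Port B gateway 10.8.1.1.
XG_ROUTES_AS_DESCRIBED = [
    Route("10.8.0.0/24", "connected", "PortA"),
    Route("10.8.1.0/24", "connected", "PortB"),
    Route("0.0.0.0/0", "10.8.1.1", "PortB"),
]

# Assumption: a static route for the peered VNet pointing at the LAN-side
# Azure subnet gateway 10.8.0.1 (first usable address of 10.8.0.0/24, by
# analogy with the server's 10.7.1.1 gateway quoted in the post).
XG_ROUTES_WITH_STATIC = XG_ROUTES_AS_DESCRIBED + [
    Route("10.7.0.0/16", "10.8.0.1", "PortA"),
]

# Azure effective routes on the production subnet, reconstructed from the
# post: local VNet, the peering to 10.8.0.0/16, the default system route to
# Internet, and the user-defined 0.0.0.0/0 route to the XG at 10.8.0.4.
AZURE_PROD_SUBNET_ROUTES = [
    Route("10.7.0.0/16", "VirtualNetwork", "system"),
    Route("10.8.0.0/16", "VNetPeering", "system"),
    Route("0.0.0.0/0", "Internet", "system", priority=0),
    Route("0.0.0.0/0", "10.8.0.4", "udr", priority=1),
]


def xg_egress_interface(dst, routes=XG_ROUTES_AS_DESCRIBED):
    """Interface the XG would use to reach dst under the given table."""
    r = lookup(routes, dst)
    return r.via if r else None


def azure_next_hop(dst, routes=AZURE_PROD_SUBNET_ROUTES):
    """Next hop Azure would choose for traffic leaving the server subnet."""
    r = lookup(routes, dst)
    return r.next_hop if r else None


if __name__ == "__main__":
    print("XG -> 10.7.1.4 as described:", xg_egress_interface("10.7.1.4"))
    print("XG -> 10.7.1.4 with static route:",
          xg_egress_interface("10.7.1.4", XG_ROUTES_WITH_STATIC))
    print("server -> 10.8.0.4:", azure_next_hop("10.8.0.4"))
    print("server -> 203.0.113.10:", azure_next_hop("203.0.113.10"))
```

With only a default route present, the lookup sends 10.7.1.4 out Port B, matching the traceroute in the post; a more specific 10.7.0.0/16 entry wins the comparison and moves it to Port A. On the Azure side the peering's /16 system route beats the /0 user-defined route for traffic to 10.8.0.4, while anything outside both VNets follows the UDR to the XG, so the script is a quick way to check that the forward path through the XG and the return path from the server are using the interfaces you expect. It only models route selection; it says nothing about NAT or firewall rules.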