Hi @all,
I'm going crazy over this and I'm thankful for every hint^^
There is a main router firewall (Cisco ASA) which provides a lot of S2S VPNs. The ASA will be replaced by a Sophos XG in future. Because of the large number of undocumented S2S tunnels, tons of policies, and a few DMZ networks, we decided to replace the ASA step by step.
For now the Sophos is an SSLVPN gateway for remote access, and it's working for all ASA networks with the corresponding ASA firewall rulesets, but not for ASA-provided S2S tunnel resources (later called ASA-S2S-net). Sophos seems to be the root cause. This is my setup:
Sophos is installed as a non-gateway firewall and has a route to the LAN:
Sophos 10.222.0.1 -> Core Switch 10.222.0.254 -> ASA 10.1.0.1
To use the Sophos for remote access SSLVPN, I entered a public IP gateway and set up remote access:
WAN -> Sophos 89.89.89.89 -> 172.16.0.0/20
Because of the ASA-provided S2S resources, I extended the Sophos SSLVPN profile with newly created host items:
Permitted resources: LAN + ASA-S2S-net-1
And set new static routes for those networks:
ASA-S2S-net-1: 192.168.120.0/21 via LAN-INT
And of course I extended the relevant firewall policy to permit access from SSLVPN to LAN + ASA-S2S-net-1
+ Rebooted Sophos
- When I ping an ASA-S2S-net-1 host from the SSLVPN client network, I get the answer "Destination Host unreachable" from Sophos, but my pings weren't even logged.
- When I ping via diagnostic tools: 100% packet loss
- When I lookup route via diagnostic tools:
192.168.120.97 is located on br0 >>> this is actually right
192.168.120.97 is not behind a router >>> how is this message produced? I mean, the ASA is the router, but the next hop is a routing core switch. But that shouldn't break it, right?
I must be missing something; I don't get it running.
Any ideas on this?
cheers,
Vanessa
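As an added illustration (not part of the post above, and not Sophos code), the following Python models what a Linux-based firewall does with a static route that names only an interface and no next hop: longest-prefix match picks the route, and because there is no gateway the destination is treated as on-link ("not behind a router"), so the box ARPs for the destination itself on br0 instead of handing the packet to the core switch. If nothing on br0 answers that ARP, the kernel generates "Destination Host Unreachable" locally, before any forwarding or firewall rule sees the packet, which is consistent with pings that never appear in the log. The second table adds the gateway and the same lookup forwards to 10.222.0.254. The topology, the /24 on br0 and the set of hosts that answer ARP are constructed for the example; whether this is exactly what the XG route lookup tool reports is an assumption.

```python
"""Simulated FIB lookup: interface-only route vs. route with a next hop.

Constructed example. Addresses are taken from the post; the /24 mask on br0,
the tun0 name and the ARP neighbour table are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    gateway: Optional[IPv4Address] = None  # None = on-link, i.e. "not behind a router"


def lookup(routes, dst):
    """Longest-prefix match over the table, like a kernel FIB lookup."""
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(routes, dst):
    """Return (egress interface, L2 address to ARP for, behind_router flag)."""
    r = lookup(routes, dst)
    if r is None:
        return None
    if r.gateway is None:
        # No gateway on the route: the host ARPs for the destination directly.
        return (r.iface, ip_address(dst), False)
    # Gateway present: ARP for the gateway, hand the packet to it.
    return (r.iface, r.gateway, True)


def deliver(routes, neighbours, dst):
    """What happens to one packet: resolve the L2 next hop or fail locally."""
    hop = next_hop(routes, dst)
    if hop is None:
        return "network unreachable (no route)"
    iface, arp_target, behind_router = hop
    if arp_target not in neighbours.get(iface, set()):
        # ARP times out: ICMP host-unreachable is generated by this host,
        # the packet never reaches the forwarding path or a firewall rule.
        return f"destination host unreachable (no ARP reply for {arp_target} on {iface})"
    kind = "gateway" if behind_router else "direct"
    return f"forwarded on {iface} to {arp_target} ({kind})"


CORE_SWITCH = ip_address("10.222.0.254")

# Hosts that answer ARP on each interface (constructed). The S2S network
# 192.168.120.0/21 is remote, so none of its hosts ever answer on br0.
NEIGHBOURS = {
    "br0": {CORE_SWITCH, ip_address("10.222.0.50")},
    "tun0": set(),
}

# Table as described in the post: S2S route scoped to the LAN interface only.
ROUTES_AS_POSTED = [
    Route(ip_network("10.222.0.0/24"), "br0"),             # connected LAN (mask assumed)
    Route(ip_network("172.16.0.0/20"), "tun0"),            # SSLVPN client pool
    Route(ip_network("192.168.120.0/21"), "br0"),          # "via LAN-INT", no gateway
]

# Same table with the core switch as next hop for the S2S network.
ROUTES_WITH_GATEWAY = [
    Route(ip_network("10.222.0.0/24"), "br0"),
    Route(ip_network("172.16.0.0/20"), "tun0"),
    Route(ip_network("192.168.120.0/21"), "br0", gateway=CORE_SWITCH),
]


if __name__ == "__main__":
    for name, table in (("as posted", ROUTES_AS_POSTED), ("with gateway", ROUTES_WITH_GATEWAY)):
        print(f"[{name}] 192.168.120.97 ->", deliver(table, NEIGHBOURS, "192.168.120.97"))
```

The model only covers the outbound lookup on the Sophos. Even when the packet is handed to the core switch, end-to-end reachability still depends on the return path (the ASA and the remote S2S peer must route and permit 172.16.0.0/20 back towards the Sophos), which is outside what this example shows.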