SD-RED network can't reach XG Network

Hi  ValerioGabrielli 

Please check the traffic flow under Packet Capture for not working traffic and drop packets from CLI will help you to find the firewall rule.

Thanks and Regards

console> drop-packet-capture 'src host 192.168.1.2'                             
2023-01-09 13:13:23 0101021 IP 192.168.1.2.51323 > 192.168.1.1.53 : proto UDP: p
acket len: 95 checksum : 9020                                                   
0x0000:  4500 0073 7982 0000 7f11 3ea4 c0a8 0102  E..sy.....>.....              
0x0010:  c0a8 0101 c87b 0035 005f 233c 680f 0100  .....{.5._#<h...              
0x0020:  0001 0000 0000 0000 095f 6b65 7262 6572  ........._kerber              
0x0030:  6f73 045f 7463 7017 4465 6661 756c 742d  os._tcp.Default-              
0x0040:  4669 7273 742d 5369 7465 2d4e 616d 6506  First-Site-Name.              
0x0050:  5f73 6974 6573 0264 6306 5f6d 7364 6373  _sites.dc._msdcs              
0x0060:  0774 6573 746c 6162 056c 6f63 616c 0000  .testlab.local..              
0x0070:  2100 01                                  !..                           
Date=2023-01-09 Time=13:13:23 log_id=0101021 log_type=Firewall log_component=Fir
ewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_
dev=reds1 out_dev=reds1 inzone_id=8 outzone_id=8 source_mac=94:c6:91:71:55:e1 de
st_mac=00:04:e5:fa:c2:d0 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.2 des
t_ip=192.168.1.1 l4_protocol=UDP source_port=51323 dest_port=53 fw_rule_id=0 pol
icytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 
hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter
_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_cl
assid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=398
8809309 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbrid[0]=0 pb
rid[1]=0 profileid[0]=0 profileid[1]=0                                          
                                                                                
2023-01-09 13:13:23 0101021 IP 192.168.1.2.64440 > 192.168.1.1.53 : proto UDP: p
acket len: 64 checksum : 39548                                                  
0x0000:  4500 0054 7983 0000 7f11 3ec2 c0a8 0102  E..Ty.....>.....              
0x0010:  c0a8 0101 fbb8 0035 0040 9a7c 9e08 0100  .......5.@.|....              
0x0020:  0001 0000 0000 0000 095f 6b65 7262 6572  ........._kerber              
0x0030:  6f73 045f 7463 7002 6463 065f 6d73 6463  os._tcp.dc._msdc              
0x0040:  7307 7465 7374 6c61 6205 6c6f 6361 6c00  s.testlab.local.              
0x0050:  0021 0001                                .!..                          
Date=2023-01-09 Time=13:13:23 log_id=0101021 log_type=Firewall log_component=Fir
ewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_
dev=reds1 out_dev=reds1 inzone_id=8 outzone_id=8 source_mac=94:c6:91:71:55:e1 de
st_mac=00:04:e5:fa:c2:d0 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.2 des
t_ip=192.168.1.1 l4_protocol=UDP source_port=64440 dest_port=53 fw_rule_id=0 pol
icytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 
hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter
_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_cl
assid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=870
678525 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbrid[0]=0 pbr
id[1]=0 profileid[0]=0 profileid[1]=0                                           

console> drop-packet-capture 'src host 192.168.1.2'                             
2023-01-09 13:13:23 0101021 IP 192.168.1.2.51323 > 192.168.1.1.53 : proto UDP: p
acket len: 95 checksum : 9020                                                   
0x0000:  4500 0073 7982 0000 7f11 3ea4 c0a8 0102  E..sy.....>.....              
0x0010:  c0a8 0101 c87b 0035 005f 233c 680f 0100  .....{.5._#<h...              
0x0020:  0001 0000 0000 0000 095f 6b65 7262 6572  ........._kerber              
0x0030:  6f73 045f 7463 7017 4465 6661 756c 742d  os._tcp.Default-              
0x0040:  4669 7273 742d 5369 7465 2d4e 616d 6506  First-Site-Name.              
0x0050:  5f73 6974 6573 0264 6306 5f6d 7364 6373  _sites.dc._msdcs              
0x0060:  0774 6573 746c 6162 056c 6f63 616c 0000  .testlab.local..              
0x0070:  2100 01                                  !..                           
Date=2023-01-09 Time=13:13:23 log_id=0101021 log_type=Firewall log_component=Fir
ewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_
dev=reds1 out_dev=reds1 inzone_id=8 outzone_id=8 source_mac=94:c6:91:71:55:e1 de
st_mac=00:04:e5:fa:c2:d0 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.2 des
t_ip=192.168.1.1 l4_protocol=UDP source_port=51323 dest_port=53 fw_rule_id=0 pol
icytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 
hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter
_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_cl
assid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=398
8809309 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbrid[0]=0 pb
rid[1]=0 profileid[0]=0 profileid[1]=0                                          
                                                                                
2023-01-09 13:13:23 0101021 IP 192.168.1.2.64440 > 192.168.1.1.53 : proto UDP: p
acket len: 64 checksum : 39548                                                  
0x0000:  4500 0054 7983 0000 7f11 3ec2 c0a8 0102  E..Ty.....>.....              
0x0010:  c0a8 0101 fbb8 0035 0040 9a7c 9e08 0100  .......5.@.|....              
0x0020:  0001 0000 0000 0000 095f 6b65 7262 6572  ........._kerber              
0x0030:  6f73 045f 7463 7002 6463 065f 6d73 6463  os._tcp.dc._msdc              
0x0040:  7307 7465 7374 6c61 6205 6c6f 6361 6c00  s.testlab.local.              
0x0050:  0021 0001                                .!..                          
Date=2023-01-09 Time=13:13:23 log_id=0101021 log_type=Firewall log_component=Fir
ewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_
dev=reds1 out_dev=reds1 inzone_id=8 outzone_id=8 source_mac=94:c6:91:71:55:e1 de
st_mac=00:04:e5:fa:c2:d0 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.2 des
t_ip=192.168.1.1 l4_protocol=UDP source_port=64440 dest_port=53 fw_rule_id=0 pol
icytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 
hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter
_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_cl
assid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=870
678525 masterid=0 status=256 state=0, flag0=687196864512 flags1=0 pbrid[0]=0 pbr
id[1]=0 profileid[0]=0 profileid[1]=0                                           

Hello there,

I recommend you move from the 192.168.0 and the 192.168.1 networks, as this will cause issues as your network grows.

What IP behind the Sophos Firewall are you trying to Ping from a computer (IP)  behind the RED? 

Regards,

Hello,

ok I 'll keep in mind, anyway these subnets are just for testing.

Behind the XG there is a host with IP 172.16.16.16, I can't ping it from the host 192.168.1.2 behind the RED, but I can ping 192.168.1.2 from 172.16.16.16

Maybe this issue is caused by the fact that I can't open ports 3400 tcp and 3410 udp on the Cisco firewall beside the  RED?

that's possible.
You need these Ports.