Static Routing How To

Hello there,

Thanks for reaching out to Sophos Community 

If you remove the static route configured on PC what does tracert shows when you are trying to reach Network 2? 

Further, could you verify if the your configured static routes are in the routing table entry in Advanced Shell? kindly type in route -n

Also, to confirm, does this worked before? and if yes, what changes occured in the FW prior this issue?

Cheers,

If I remove the static route on the PC and I try adding the routes into sophos xg there is no traffic passing. Running tracert shows the first hop as 10.10.10.254 then the 2nd and all subsequent hops has all asterisks.

When I did have the routes in the sophos xg the routes did show by running route -n.

This never worked before as this is something new I'm trying to setup and it is just simply not working as expected.

Hello,

Thanks for the information. Could you also run trace route and ping on Firewall under Diagnostics>Traceroute/ping to the destination address?

Also could you verify if Static routes is on top of routing precedence: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/index.html

Thanks for your time and patience and thank you for choosing Sophos

Cheers,

Just so you know I have a Sophos XG 85 which is only on SFOS 17.5.17 MR-17-Build837 so I don't believe I can do this step of your request. Also could you verify if Static routes is on top of routing precedence: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/index.html

Here is the commands that I entered on the XG to add the routes and the output of the route -n command with my public IP redacted.

Output of traceroute from Sophos XG works fine and so does a ping. But unless I add the routes on the windows PCs no traffic routes on network devices on the LAN to these IPs.

My apologies I guess I can run that command I just don't have SD_WAN. Here is the result of that command.

My apologies I guess I can run that command I just don't have SD_WAN. Here is the result of that command.

I have changed the route precedence to look like this now. Even with doing this though devices on my LAN still cannot ping 192.168.50.0 devices or 10.252.252.0 devices unless I add static routes on those devices.

Hello there,

Thanks for these details. I would suspect you are facing Asymmetric routing issues,Asymmetric routing is when a packet takes a certain path from source host A across the network to destination host B but then a return packet takes a separate path from the source host B to destination host A.

I may recommend adding a bypass configuration from Stateful inspection on your XG device. 

set advanced-firewall bypass-stateful-firewall-config add source_network 10.10.10.0 source_netmask 255.255.255.0 dest_network 192.168.50.0 dest_netmask 255.255.255.0

and add other remaining networks using the same command.

In case you wish to revert the connection entry , if it does not work.

set advanced-firewall bypass-stateful-firewall-config del source_network 10.10.10.0 source_netmask 255.255.255.0 dest_network 192.168.50.0 dest_netmask 255.255.255.0

Then Verify:

View the Bypass Stateful Firewall configuration by executing the following command: show advanced-firewall

Kindly let us know how it goes. Thanks for your time and patience and thank you for choosing Sophos

Cheers,

This worked flawlessly. Thank you so much.

Hello,

You're welcome. Thanks for your time and patience and thank you for choosing Sophos

Cheers,