RED XG (Client) to XG (Server) do I need routing?

Hey again folks!

So I have two XG210 firewalls running on 16.01.1 and I have created a RED tunnel between the two with one acting as the server (SiteA) and one as the client (SiteB). The connection is set in the LAN zone.

The tunnel is up according to both SiteA and SiteB and I am able to ping the firewall internal IPs from both sides.

I can't ping or connect to anything behind either firewall. Do I need to set up static routing?

  • Yes,

    Static routing is needed and also a LAN to LAN firewall rule to allow traffic.

  • Hi Luke,

    How would I set the routing up?

    I had put a Unicast IPv4 rule in on both sides like the following:

    Site A is on 192.168.0.0/20
    Site B is on 172.16.0.0/16

    Site A Unicast Rule:
    Dest IP/Subnet: 172.16.0.0/16
    Gateway:
    Interface: reds3-172.16.48.105
    Distance: 0

    Site B Unicast Rule:
    Dest IP/Subnet: 192.168.0.0/16
    Gateway:
    Interface: reds3-192.168.1.1
    Distance: 0

    I have LAN/VPN->LAN/VPN rules already set up. I still can't seem to get beyond my firewall (and the remote firewall responds in <1ms, so I don't think it actually is being hit).

    EDIT: I confirmed that the firewall replying is in fact the local firewall when pinging the remote firewall IP.

  • Is compression enabled on the RED configuration?

    Thanks

  • Devon,

    Without a proper network diagram I cannot say whether it is correct. Also, the gateway is missing from your configuration. I have sent you a PM to help you!

    :-)

  • To recap:

    1. Make sure to create the RED Server on one XG and choose a network/subnet that does not exist (192.168.10.1/24 for example) and choose the zone (creating a proper zone is recommended)
    2. Download the configuration from the first XG
    3. Upload the RED config on the XG acting as RED Client
    4. Insert the XG Server public IP/Hostname
    5. Insert an available IP that matches the Network IP/Subnet chosen in point 1 (192.168.10.2/24 for example)
    6. Create a unicast route on the XG acting as Server where the destination is the XG Client LAN with the proper subnet, using 192.168.10.2 as gateway on the RED interface
    7. Create a unicast route on the XG acting as Client where the destination is the XG Server LAN with the proper subnet, using 192.168.10.1 as gateway on the RED interface
    8. Create LAN to LAN Policy Rules or the proper zones used during steps 1 and 2
    9. Use the command: system route_precedence show to show the current default precedence
    10. Use this command to change the precedence from point 9: system route_precedence set policyroute static vpn
    11. Ping a remote device beyond the RED tunnel

    That's all!
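A small checker, added here as an example and not part of the thread or of Sophos XG, that tests a site's unicast routes and zone rules against steps 1, 6/7 and 8 of the recap above; the LAN prefixes are the poster's, while the RED transfer network 10.99.99.0/24, the zone name "RED" and the rule tuples are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not Sophos code. LAN prefixes are the poster's; the RED transfer
# network 10.99.99.0/24, the "RED" zone name and the rule tuples are constructed.
@dataclass
class Site:
    name: str
    lan: str            # local LAN prefix, e.g. "192.168.0.0/20"
    red_addr: str       # this XG's address on the RED transfer network
    red_iface: str      # RED interface name
    red_zone: str       # zone the RED interface was placed in (step 1)
    routes: list = field(default_factory=list)  # {"dest", "gateway", "iface"}
    rules: list = field(default_factory=list)   # (src_zone, dst_zone) allow pairs

def check_site(local, peer):
    # Returns the list of problems stopping `local` from reaching `peer`'s LAN.
    problems = []
    tunnel = ipaddress.ip_interface(local.red_addr).network
    peer_gw = ipaddress.ip_interface(peer.red_addr).ip
    local_lan, remote_lan = ipaddress.ip_network(local.lan), ipaddress.ip_network(peer.lan)
    # Step 1: the transfer network must not collide with either LAN.
    if tunnel.overlaps(local_lan) or tunnel.overlaps(remote_lan):
        problems.append(f"{local.name}: RED network {tunnel} overlaps a site LAN")
    # Steps 6/7: a route must cover the remote LAN, use the peer's RED address as gateway, and leave via the RED interface.
    covering = [r for r in local.routes
                if remote_lan.subnet_of(ipaddress.ip_network(r["dest"]))]
    if not covering:
        problems.append(f"{local.name}: no unicast route covering {remote_lan}")
    for r in covering:
        if not r.get("gateway"):
            problems.append(f"{local.name}: route {r['dest']} has no gateway (expected {peer_gw})")
        elif ipaddress.ip_address(r["gateway"]) != peer_gw:
            problems.append(f"{local.name}: route {r['dest']} gateway should be {peer_gw}")
        if r["iface"] != local.red_iface:
            problems.append(f"{local.name}: route {r['dest']} must use {local.red_iface}")
    # Step 8: an allow rule is needed in both directions between LAN and the RED zone.
    for src, dst in (("LAN", local.red_zone), (local.red_zone, "LAN")):
        if (src, dst) not in local.rules:
            problems.append(f"{local.name}: missing {src}->{dst} firewall rule")
    return problems

# Constructed configs: the poster's first attempt (RED in LAN zone, empty gateway) and the recap's layout.
SITE_B = Site("SiteB", "172.16.0.0/16", "10.99.99.2/24", "reds3", "RED")
SITE_A_BROKEN = Site("SiteA", "192.168.0.0/20", "10.99.99.1/24", "reds3", "LAN",
                     routes=[{"dest": "172.16.0.0/16", "gateway": "", "iface": "reds3"}],
                     rules=[("LAN", "LAN")])
SITE_A_FIXED = Site("SiteA", "192.168.0.0/20", "10.99.99.1/24", "reds3", "RED",
                    routes=[{"dest": "172.16.0.0/16", "gateway": "10.99.99.2", "iface": "reds3"}],
                    rules=[("LAN", "RED"), ("RED", "LAN")])
```

Running `check_site(SITE_A_BROKEN, SITE_B)` reports only the missing gateway, which is the gap the thread identified, while the fixed site reports nothing.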