
Need help configuring XG to support AT&T VPN gateway in DMZ

I have attempted my first XG configuration to put an AT&T VPN gateway (IPsec, I believe) with an extensive set of required management rules into a DMZ.

XG DMZ interface is 10.255.168.1, VPN gateway WAN interface is 10.255.168.2

First off I am unable to ping the XG interface from the VPN gateway; the VPN gateway believes that it has no internet connectivity and won't go online.

I am not sure how to log the traffic to diagnose if things are configured correctly and if so to troubleshoot the rules that I have written.  Any guidance one can offer would be appreciated.

Port    Protocol       Direction   Address                        Application                                                  NetGate Code version
----    --------       ---------   -------                        -----------                                                  --------------------
        ESP (50)       in/out      Any (tunnel server IPs)        IPsec                                                        All

   9    UDP, TCP       out         12.67.1.68                     Bandwidth tests (CoS) (US)
                                   32.114.25.44                   Bandwidth tests (CoS) (AP)
                                   32.112.48.164                  Bandwidth tests (CoS) (EMEA)

At least one time server address should be permitted, preferably multiple addresses for redundancy.

  13    TCP            in/out      208.66.175.36                  STP (Simple Time Protocol)                                   1.5+
                                   207.200.81.113
                                   206.246.118.250
                                   198.60.73.8
                                   192.43.244.18
                                   173.14.47.149
                                   132.163.4.103
                                   132.163.4.102
                                   132.163.4.101
                                   131.107.13.100
                                   129.6.15.29
                                   129.6.15.28
                                   128.138.188.172
                                   128.138.140.44
                                   69.25.96.13
                                   68.216.79.113
                                   64.236.96.53
                                   64.147.116.229
                                   64.125.78.85
                                   64.113.32.5
                                   64.90.182.55

        ICMP type 20   out         129.37.4.131                   Proactive Monitoring (US and AP)
                                   129.37.4.71                    Proactive Monitoring (US)
                                   165.172.132.76                 Proactive Monitoring (Canada)
                                   32.112.12.83                   Proactive Monitoring (EMEA)
                                   32.112.12.51                   Proactive Monitoring (EMEA)

        ICMP type 21   in          129.37.4.131                   Proactive Monitoring (US and AP)                             All
                                   129.37.4.71                    Proactive Monitoring (US and AP)
                                   165.172.132.76                 Proactive Monitoring (Canada)
                                   32.112.12.83                   Proactive Monitoring (EMEA)
                                   32.112.12.51                   Proactive Monitoring (EMEA)

  20    TCP            in          165.87.194.246                 FTP Data for Code Updates                                    All
                                   165.87.194.243

  21    TCP            out         165.87.194.246                 FTP for Code Updates                                         All
                                   165.87.194.243

  22    TCP            in          129.37.4.0/24                  SSH Remote Management                                        All

  53    UDP            out         ISP and AT&T DNS               WAN connectivity test/dns_ping                               1.6+

 443    TCP            in          129.37.4.0/24                  HTTPS Remote Management                                      All
                                   ** Customer specific or 3rd party support subnets may need to be added **

 500    UDP            in/out      Any (tunnel server IPs)        IPsec ISAKMP negotiation                                     All

4500    UDP            in/out      Tunnel server IP               NAT-T (when ESP protocol 50 is blocked; added in v5.2.600)

5080    TCP            out         204.146.172.225                RIG/SVCMGR - Auth                                            All
                                   204.146.166.105
                                   204.146.172.226
                                   204.146.219.1
                                   204.146.172.230
                                   204.146.166.107
                                   (or see Global RIG List)

5081    UDP            in/out      204.146.172.225                RIG Query                                                    Pre-1.4
                                   204.146.166.105
                                   204.146.172.226
                                   204.146.219.1
                                   204.146.172.230
                                   204.146.166.107
                                   (or see Global RIG List)

8080    TCP            in          129.37.4.0/24                  Secure Support Interface                                     v1.5 through v5.3

9920    TCP            in/out      144.160.245.70                 Remote Access Repository                                     All
                                   129.37.0.113
                                   32.97.118.242 (removed from service)



This thread was automatically locked due to age.
  • This is my (likely horrible) attempt at implementing the rules.
     
    Users: Any Live User on every rule; counters: in 0 B, out 0 B on every rule.

    ID  Name                         Src zone   Source                            Dst zone   Destination                       Services                       Action
    --  ----                         --------   ------                            --------   -----------                       --------                       ------
     2  ICMP                         LAN, DMZ   Any Host                          Any Zone   Any Host                          ICMP                           Accept
    19  Netgate - ESP out            DMZ        Netgate                           WAN        Any Host                          ESP                            Accept
     3  Netgate - ESP in             WAN        Any Host                          DMZ        Netgate                           ESP                            Accept
     4  Netgate - Bandwidth          DMZ        Netgate                           WAN        12.67.1.68                        discard                        Accept
     5  Netgate - Daytime out        DMZ        Netgate                           WAN        STP hosts                         daytime                        Accept
     6  Netgate - daytime in         WAN        STP hosts                         DMZ        Netgate                           daytime                        Accept
     7  Netgate - monitoring out     DMZ        Netgate                           WAN        Netgate monitoring hosts          type20                         Accept
     8  Netgate - monitoring in      WAN        Netgate monitoring hosts          DMZ        Netgate                           type21                         Accept
     9  Netgate - FTP                DMZ        Netgate                           WAN        Netgate FTP hosts                 FTP                            Accept
    10  Netgate - FTP data           WAN        Netgate FTP hosts                 DMZ        Netgate                           ftp-data                       Accept
    11  Netgate - DNS                DMZ        Netgate                           WAN        Any Host                          DNS                            Accept
    12  Netgate - Remote Management  WAN        Netgate remote management         DMZ        Netgate                           HTTPS, SSH, HTTP-8080          Accept
    13  Netgate - isakmp out         DMZ        Netgate                           WAN        Any Host                          isakmp, nat-t                  Accept
    14  Netgate - isakmp in          WAN        Any Host                          DMZ        Netgate                           isakmp, nat-t                  Accept
    15  Netgate - RIG out            DMZ        Netgate                           WAN        Netgate RIG hosts                 RIG/SVCMGR - Auth, RIG Query   Accept
    16  Netgate - RIG in             WAN        Netgate RIG hosts                 DMZ        Netgate                           RIG Query                      Accept
    17  Netgate - RAP out            DMZ        Netgate                           WAN        Netgate remote access repository  Netgate remote access rep...   Accept
    18  Netgate - RAP in             WAN        Netgate remote access repository  DMZ        Netgate                           Netgate remote access rep...   Accept
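Added example (not code from the thread, from Sophos or from AT&T): a small audit that checks the XG rule set in the post above against the AT&T required-port table from the opening post, reporting required flows that no rule permits and rules that allow any remote host where the table lists specific addresses. The two transcribed tables are taken from the posts; the SERVICE_PORTS and HOST_GROUPS mappings are assumptions about what the named XG service and host objects contain (the dump shows only their names), and are exactly the objects a reviewer would open in the XG GUI to confirm. Run against the page's data it reports the two non-US bandwidth-test hosts that the "Netgate - Bandwidth" rule does not list, and flags the ICMP rule (any host, any zone) as wider than the monitoring requirement.

```python
"""Audit the XG rules above against the AT&T required-port table.

Added example; not code from the thread, Sophos or AT&T. REQUIRED and XG_RULES
are transcribed from the posts. SERVICE_PORTS and HOST_GROUPS are ASSUMPTIONS
about what the named XG service and host objects contain.
"""
import ipaddress

ANY = "any"
STP_HOSTS = ("208.66.175.36 207.200.81.113 206.246.118.250 198.60.73.8 192.43.244.18 "
             "173.14.47.149 132.163.4.103 132.163.4.102 132.163.4.101 131.107.13.100 "
             "129.6.15.29 129.6.15.28 128.138.188.172 128.138.140.44 69.25.96.13 68.216.79.113 "
             "64.236.96.53 64.147.116.229 64.125.78.85 64.113.32.5 64.90.182.55").split()
MON_HOSTS = ["129.37.4.131", "129.37.4.71", "165.172.132.76", "32.112.12.83", "32.112.12.51"]
RIG_HOSTS = ["204.146.172.225", "204.146.166.105", "204.146.172.226",
             "204.146.219.1", "204.146.172.230", "204.146.166.107"]
FTP_HOSTS = ["165.87.194.246", "165.87.194.243"]
RAP_HOSTS = ["144.160.245.70", "129.37.0.113"]        # 32.97.118.242 is listed as removed
BW_HOSTS = ["12.67.1.68", "32.114.25.44", "32.112.48.164"]
MGMT, GATEWAY = ["129.37.4.0/24"], ["10.255.168.2"]   # the VPN gateway's DMZ address

# (protocol, port or ICMP type, direction as seen from the gateway, remote addresses)
REQUIRED = [
    ("esp", None, "in", ANY), ("esp", None, "out", ANY),
    ("tcp", 9, "out", BW_HOSTS), ("udp", 9, "out", BW_HOSTS),
    ("tcp", 13, "in", STP_HOSTS), ("tcp", 13, "out", STP_HOSTS),
    ("icmp", 20, "out", MON_HOSTS), ("icmp", 21, "in", MON_HOSTS),
    ("tcp", 20, "in", FTP_HOSTS), ("tcp", 21, "out", FTP_HOSTS),
    ("tcp", 22, "in", MGMT), ("udp", 53, "out", ANY),   # table names no DNS address
    ("tcp", 443, "in", MGMT), ("udp", 500, "in", ANY), ("udp", 500, "out", ANY),
    ("udp", 4500, "in", ANY), ("udp", 4500, "out", ANY), ("tcp", 5080, "out", RIG_HOSTS),
    ("udp", 5081, "in", RIG_HOSTS), ("udp", 5081, "out", RIG_HOSTS), ("tcp", 8080, "in", MGMT),
    ("tcp", 9920, "in", RAP_HOSTS), ("tcp", 9920, "out", RAP_HOSTS),
]
# ASSUMED: built-in XG service names carry their standard ports, custom ones the AT&T ports.
SERVICE_PORTS = {
    "ICMP": [("icmp", None)], "ESP": [("esp", None)], "discard": [("tcp", 9), ("udp", 9)],
    "daytime": [("tcp", 13)], "type20": [("icmp", 20)], "type21": [("icmp", 21)],
    "FTP": [("tcp", 21)], "ftp-data": [("tcp", 20)], "DNS": [("udp", 53), ("tcp", 53)],
    "HTTPS": [("tcp", 443)], "SSH": [("tcp", 22)], "HTTP-8080": [("tcp", 8080)],
    "isakmp": [("udp", 500)], "nat-t": [("udp", 4500)],
    "RIG/SVCMGR - Auth": [("tcp", 5080)], "RIG Query": [("udp", 5081)],
    "Netgate remote access rep...": [("tcp", 9920)],   # name exactly as truncated in the dump
}
# ASSUMED: the host objects/groups named in the dump resolve to the AT&T addresses.
HOST_GROUPS = {
    "Any Host": ANY, "Netgate": GATEWAY, "12.67.1.68": ["12.67.1.68"], "STP hosts": STP_HOSTS,
    "Netgate monitoring hosts": MON_HOSTS, "Netgate FTP hosts": FTP_HOSTS,
    "Netgate remote management": MGMT, "Netgate RIG hosts": RIG_HOSTS,
    "Netgate remote access repository": RAP_HOSTS,
}
# (name, source zones, source hosts, destination zones, destination hosts, services);
# "Any Live User", "Accept" and the zero byte counters are identical on every rule and omitted.
XG_RULES = [
    ("ICMP", {"LAN", "DMZ"}, "Any Host", {"Any Zone"}, "Any Host", ("ICMP",)),
    ("Netgate - ESP out", {"DMZ"}, "Netgate", {"WAN"}, "Any Host", ("ESP",)),
    ("Netgate - ESP in", {"WAN"}, "Any Host", {"DMZ"}, "Netgate", ("ESP",)),
    ("Netgate - Bandwidth", {"DMZ"}, "Netgate", {"WAN"}, "12.67.1.68", ("discard",)),
    ("Netgate - Daytime out", {"DMZ"}, "Netgate", {"WAN"}, "STP hosts", ("daytime",)),
    ("Netgate - daytime in", {"WAN"}, "STP hosts", {"DMZ"}, "Netgate", ("daytime",)),
    ("Netgate - monitoring out", {"DMZ"}, "Netgate", {"WAN"}, "Netgate monitoring hosts", ("type20",)),
    ("Netgate - monitoring in", {"WAN"}, "Netgate monitoring hosts", {"DMZ"}, "Netgate", ("type21",)),
    ("Netgate - FTP", {"DMZ"}, "Netgate", {"WAN"}, "Netgate FTP hosts", ("FTP",)),
    ("Netgate - FTP data", {"WAN"}, "Netgate FTP hosts", {"DMZ"}, "Netgate", ("ftp-data",)),
    ("Netgate - DNS", {"DMZ"}, "Netgate", {"WAN"}, "Any Host", ("DNS",)),
    ("Netgate - Remote Management", {"WAN"}, "Netgate remote management", {"DMZ"}, "Netgate",
     ("HTTPS", "SSH", "HTTP-8080")),
    ("Netgate - isakmp out", {"DMZ"}, "Netgate", {"WAN"}, "Any Host", ("isakmp", "nat-t")),
    ("Netgate - isakmp in", {"WAN"}, "Any Host", {"DMZ"}, "Netgate", ("isakmp", "nat-t")),
    ("Netgate - RIG out", {"DMZ"}, "Netgate", {"WAN"}, "Netgate RIG hosts", ("RIG/SVCMGR - Auth", "RIG Query")),
    ("Netgate - RIG in", {"WAN"}, "Netgate RIG hosts", {"DMZ"}, "Netgate", ("RIG Query",)),
    ("Netgate - RAP out", {"DMZ"}, "Netgate", {"WAN"}, "Netgate remote access repository",
     ("Netgate remote access rep...",)),
    ("Netgate - RAP in", {"WAN"}, "Netgate remote access repository", {"DMZ"}, "Netgate",
     ("Netgate remote access rep...",)),
]


def _covers(hosts, wanted):
    """True when every address in `wanted` lies inside the rule's host set (CIDR-aware)."""
    if hosts == ANY:
        return True
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return all(any(ipaddress.ip_network(w).subnet_of(n) for n in nets) for w in wanted)


def _allows(services, proto, port):
    """True when one of the rule's services includes proto/port (None = any port or type)."""
    return any(p == proto and n in (None, port) for s in services for p, n in SERVICE_PORTS[s])


def rules_for(proto, port, direction):
    """Rules whose zones, gateway-side host and service match one requirement;
    returns (rule name, remote host set) pairs."""
    hits = []
    for name, src_zones, src, dst_zones, dst, services in XG_RULES:
        if direction == "out":   # gateway in the DMZ talking to the WAN
            zones, local, remote = (("DMZ", src_zones), ("WAN", dst_zones)), src, dst
        else:                    # a WAN host talking to the gateway in the DMZ
            zones, local, remote = (("WAN", src_zones), ("DMZ", dst_zones)), dst, src
        if (all(z in zs or "Any Zone" in zs for z, zs in zones)
                and _covers(HOST_GROUPS[local], GATEWAY) and _allows(services, proto, port)):
            hits.append((name, HOST_GROUPS[remote]))
    return hits


def audit():
    """Return (uncovered, broad): required flows no rule permits, and rules that
    permit any remote host where the table lists specific addresses."""
    uncovered, broad = [], set()
    for proto, port, direction, hosts in REQUIRED:
        hits = rules_for(proto, port, direction)
        label = f"{direction} {proto}/{port or 'any'}"
        if not hits:
            uncovered.append(f"{label} (no rule)")
        elif hosts != ANY:
            uncovered += [f"{label} to {h}" for h in hosts
                          if not any(_covers(remote, [h]) for _, remote in hits)]
            broad.update(name for name, remote in hits if remote == ANY)
    return uncovered, sorted(broad)
```

The zone test is deliberately simple: a rule matches a required flow only if the gateway's own host object sits on the DMZ side and the service object carries the port. Because "Any Live User" is on every rule it plays no part, and the action is always Accept, so the only things the audit can disagree with are zones, hosts and services, which is where the object contents assumed in SERVICE_PORTS and HOST_GROUPS need to be checked against the real XG objects.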
     
  • Andrew,

    Long list of things. At which step are you stuck? DMZ and WAN are sharing the same network/subnet.

    Let us know.

    Thanks

  • Sorry that I wasn't clear; the VPN gateway could not communicate onto the internet, nor could I ping the DMZ interface on the XG from it (or vice-versa).  The netgate would not attempt to connect since it could not contact the gateway.

    So, to start with, I need to be able to troubleshoot the connectivity between the XG and the VPN gateway.  When I plugged the gateway into the XG, the interface status changed and negotiated to 1000/full, which was expected.  But no pings.  I double-checked the interface configurations as well...

    What's the best way to go about troubleshooting this?