
Unable to route traffic from Sophos XG in Azure to Internet or VPN

I have a Sophos XG Virtual Appliance in Azure. I am unable to route Internet traffic from my Windows VM in Azure.

I also have an on-prem XG 230 with a VPN established to the Sophos XG in Azure. My laptop can reach the Windows VMs fine. Once RDP'd, I'm unable to ping from the VM to the outside world or over the VPN to my on-prem local network. My Windows VM can ping another Windows VM in Azure fine. It's also able to ping the XG Virtual Appliance fine.

My Azure config looks like this:

Virtual network 10.10.0.0/16

Subnets:

Default 10.10.0.0/24 - used for Port B of XG

LAN 10.10.1.0/24 - used for Port A of XG

Servers: 10.10.10.0/24 - used for Windows VMs.

I have a route 10.10.10.0/24 to virtual appliance 10.10.1.10 (XG port A) assigned to subnet "Servers".

Any help would be appreciated.


Also - packet capture of XG Virtual Appliance shows Violation - Incoming_Traffic. Ports 65001,650...



  • Have you configured firewall rules between your LAN and VPN zones at both ends?

  • DavidOkeyode said:
    Have you configured firewall rules between your LAN and VPN zones at both ends?

    I got it working. Needed to add a route on the XG to talk back to Azure VNet.

  • Can you convey what you did specifically?

  • erickasper said:

    Can you convey what you did specifically?


    Originally in Azure, I had the routes as (ex) 10.0.5.0/24 to Virtual Appliance 10.0.1.4. While it allowed my VMs to reach the XG, it didn't pass Internet traffic through it. So I had to change the 10.0.5.0/24 to 0.0.0.0/0 and force-route all traffic to the XG. This got my VMs working, but my on-premises network wouldn't work.

    So I had to set up a route in XG in Azure to point back to the subnet 10.0.5.0/24. The reason being, my XG only had 3 NICs, WAN 10.0.0.0/24, LAN 10.0.1.0/24, and DMZ 10.0.2.0/24, but I had additional subnets that weren't defined in XG. Since Azure doesn't support VLANs, there was no way for me to add these extra networks otherwise.

  • Thanks for the superfast reply. I understand the whys, just asking what you did and how you set up a route on the XG to point to your 10.0.5.0/24 subnet. Did you just add a static route to the LAN interface with no gateway?

  • erickasper said:

    Thanks for the superfast reply. I understand the whys, just asking what you did and how you set up a route on the XG to point to your 10.0.5.0/24 subnet. Did you just add a static route to the LAN interface with no gateway?


    In XG (on Azure), go to Configure -> Routing -> Static Routing -> IPv4 Unicast Route -> Add

    Enter the Destination IP (subnet in Azure), select the interface (LAN), and enter your gateway. I left Distance at 0.

  • That's what I am asking :) What are you using as your gateway on the LAN side?

  • erickasper said:

    That's what I am asking :) What are you using as your gateway on the LAN side?


    It's the gateway that Azure itself uses for your interface on XG.


    So if your XG has

    LAN - 10.0.1.0/24 and it's using IP 10.0.1.4

    DMZ - 10.0.2.0/24 and it's using IP 10.0.2.4

    And you have a 10.0.5.0/24 network that needs to reach the LAN, you'd do

    DEST: 10.0.5.0 255.255.255.0

    GW: 10.0.1.1

    Int: Port B, 10.0.1.1


    If you want that subnet to reach DMZ, you'd do

    DEST: 10.0.5.0 255.255.255.0

    GW: 10.0.2.1

    Int: Port C, 10.0.2.1


    Edit:

    Basically, Azure is doing all the network communication, so I had to figure out how the XG can pass/route the packets to and from the Azure VNet.

    I'm not a network engineer but have some knowledge of how networks and subnets work. Unfortunately, Sophos support wasn't able to help me at all with this, so it was more time-consuming to get it working. Maybe the three people I called weren't familiar, but then again, they should have a dedicated Azure/AWS team to pass the call to.
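  An added example (not from this thread, Sophos, or Microsoft): a small Python helper that derives the XG static-route entries the thread arrives at (destination, netmask, the Azure .1 gateway of the chosen interface) and checks an Azure route table for the 0.0.0.0/0 -> virtual appliance entry erickasper needed. The interface names, the dict keys used for the constructed route table (modelled on ARM's addressPrefix/nextHopType/nextHopIpAddress), and the sample addresses are assumptions taken from the thread's examples.

```python
"""Added example: derive XG static routes for Azure subnets that have no XG
interface, and check the Azure UDR for the default route to the appliance.
All addresses are the thread's sample values, not a real deployment."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class XgInterface:
    name: str     # XG interface name, e.g. "Port B" (assumed naming)
    address: str  # XG's own address on that Azure subnet, e.g. "10.0.1.4/24"


def azure_gateway(interface_cidr: str) -> str:
    """Azure reserves the first usable host of each subnet as the default
    gateway, which is the .1 address the thread ended up using."""
    net = ipaddress.ip_interface(interface_cidr).network
    return str(net.network_address + 1)


def xg_static_route(dest: str, via: XgInterface) -> dict:
    """One IPv4 unicast route entry (Configure -> Routing -> Static Routing):
    reach `dest` through the Azure gateway of the interface `via`."""
    net = ipaddress.ip_network(dest, strict=True)
    return {
        "destination": str(net.network_address),
        "netmask": str(net.netmask),
        "gateway": azure_gateway(via.address),
        "interface": via.name,
        "distance": 0,
    }


def udr_findings(routes: list, xg_lan_ip: str) -> list:
    """Check a route table (constructed ARM-style dicts) for the mistake in
    the thread: a per-subnet route to the appliance only lets VMs reach the
    XG; Internet/VPN traffic needs 0.0.0.0/0 -> VirtualAppliance (XG LAN)."""
    findings = []
    default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        findings.append("no 0.0.0.0/0 route: Internet/VPN traffic bypasses the XG")
    for r in default:
        if r["nextHopType"] != "VirtualAppliance":
            findings.append("0.0.0.0/0 next hop type is not VirtualAppliance")
        elif r.get("nextHopIpAddress") != xg_lan_ip:
            findings.append(f"0.0.0.0/0 next hop {r.get('nextHopIpAddress')} "
                            f"is not the XG LAN address {xg_lan_ip}")
    return findings


if __name__ == "__main__":
    print(xg_static_route("10.0.5.0/24", XgInterface("Port B", "10.0.1.4/24")))
```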

  • Perfect! I was missing what the gateway actually was (.1).

  • erickasper said:

    Perfect! I was missing what the gateway actually was (.1).


    Yup, Sophos needs better docs on how to deploy XG in Azure.

  • I have a similar networking condition in Azure and believe I could be close based on what I am reading. As it stands, I can ping/access web admin from the Azure VM but not the reverse, meaning I cannot ping the Azure VM from the XG. Packet capture shows the ICMP traffic exiting Port B (and not Port A). This is my configuration. (Azure support has been more helpful than Sophos.)

    Azure virtual network

    10.2.0.0/24

    Subnets

    Port B 10.1.0.0/24

    Port A 10.1.1.0/24

    Servers 10.1.2.0/24

    1 VM 10.1.2.4


    Static Route

    Dest. 10.1.2.0

    Gateway 10.1.1.1

    Interface Port A - 10.1.1.4

    Distance: 0


    I went so far as to try adjusting the route precedence in the XG so that Static Routes are 1, but even that failed.


    Goal: Have all traffic (in/out) route and protect the VM. SSL VPN then RDP, etc.


    Any help would be appreciated!

  • Have you configured your UDRs and NSGs correctly? Please refer to this video - www.youtube.com/watch
