
RED site to site (XG 135 to XG 330) with FULL tunnel

I am looking to set up a RED site to site (XG 135 to XG 330) with FULL tunnel.  I found instructions for doing this on a UTM:

https://community.sophos.com/kb/en-us/120263

However, I cannot figure out how to do this on the XG.

RED on Client (192.168.88.0/24):

FW rules on RED Client:


RED on Server (xxx.yyy.151.0/24):

FW Rules on RED Server:

If I set up RED/static routes per:

https://community.sophos.com/kb/en-us/125101

I can ping/tracert from the Client network to the Server network over the tunnel; however, pings/tracert to other networks are not routed thru the tunnel.

Also, ping/tracert from the Server network to the Client network fail at the XG.  I can ping the XG; however, pings to nodes on the client network fail.

Also ping/tracert from other networks to client/XG network fail.

Thanks,

Daniel



  • Luk,

    Thank you for the assist.

    I have my set up configured that way.

    I can:

    ping the Client XG from the Server network.

    ping nodes on the Server XG from the Client network.

    Trace route to nodes on the Server XG network thru the tunnel.

    I cannot:

    ping nodes on the Client XG network from the Server XG network.

    Trace Route to nodes outside the Server XG network thru the tunnel.  The route is not thru the tunnel.

    What I am looking for is setting up the XG 135 to be like a RED 10/15/50 with the Operation Mode of "Standard/Unified" so that all traffic is routed thru the tunnel, not just networks specified in the "Static Routing" list.  And be able to communicate with the Client XG network from the Server XG network.

    Thanks,

    Daniel

  • Daniel,

    Did you try to add the 0.0.0.0/0.0.0.0 static route on the XG acting as Client? I am not sure XG will allow adding this route.

    , is the configuration Daniel is asking for achievable?

    Thanks

  • Luk,

    Yes I tried that and that breaks the connection.

    Pings to 192.168.30.10 (RED Server XG) & xxx.yyy.151.99 (node on Server XG) fail.

    Thanks,

    Daniel

  • Hi Luk,

    I have the same issue.

    After adding the static route 0.0.0.0/0 on the client site XG,

    I can go out through the Server site with the RED tunnel.

    But it only works for a few seconds, and then the 0.0.0.0/0 static route breaks the RED tunnel; client site users can't go anywhere...

    I already opened a case (ID: 7799882); hope the support team can help me verify if it is possible to set up a RED full tunnel on XG.

    Shunze

  • Instead of setting a 0.0.0.0 route, why not create a gateway for the RED interface.

    Then you can simply write a rule to force all traffic destined for WAN zone out that gateway.  I use XG appliances at branches in this manner to force all traffic out the central firewall (similar to a RED std/unified).

    Daniel,

    What do your routes look like?  The concept is pretty simple in that we set up our zones, RED interfaces, firewall rules, and routes.  If traffic isn't flowing in one direction or the other, it's usually from a route or firewall rule.

    Thanks,

    John

  • Hi John,

    After creating a policy route to replace the 0.0.0.0/0 static route, it works~

    Thank you~
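As an added illustration (not code from the thread or from Sophos), the small routing model below shows why Shunze's 0.0.0.0/0 static route into the RED interface can break the tunnel and why John's policy-route approach does not. It assumes the RED tunnel is encapsulated traffic from the client XG's own WAN address to the server's public address, and models the XG policy route as "LAN-sourced traffic to non-local destinations goes to the RED gateway"; all public addresses are placeholders and the server LAN stands in for xxx.yyy.151.0/24.

```python
import ipaddress

# Constructed model of the branch (client) XG from the thread. Not Sophos code.
LAN = ipaddress.ip_network("192.168.88.0/24")            # client LAN (from the thread)
SERVER_LAN = ipaddress.ip_network("10.0.151.0/24")       # placeholder for xxx.yyy.151.0/24
SERVER_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")  # RED server WAN address, placeholder
CLIENT_WAN_IP = ipaddress.ip_address("198.51.100.5")     # client XG WAN address, placeholder
ANY = ipaddress.ip_network("0.0.0.0/0")

def lookup(static_routes, dst):
    """Longest-prefix match over (network, next_hop) entries of a static table."""
    best = None
    for net, hop in static_routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def egress(static_routes, policy_routes, src, dst):
    """Policy routes match on source first (assumption: LAN-sourced, non-local
    destination); the firewall's own packets never match them and fall through
    to the static table, which is the behaviour the fix relies on."""
    for src_net, hop in policy_routes:
        if src in src_net and dst not in LAN and dst not in SERVER_LAN:
            return hop
    return lookup(static_routes, dst)

# Shunze's configuration: a 0.0.0.0/0 static route pointing into the RED interface.
BROKEN = [(LAN, "lan"), (SERVER_LAN, "red"), (ANY, "red")]
# John's suggestion: keep the ISP default route, give RED a gateway, add a policy route.
FIXED = [(LAN, "lan"), (SERVER_LAN, "red"), (ANY, "isp")]
POLICY = [(LAN, "red")]  # LAN-sourced traffic for the WAN zone -> RED gateway

def tunnel_underlay_egress(static_routes, policy_routes):
    """Where the XG sends the RED tunnel's own encapsulated packets."""
    return egress(static_routes, policy_routes, CLIENT_WAN_IP, SERVER_PUBLIC_IP)

def lan_internet_egress(static_routes, policy_routes):
    """Where a LAN user's internet-bound packet goes (constructed addresses)."""
    return egress(static_routes, policy_routes,
                  ipaddress.ip_address("192.168.88.20"), ipaddress.ip_address("192.0.2.50"))

if __name__ == "__main__":
    print(tunnel_underlay_egress(BROKEN, []))     # red -> tunnel packets sent into the tunnel itself
    print(lan_internet_egress(BROKEN, []))        # red
    print(tunnel_underlay_egress(FIXED, POLICY))  # isp -> tunnel underlay still reaches the server
    print(lan_internet_egress(FIXED, POLICY))     # red -> LAN users get the full tunnel
```

With the static default route, the tunnel's own packets to the server's public address match 0.0.0.0/0 and are routed back into the tunnel, which is consistent with the tunnel dropping shortly after the route is added; the policy route only affects LAN-sourced traffic, so the underlay keeps using the ISP path.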