Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 11450 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Azure XG can't route to Azure VM

TimAlbertson

I have networking condition in Azure and believe I could be close based on what I've been reading. As it stands, I can ping/access the Sophos Azure XG from the Azure VM but not the reverse. Meaning I cannot ping the Azure VM from the XG. Packet cap shows the ICMP traffic exiting Port B (and not Port A). This is my configuration. (Azure support has been more helpful than Sophos)

Azure virtual network

10.2.0.0/24

Subnets

Port B 10.1.0.0/24

Port A 10.1.1.0/24

Servers 10.1.2.0/24

1 VM 10.1.2.4

 

Static Route

Dest. 10.1.2.0

Gateway 10.1.1.1

Interface Port A - 10.1.1.4

Distance: 0

 

I had trouble adjusting route precedence in the XG so that Static Routes are 1.

 

Goal: Have all traffic (in/out) route and protect the VM. SSL VPN then RDP, etc.

 

Any help would be appreciated!



This thread was automatically locked due to age.
Parents
  • 0

    I am having the same problem. Traffic from the VPN to the LAN is fine but trying to access or ping a VM on Azure from LAN fails. It seems to me there is a route missing and I am not sure of the proper way to add it. They way Sophos handles static routes is a bit confusing with their requirements.

  • 0 in reply to MSD Admin

    Hi MSD admin,

    Routing for Azure isn't too hard, but it can be a bit unintuitive.

    You'll want to start by adding a static route on the XG Firewall that points the destination subnet of your traffic (even if it is inside the same vNet) at the gateway IP in the XG's LAN adapter network range (by default Azure assigns the .1 address for the gateway).

    Next, you'll need to make sure the destination network knows how to reach the subnet used by your VPN clients.
    So you'll need to create a User Defined Route table in Azure, associate your destination subnet with it and then add a route that points traffic destined for the subnet used by your VPN clients at a virtual appliance - with the XG Firewall's LAN IP as the next hop.

    From there, all that's left to do is create a firewall rule that allows the traffic (between the VPN zone and the LAN zone).

    You can find a tutorial on how to create a UDR here: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal 

Reply
  • 0 in reply to MSD Admin

    Hi MSD admin,

    Routing for Azure isn't too hard, but it can be a bit unintuitive.

    You'll want to start by adding a static route on the XG Firewall that points the destination subnet of your traffic (even if it is inside the same vNet) at the gateway IP in the XG's LAN adapter network range (by default Azure assigns the .1 address for the gateway).

    Next, you'll need to make sure the destination network knows how to reach the subnet used by your VPN clients.
    So you'll need to create a User Defined Route table in Azure, associate your destination subnet with it and then add a route that points traffic destined for the subnet used by your VPN clients at a virtual appliance - with the XG Firewall's LAN IP as the next hop.

    From there, all that's left to do is create a firewall rule that allows the traffic (between the VPN zone and the LAN zone).

    You can find a tutorial on how to create a UDR here: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal 

Children
No Data
Cookie Information Banner