
S2S Sophos XG to Cisco ASA unable to resolve host URLs

Dear Support,

New Guy here with Sophos solutions, hopefully you can help with this issue.

For a few weeks now I have been trying to figure out why I cannot reach some URLs after successfully setting up a S2S IPsec tunnel between two different companies.

The S2S tunnel is up and running, the local service ACL is enabled for the VPN zone (DNS), and the VPN firewall rules for the connection have also been troubleshot successfully, but I am still not able to reach the intended URLs over the connection.

Device: XG230 (SFOS 18.0.5 MR-5-Build586)

Policy Test Result:

Connection test at 16:27:37 Thursday
Destination: http://160.50.254.138 (160.50.254.138, port 80, TCP)
Source IP: 10.105.32.11
Source zone: Auto-detection
User: unauthenticated
Firewall rule: Outbound_Site_to_Site_VPN_Rule (ID: 8) Accept
Web proxy: not used
Result: Accepted

Log Viewer (Firewall):

2022-11-03 16:28:17  Firewall Rule  Allowed  11  0  Port3.210 -> Port1  10.105.32.10:50758 -> 192.168.2.152:81  TCP
Additionally, I tried NAT rules, static routes and an SD-WAN route, also with no success.
I strongly suspect that I have overlooked some configuration that may be missing; please let me know if you require any other information.
Thank you in advance,
Rafael.


  • Your policy test and log viewer show different sources, destinations and services ...

    Please tell us, which device is unable to reach which service at which other device.

    A short network sketch containing ip addresses would be helpful.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks Dirk for the quick support and response.

    See a high level diagram from what we want to reach:

    Sophos peer address: 87.139.221.216     Cisco peer address: 68.115.224.6

    Source address Sophos: 145.12.130.10 (NATed)   Destination address: 170.34.92.20

    Note: I am reaching 170.34.92.20 without issues; it shows a Citrix Gateway website.

    Then I would like to reach these sites, which I suppose are behind 170.34.92.20:

    • 160.50.254.138

    • 160.50.77.108

    • 10.8.16.167

    Packet Capture Log:

    2022-11-03 11:02:47  Port3.210 -> ipsec0  IPv4  10.105.32.11 -> 160.50.254.138  ICMP  --  0  8  Forwarded  VPN tunnel traffic  UNREPLIED  No category  0  No application  No category  15798592

    10.105.32.10 is my laptop IP, so local LAN.

    I will send you a proper diagram and a couple of screenshots from S2S config, as requested by tomorrow.

    Best regards,

    Rafael.

  • More details may help to correct my confusion...

    .... Your laptop (10.105.32.10) is not placed within the networks listed above

    ... What do you mean by "reach these sites, I suppose behind 170.34.92.20"? Where are these networks placed in the routing structure?


    Dirk

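One way to turn Dirk's question (which networks does the tunnel actually carry, and where does the laptop sit?) into a repeatable check, as an added example that is not from the thread, from Sophos or from Cisco: a small Python script that tests whether a flow's post-NAT source and its destination fall inside an IPsec tunnel's Phase 2 traffic selectors. The selector networks 145.12.130.10/32 and 170.34.92.20/32, the laptop addresses and the NAT are assumptions built from the addresses posted above; the real XG230 and ASA configuration is not shown in the thread.

```python
#!/usr/bin/env python3
"""Added example, not from the Sophos thread: check whether a flow is carried
by a site-to-site IPsec tunnel, i.e. whether its (post-NAT) source and its
destination fall inside the Phase 2 traffic selectors.

ASSUMPTION: the selector networks below are built from the addresses posted
in the thread (145.12.130.10 as the NATed local address, 170.34.92.20 as the
remote host). The real XG / ASA configuration is not shown on the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Tunnel:
    name: str
    local_nets: List[str]    # local (left) Phase 2 selectors, as CIDR strings
    remote_nets: List[str]   # remote (right) Phase 2 selectors


@dataclass
class Flow:
    src: str                       # source address as seen on the LAN interface
    dst: str
    nat_src: Optional[str] = None  # source after outbound NAT, if a NAT rule applies


def _in_any(addr: str, nets: List[str]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)


def check_flow(tunnel: Tunnel, flow: Flow) -> Dict[str, object]:
    """Explain whether `flow` matches `tunnel`'s selectors and, if not, why."""
    effective_src = flow.nat_src or flow.src
    src_ok = _in_any(effective_src, tunnel.local_nets)
    dst_ok = _in_any(flow.dst, tunnel.remote_nets)
    reasons: List[str] = []
    if not src_ok:
        reasons.append(
            f"source {effective_src} is outside local selectors {tunnel.local_nets}")
        if flow.nat_src and _in_any(flow.src, tunnel.local_nets):
            # The NAT rule is masking a source that would otherwise match.
            reasons.append(
                f"pre-NAT source {flow.src} would have matched: the NAT rule "
                "rewrites it to an address the tunnel does not carry")
    if not dst_ok:
        reasons.append(
            f"destination {flow.dst} is outside remote selectors {tunnel.remote_nets}: "
            "it is handled by the normal routing table, not sent into the tunnel")
    return {"matches": src_ok and dst_ok,
            "effective_src": effective_src,
            "reasons": reasons}


# Constructed sample data using the thread's addresses; the selectors are assumed.
TUNNEL = Tunnel(
    name="XG230-to-ASA",
    local_nets=["145.12.130.10/32"],
    remote_nets=["170.34.92.20/32"],
)

SAMPLE_FLOWS = [
    Flow("10.105.32.10", "170.34.92.20", nat_src="145.12.130.10"),   # works per the post
    Flow("10.105.32.11", "160.50.254.138", nat_src="145.12.130.10"), # policy-test target
    Flow("10.105.32.10", "170.34.92.20"),                             # same host, NAT missing
]


def report(tunnel: Tunnel, flows: List[Flow]) -> List[str]:
    """One verdict line per flow, followed by an indented line per reason."""
    lines: List[str] = []
    for f in flows:
        r = check_flow(tunnel, f)
        verdict = "IN TUNNEL" if r["matches"] else "NOT IN TUNNEL"
        lines.append(f"{f.src} -> {f.dst} (as {r['effective_src']}): {verdict}")
        lines.extend(f"    - {why}" for why in r["reasons"])
    return lines


if __name__ == "__main__":
    print("\n".join(report(TUNNEL, SAMPLE_FLOWS)))
```

A flow this check rejects is never encrypted into ipsec0 at all, whatever the firewall rule says. A flow it accepts can still fail if the peer's selectors are not the mirror image of these, or if the peer cannot route the destination behind it; in that case the packet is encapsulated and forwarded on ipsec0 but no reply ever comes back, which is the UNREPLIED pattern in the packet capture above. Running the same comparison against the ASA's crypto map / VPN filter definition is the natural next step.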