IPsec VPN site-to-site is active, services set to ANY, but the end computers on both sides cannot ping each other (SG - XG)

Hi Sophos Community

Good Day

This is the scenario:

SG is the branch office and XG is the HQ.

The tunnel between SG and XG is active, but you cannot ping any of the end computers on either side. On both sides the firewall rule SERVICES are set to ANY.

On the SG firewall, please refer to the screenshot.

Under the XG firewall, please refer to this screenshot.

  • Kunkka, You're close...

    I'm not familiar with XG, so my specific instructions will concern only WebAdmin and the UTM. Having said that, your configuration looks correct for the XG side of the tunnel.

    If you want all members of "Internal (Network)" to be able to reach the two IPs behind the XG, DO NOT select 'Strict routing' in the IPsec Connection. You also will need a NAT rule:

    SNAT : Internal (Network) -> Any -> {Group with two remote hosts} : from {192.168.254.100}

    From your explanation, it doesn't sound like you need/want a similar rule in the XG

    Note that the "Any" Service only includes TCP and UDP. It does NOT include any other IP protocols. I don't know if the same is true in the XG.

    Pinging is regulated on the 'ICMP' tab of 'Firewall'.  If you still see a ping blocked in the firewall log, you will need to make an Allow rule using the "Ping" service object.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
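The reply above names two separate reasons a ping can fail even though the tunnel is up: the "Any" service object covering only TCP and UDP, and the SA selectors admitting only 192.168.254.100 rather than the whole Internal (Network), which is what the SNAT rule works around. The following is an added example, not code from the thread or from Sophos, that walks a constructed packet through those checks (filter, then SNAT, then IPsec selector match, in that assumed order) so the two failure modes can be told apart. The XG-side hosts and the SG-side host are the addresses given in the thread; the 192.168.254.0/24 prefix for Internal (Network), the rule names and the processing order are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example. The two XG-side hosts and the
# SG-side host 192.168.254.100 are the ones named in the thread; the
# "Internal (Network)" prefix 192.168.254.0/24 is an assumption.
INTERNAL_NET = ipaddress.ip_network("192.168.254.0/24")
SNAT_SOURCE = ipaddress.ip_address("192.168.254.100")
XG_HOSTS = [ipaddress.ip_network("10.10.11.71/32"),
            ipaddress.ip_network("192.168.100.2/32")]
# IPsec traffic selectors on the SG side: only the single host is local.
TUNNEL_LOCAL = [ipaddress.ip_network("192.168.254.100/32")]
TUNNEL_REMOTE = XG_HOSTS

# Service objects as Bob describes them for the UTM: "Any" is TCP and UDP
# only; ICMP echo needs the separate "Ping" object.
SERVICES = {"Any": {"tcp", "udp"}, "Ping": {"icmp"}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class FirewallRule:
    sources: tuple       # networks the source address must be inside
    service: str         # key into SERVICES
    destinations: tuple  # networks the destination address must be inside


def _inside(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def firewall_allows(pkt, rules):
    """True if any rule matches source, service (protocol) and destination."""
    return any(_inside(pkt.src, r.sources)
               and pkt.proto in SERVICES[r.service]
               and _inside(pkt.dst, r.destinations)
               for r in rules)


def snat_to_tunnel_host(pkt):
    """Bob's SNAT rule: Internal (Network) -> Any -> {XG hosts}, from 192.168.254.100."""
    if _inside(pkt.src, [INTERNAL_NET]) and _inside(pkt.dst, XG_HOSTS):
        return Packet(str(SNAT_SOURCE), pkt.dst, pkt.proto)
    return pkt


def tunnel_selects(pkt):
    """IPsec only carries packets whose addresses fall inside the SA selectors."""
    return _inside(pkt.src, TUNNEL_LOCAL) and _inside(pkt.dst, TUNNEL_REMOTE)


def trace(pkt, rules, snat_enabled):
    """Walk a packet through filter -> SNAT -> selector match (assumed order).

    Returns (status, packet) where status is FIREWALL_DROP, NO_SELECTOR or
    TUNNELED and packet is the post-NAT packet when NAT applied.
    """
    if not firewall_allows(pkt, rules):
        return "FIREWALL_DROP", pkt
    if snat_enabled:
        pkt = snat_to_tunnel_host(pkt)
    if not tunnel_selects(pkt):
        return "NO_SELECTOR", pkt
    return "TUNNELED", pkt


# Rules as the thread describes them: Internal -> Any -> XG hosts, plus the
# Ping rule Bob says is needed because "Any" does not include ICMP.
ANY_RULE = FirewallRule((INTERNAL_NET,), "Any", tuple(XG_HOSTS))
PING_RULE = FirewallRule((INTERNAL_NET,), "Ping", tuple(XG_HOSTS))

if __name__ == "__main__":
    # A ping from an arbitrary internal workstation (constructed address).
    ping = Packet("192.168.254.50", "10.10.11.71", "icmp")
    print(trace(ping, [ANY_RULE], snat_enabled=False))             # FIREWALL_DROP
    print(trace(ping, [ANY_RULE, PING_RULE], snat_enabled=False))  # NO_SELECTOR
    print(trace(ping, [ANY_RULE, PING_RULE], snat_enabled=True))   # TUNNELED
```

Running it shows the progression the reply describes: with only the "Any" rule the ICMP packet is dropped by the filter; adding a "Ping" rule gets it past the filter but the source address is still outside the SA selector; only with the SNAT rule in place does it leave through the tunnel, now sourced from 192.168.254.100. A real host already at 192.168.254.100 needs no SNAT at all, which is why the rule translates to that address rather than to the public IP.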
  • Hi Sir BAlfson,

    Good day

    Can you help me determine which network objects to put in the SNAT rule under UTM 9?

    Matching condition

    For traffic from: 192.168.254.100
    Using service: any
    Going to: 10.10.11.71 and 192.168.100.2

    Action:

    Change the source to: 173.225.x.x
    And the service to: any

    Summary config

    XG Firewall

    Public IP: 119.93.x.x

    Local Hosts: 10.10.11.71 and 192.168.100.2

    SG Firewall

    Public IP: 173.225.x.x
    Local host: 192.168.254.100

    Thank you Sir

  • Everything looks correct except:

    Change the source to: 192.168.254.100

    (not 173.225.x.x)

    Cheers - Bob

  • Hi Sir BAlfson,

    Good Day

    For traffic from: 192.168.254.100

    is the same as

    Change the source to: 192.168.254.100

    PS
    Please accept my deepest thanks for accommodating my questions.
