Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 3048 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Policy routing issue with site-to-site VPN subnet

Davidk
I have a site to site VPN configured and functional

0.0.0.0/0=(ASG120) 208.106.32.100 to 67.121.249.3=10.242.5.0/24

All desired internal resources are accessible between the two sites and there are no issues with the VPN itself.

However, I also placed a policy route on the ASG120 to send all VPN traffic into the core network, including internet bound traffic so that it can go through our other appliances before exiting the network via a separate internet firewall.

Policy route as configured is:

Source: 10.242.0.0/16 going anywhere using any service, route to 172.16.10.1 (our internal router)

The observed behavior on the other hand, is that internet bound traffic from our VPN subnet (10.242.5.0/24) gets forwarded out the ASG120's default gateway directly and is not sent into the core network as desired. Is there something I'm missing to make the policy route work?


This thread was automatically locked due to age.
Parents
  • 0
    [;)] I meant the [Go Advanced] button beside the [Post Quick Reply] button below. [:)]

    OK, so the ASG only does firewall and VPN?  In that case, I think you should ask Astaro Support to take a look at your box.  You might try just a simple static gateway route: 0.0.0.0/0 -> 172.16.10.1.

    Wish I could be more help, but it sounds like what you did should work.

    Cheers - Bob
  • 0 in reply to BAlfson
    Thanks for your help.

    Now I get to go tell my government overlords that it was indeed stupid to stop paying random maintenance/support agreements in order to balance their budget. If they want this fixed then they will have to renew. [:)]
Reply
  • 0 in reply to BAlfson
    Thanks for your help.

    Now I get to go tell my government overlords that it was indeed stupid to stop paying random maintenance/support agreements in order to balance their budget. If they want this fixed then they will have to renew. [:)]
Children
No Data