This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Static route

Hi Everyone,

Does any know or have done configure static route for incoming 0.0.0.0 --> Internal from GUI or command without need to define every segment network that required access the internal network behind Sophos UTM.

Below is Sophos UTM deployment that I plan for customer, appreciate if you guys can advice or guide me to solve this issue. Thanks[:S]

Sophos UTM Deployment Network Information
1. HQ to Branch connection :
    -Telco lease line 512k

2.HQ (Palo Alto):
   -HQ Firewall  (WAN IP 10.81.201.30 GW 10.81.201.10)
   -Static route (Interface Route 0.0.0.0 GW10.81.201.10)

3.Branch (Sophos UTM220):
  -Branch Firewall (External IP 10.61.201.30 GW 10.61.201.10)(Internal IP 10.61.1.10)
  -Masquerading NAT (Internal -> External)
  -Firewall rule (ANY-ANY)

This thread was automatically locked due to age.

0 Azwan over 12 years ago in reply to BarryG

Hi All,

Sorry for late reply. I would like to post the logs however there is no incoming traffic from external only outgoing and that also confused me why there is no incoming traffic at all even after reset factory setting and reconfigured back the unit[:S].

Im still waiting for customer feedback if the leased line router have any routing that might cause the problem since HQ only have 1 firewall static routing (0.0.0.0--> branch) Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

Do you confirm that the sites are directly connected and that there is no VPN established between the Palo Alto and the UTM? Please [Go Advanced] below and attach a picture of your Interface definitions in the UTM.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Azwan over 12 years ago in reply to BAlfson

Hi Bob,

As requested. Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

Pinging is regulated on the 'ICMP' tab of 'Firewall'.

In your Firewall rule, delete both of the "Internet" objects, and just use one "Any" object.

You should not need any Static Routes. All traffic not in 192.168.0.0/24 or 10.61.1.0/24 will be routed to 10.61.201.10 by routing automatically created by WebAdmin.

Any different results?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Azwan over 12 years ago in reply to BAlfson

Hi Bob,

Nope....same results as mention on previous post even after factory reset and configure fw rule any2any still have same results
Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

If you didn't configure pinging on the 'ICMP' tab, then your test with pings will fail. What other test have you tried?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 12 years ago

Hi,
I'd recommend running tcpdump on each firewall to verify that the packets are leaving the HQ on the correct interface, and also see if they are arriving at the branch office's external interface.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Azwan over 12 years ago in reply to BarryG

Hi Bob,

all is enable in ICMP option but still failed.

Hi Barry,

Im still pending customer feedback to set schedule will run tcpdump on next visit will post the result.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

Does the Palo Alto have routes and firewall rules for 192.168.0.0/24 and 10.61.1.0/24, and are you certain that the Palo Alto doesn't already use one of those range for something else?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel