Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 2 subscribers
  • Views 43996 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Static route

Azwan
Hi Everyone,

Does any know or have done configure static route for incoming 0.0.0.0 --> Internal from GUI or command without need to define every segment network that required access the internal network behind Sophos UTM.

Below is Sophos UTM deployment that I plan for customer, appreciate if you guys can advice or guide me to solve this issue. Thanks[:S]

Sophos UTM Deployment Network Information
1. HQ to Branch connection :
    -Telco lease line 512k
 
2.HQ (Palo Alto):
   -HQ Firewall  (WAN IP 10.81.201.30 GW 10.81.201.10)
   -Static route (Interface Route 0.0.0.0 GW10.81.201.10)
 
3.Branch (Sophos UTM220):
  -Branch Firewall (External IP 10.61.201.30 GW 10.61.201.10)(Internal IP 10.61.1.10)
  -Masquerading NAT (Internal -> External)
  -Firewall rule (ANY-ANY)


This thread was automatically locked due to age.
  • 0 in reply to BarryG
    Hi All,

    Sorry for late reply. I would like to post the logs however there is no incoming traffic from external only outgoing and that also confused me why there is no incoming traffic at all even after reset factory setting and reconfigured back the unit[:S]. 

    Im still waiting for customer feedback if the leased line router have any routing that might cause the problem since HQ only have 1 firewall static routing (0.0.0.0--> branch) Thanks
  • 0
    Do you confirm that the sites are directly connected and that there is no VPN established between the Palo Alto and the UTM?  Please [Go Advanced] below and attach a picture of your Interface definitions in the UTM.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Pinging is regulated on the 'ICMP' tab of 'Firewall'.

    In your Firewall rule, delete both of the "Internet" objects, and just use one "Any" object.

    You should not need any Static Routes.  All traffic not in 192.168.0.0/24 or 10.61.1.0/24 will be routed to 10.61.201.10 by routing automatically created by WebAdmin.

    Any different results?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,

    Nope....same results as mention on previous post even after factory reset and configure fw rule any2any still have same results
    Thanks
  • 0
    If you didn't configure pinging on the 'ICMP' tab, then your test with pings will fail.  What other test have you tried?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi,
    I'd recommend running tcpdump on each firewall to verify that the packets are leaving the HQ on the correct interface, and also see if they are arriving at the branch office's external interface.

    Barry
  • 0 in reply to BarryG
    Hi Bob,

    all is enable in ICMP option but still failed.

    Hi Barry,

    Im still pending customer feedback to set schedule will run tcpdump on next visit will post the result.
  • 0
    Does the Palo Alto have routes and firewall rules for 192.168.0.0/24 and 10.61.1.0/24, and are you certain that the Palo Alto doesn't already use one of those range for something else?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner