We have a remote site connected to a hub, which is connected to another remote site. All are using Sophos UTM 110 and/or ASG220.
10.80.x.x is connected to 10.140.x.x via a RED tunnel, and 10.140.x.x is connected to 10.120.x.x via an IPsec tunnel.
Firewall rules automatically created.
10.80.x.x----RED------10.140.x.x---ipsec -----10.120.x.x
On the 10.120 network we have a Sophos that is running the mail filtering.
Users on the 10.80 network cannot get to the quarantine report.
When they try, they get a default FW rule block: 60001 10.80.x.x:52832 --> 10.120.x.x:3840
I can manage the 10.120.x.x Sophos from 10.80.x.x and can also ping it.
Also we have quite a few more "hubs" that go through 10.140.x.x to get to the Sophos Mail Manager on 10.120.x.x and they work just fine. This is the only one behaving like this, but it is also the only one using the RED protocol. Not sure why they are using the RED protocol for this site. I inherited this one.
I have read about the default rule 60001 ( https://www.sophos.com/en-us/support/knowledgebase/115029.aspx ) and understand that NAT comes first, then the VPN, then the FW rules. Still not sure where to go with this. If I need to add a NAT rule, I am not sure how to configure it, as I would be translating it to itself.
For giggles I added a specific FW rule to allow traffic inside 10.80.x.x using port 3840 going to 10.120.x.x. As expected, no change.
"The UTM cannot forward traffic that is sent to a Masqueraded WAN IP address unless it was requested by a client behind the UTM, or there is a NAT rule to redirect the traffic to an internal server (with the exception of services running on the UTM itself). " - All traffic is a client behind the UTM, and there are no NAT rules.
"Most of the time, fwrule="60001" means that you need to configure a NAT rule (likely DNAT), or review the configuration of your existing NAT because the packet is not matching the intended rule. " - We do not have any NAT rules.
Thanks in advance
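Added example, not part of the original post: a small parser that groups UTM packetfilter drops on the default rule 60001 by flow, so you can confirm exactly which site pair and port (here 10.80.x.x to 10.120.x.x on 3840) still matches no allow or NAT rule. The sample log lines are constructed in the key="value" style of the UTM packetfilter log; the addresses, interface names and timestamps are made up.

```python
import re
from ipaddress import ip_address, ip_network
from collections import Counter

# Constructed sample lines in the key="value" style of the UTM packetfilter log.
# Addresses, interface names and timestamps are made up for illustration.
SAMPLE_LOG = """\
2020:01:10-09:12:01 utm ulogd[5116]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="reds1" srcip="10.80.1.25" dstip="10.120.1.10" proto="6" srcport="52832" dstport="3840" tcpflags="SYN"
2020:01:10-09:12:04 utm ulogd[5116]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="reds1" srcip="10.80.1.25" dstip="10.120.1.10" proto="6" srcport="52833" dstport="3840" tcpflags="SYN"
2020:01:10-09:12:05 utm ulogd[5116]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="reds1" outitf="ipsec0" srcip="10.80.1.25" dstip="10.120.1.10" proto="1"
2020:01:10-09:12:09 utm ulogd[5116]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.140.2.7" dstip="10.120.1.10" proto="6" srcport="40000" dstport="3840" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key/value fields of one UTM-style log line as a dict."""
    return dict(KV_RE.findall(line))


def default_drop_flows(log_text, fwrule="60001"):
    """Count flows (srcip, dstip, proto, dstport) dropped by the given fwrule.

    Hits on 60001 are packets that matched no explicit allow rule (and no
    DNAT before it), so the grouping shows which flow still needs a rule."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") == "drop" and f.get("fwrule") == fwrule:
            flows[(f["srcip"], f["dstip"], f.get("proto"), f.get("dstport"))] += 1
    return flows


def drops_between(log_text, src_net, dst_net, fwrule="60001"):
    """Narrow the 60001 drops to one site pair, e.g. 10.80.0.0/16 -> 10.120.0.0/16."""
    src, dst = ip_network(src_net), ip_network(dst_net)
    return {flow: n for flow, n in default_drop_flows(log_text, fwrule).items()
            if ip_address(flow[0]) in src and ip_address(flow[1]) in dst}


if __name__ == "__main__":
    for (s, d, proto, port), n in drops_between(SAMPLE_LOG, "10.80.0.0/16", "10.120.0.0/16").items():
        print(f"{s} -> {d} proto={proto} dport={port}: {n} drop(s) on rule 60001")
```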