Trying to narrow down the issue - New Setup

Question

Recently deployed UTM9 on a VM (So I think its Astaro Gateway Software) 9.403-4 and was having issue contacting anything outside of the local network. The setup is as follows WAN->ASA 5500-> Sophos UTM->Default Gateway->Network. With this setup were just looking to use the Web Filtering and Endpoint Protection while keeping the ASA for packet filtering and network protection. In this line of thinking I created a rule in the firewall for any->any->any->allow. 
 When deployed over the weekend I saw traffic going into the inside interface and the external interface but was still having issues contacting anything outside our network. Looking at the firewall logs I'm seeing a ton of 60003 and some 60001(these just seem to deal with our internal DNS) like whats shown below. 
 2016:06:04-14:02:59 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="23.212.31.89" dstip="192.168.6.23" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57331" tcpflags="RST" 2016:06:04-14:02:59 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="173.252.88.163" dstip="192.168.4.108" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="52854" tcpflags="RST" 2016:06:04-14:02:52 acu-utm ulogd[4378]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="00:15:5d:04:87:00" srcip="192.168.0.50" dstip="192.168.3.17" proto="1" length="76" tos="0x00" prec="0xc0" ttl="64" type="3" code="0" 
 That is about 90% of the packets being dropped but I'm not entirely sure what it means or why its happening. The ASA does the NAT translation so all the UTM should need to do is pass the packets onto the internal computers but it doesn't seem to be doing that. So I then took a look at the ASA log and saw most lines similar to whats shown below. 
 
 4 Jun 04 2016 14:36:03 313005 No matching connection for ICMP error message: icmp src inside:192.168.0.49 dst outside:173.252.88.162 (type 3, code 1) on inside interface. Original IP payload: tcp src 173.252.88.162/443 dst 192.168.4.108/44746. 4 Jun 04 2016 14:36:03 313005 No matching connection for ICMP error message: icmp src inside:192.168.0.49 dst outside:173.252.89.130 (type 3, code 1) on inside interface. Original IP payload: tcp src 173.252.89.130/443 dst 192.168.4.108/50360. 
 This leads me to believe that the packets source ip is getting changed from the internal client IP to the UTM interface which is causing the firewall to drop everything due to mismatches. I feel like the answer is probably setting up NAT but I'm not entirely sure what option I'm looking for. They all seem to want to change the source ip, when I want to preserve the source IP and not have it changed to my external interface IP (which is the 192.168.0.49) 
 I should also note I do have some standard support time, and have already scheduled a call to assist in the setup, but wanted to do as much legwork beforehand as possible.

sachingurung · Accepted Answer

Hi Bob, 
 Deploy UTM in bridge mode and use Web protection in Full transparent mode(i.e., bridge mode). Please refer the following links: 
 https://www.sophos.com/en-us/support/knowledgebase/121532.aspx 
 www.sophos.com/.../119360.aspx 
 Thanks