Guest User!

You are not Sophos Staff.

Thread Info
  • Locked Locked
  • Replies 5 replies
  • Subscribers 3 subscribers
  • Views 4543 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Assigning outside IP's to devices on the network

svk253

Hello,

Here's the situation. We have a range of IP's assigned to us from our ISP but only one internet connection.
We switched from a Cisco ASA 5500 to the Sophos UTM. Previously, we could put devices on their own VLAN, let's say VLAN 10, and that would be our 'outside' vlan. We could then take any device and give it a public IP and it would get Internet access. It was as if the device was outside of our network. It was useful for troubleshooting, but beyond that we had a third party device that established a VPN tunnel that way, that we can't get to work.

I tried adding additional addresses and then opening up the rules for it on the firewall side, but it's like it can't get an outgoing connection, just incoming, no matter what I try.

Support has been struggling to come up with something to get this to work, and so far we are stuck. Some ideas included multipath rules and setting up different NAT scenarios...but, there is no internal IP for it to translate to, it's simply a device with a public IP and our ISP's gateway. 

On the ASA, it was as if you could put 2 or 3 ports on the same VLAN like a switch and things just..worked. Our 'outside' interface had 3 ports associated with it. I am admittedly not familiar with how its logic or if it created special rules in the background to allow this to work. But, the UTM does not appear to function that way.

Is this even possible with the UTM?
Please let me know if you need more info or clarification. It has not been easy explaining exactly what we need so far!



This thread was automatically locked due to age.
Parents

  • Hi, Sandra, and welcome to the UTM Community!

    Sorry if I rain on your parade... The answer is yes, solving these problems is possible.  However, it sounds like no one knowledgeable about WebAdmin has designed your configuration.  The UTM is capable of very elegant, very powerful configurations that are easy to administer and modify.  I've seen more than one that was configured by a talented CCIE that required more work of me to fix than if I'd configured it in the first place.

    That Support hasn't been able to help you with this initial configuration is no surprise - it's not their mission.  If your reseller doesn't have strong experience, you should contact Sophos Sales to give you a recommendation.  I wish you luck in getting some talented assistance.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Hi BAlfson,


    Thank you for your reply.
    We did pay for Sophos professional services to have our UTM replace our Cisco ASA, that is done.
    They cannot help us figure out this particular issue. We can't get the UTM to behave the same way and share multiple IP's on one interface using VLAN's.

    We are considering putting a switch between our UTM's public interface and our ISP and having that do the work of using a VLAN for multiple IP's on the same link. Do you know if that makes sense or is even necessary?

    Thanks
    Sandra

  • in reply to svk253

    That's good news, Sandra, about Sophos.

    Without looking inside to see what's really happening, I wouldn't hazard a guess about adding the switch.

    If what you are trying to do is to bridge two separate segments for a single VLAN while not doing so for all VLANs on the bridge, then that's not possible inside WebAdmin, and you would compromise your support agreement if you did it on the command line.

    I wonder if you couldn't approach this differently...  Have your ISP route your additional addresses to the address on your External interface.  Create a "public DMZ" internally on VLAN 17 (for example) and simply make firewall rules allowing the traffic you want to allow.  Remember that the UTM firewall is stateful, so you need only allow requesting traffic, the response traffic will be allowed automatically by conntrack.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Thanks again, I'll check with our ISP about the routing part. The thing is, we were able to have multiple IP's on our outside interface when it was on the Cisco ASA. The ISP didn't change anything when we moved to the UTM.

    I guess this creates another question if you wouldn't mind..

    I did play with firewall rules for allowing traffic to the public IP I need, and it's like it lets things IN but not out. If I take a laptop and plug it into our public VLAN and give it a public IP it can't get out to the internet, but things can ping it. The issue is a VPN tunnel needs to establish over this public IP and it can't because it's like the internal device with the public IP can't access the internet at all.

  • in reply to svk253

    Pinging is regulated on the 'ICMP' tab of 'Firewall'.

    The first thing to do is to get the ISP to route traffic instead of having its last-hop router ARPing for the public IPs on your public DMZ.  Then, I suspect that the first item in #3.1 in Rulz is being violated.

    You can have Additional Addresses on your External interface, but the subnet on the External interface must not conflict with the subnet in you public DMZ.

    You will have a PM in a few minutes.

    EDIT 20 minutes later: WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  In specific, WebAdmin creates routes automatically based on the subnets assigned on its interfaces.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • in reply to svk253

    Pinging is regulated on the 'ICMP' tab of 'Firewall'.

    The first thing to do is to get the ISP to route traffic instead of having its last-hop router ARPing for the public IPs on your public DMZ.  Then, I suspect that the first item in #3.1 in Rulz is being violated.

    You can have Additional Addresses on your External interface, but the subnet on the External interface must not conflict with the subnet in you public DMZ.

    You will have a PM in a few minutes.

    EDIT 20 minutes later: WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  In specific, WebAdmin creates routes automatically based on the subnets assigned on its interfaces.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML