
Replacing TMG with a Sophos UTM SG210.

Hi all,

I'm trying to replace my old TMG with my SG210; the problem is that when I create a new rule, it doesn't work.

I noticed that my LAN can't access the internet even with the firewall rule "Any-Any-Any", so I had to create a NAT rule to make this happen. (Internal IP: 10.6.1.2 - External WAN IP: 192.168.100.3)

[image: firewall rules on the SG210]

These are the rules that I have to migrate to the SG210. Based on rule number 2 (image below) I created "Any -> SMTP -> Sharepoint Server" on the SG (image above), but as I said, it doesn't work.

Also for my inbound rules, like "SMTP de Entrada" (Rule number 7, image above) I have to create a DNAT for this one and I think I have to do the same for all the other ones.

[image: firewall rules on the TMG]

Am I doing something wrong? I need to delete the "Any-Any-Any" rule and create the same rules that I had in the TMG.



  • Is there any specific reason why you do not put your SG 210 directly on the internet, and instead do the workaround via this ASA? This makes things more complicated. If your only reason is that this network design is as it was before with the TMG, you should think about whether this network design is still suitable for your current needs.

    Furthermore, with this design you do NAT twice (1x on Sophos, 1x on ASA). If you want to keep your network design as it is, then I would suggest that you not do any NAT on the Sophos. Instead you have to create a route on your ASA which says:

    * Route 10.0.0.0/8 to 192.168.100.3

    But this will not solve your problems. What you're looking for is probably the possibility to allow incoming traffic from the internet. Then, a DNAT would help. See community.sophos.com/.../115145

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • Hi HuberChristian,

    1. Sadly, I can't change the network design; it's a customer network, so I can't change anything.

    2. I have a problem with the NAT on the Sophos: if I delete/disable the rule, my entire LAN can't access the internet. Also, after connecting the SG210 to the ASA, I'm getting a notification from the ASA:

    From: "asa_domain@domain.com" <asa_domain@domain.com>
    To: XXXXXXXXXXXXXXXXX <XXXXXXXX@domain.com>
    Cc:
    Bcc:
    Date: Fri, 3 Mar 2017 06:13:01 +0000
    Subject: ASA Alert (Domain)
    <161>Domain %ASA-1-11111: Deny TCP reverse path check from <Y.Y.Y.Y> to <X.X.X.X> on interface Inside

    3. I need to allow inbound and outbound traffic with different rules. I tried the DNAT on the inbound rules and it worked. I want to bind certain rules to certain users and groups.

  • 1. Is it you who is responsible for the infrastructure at this customer, or is it the customer? If it's the customer, then you should inform the customer about the disadvantages of his current network design.

    2. This seems to be because the ASA doesn't know your 10.6.x.x networks. See the detailed reason for your error message:

    Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

    3. This is possible, since UTM 9.4 supports user-authentication via STAS. See discussion here: https://community.sophos.com/products/unified-threat-management/f/general-discussion/76063/ad-user-based-access---utm-9-4

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
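To make the two replies above concrete (the "Route 10.0.0.0/8 to 192.168.100.3" suggestion in the first reply and the Unicast RPF explanation in this one), here is an added example that is not code from Sophos, Cisco or anyone in the thread. It models the ASA's routing table and a strict reverse path check in Python. The interface names "Inside" and "Outside", the ISP gateway 203.0.113.1, the `/16` for the LAN behind the SG 210 and the syslog wording are assumptions or constructed from the thread; the ASA message id is not in the post and is left out.

```python
"""Strict Unicast Reverse Path Forwarding (uRPF) check, modelled in Python.

Added example, not vendor code. The table below is a constructed stand-in
for the ASA in the thread: its Inside interface faces the SG 210's WAN
address 192.168.100.3, and the LAN behind the SG 210 is 10.6.x.x.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None means "directly connected"
    interface: str


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the way a router's forwarding table resolves an address."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def strict_urpf(table: List[Route], src: str, ingress: str) -> bool:
    """Strict uRPF: the best route *back to the packet's source* must point out
    the interface the packet arrived on. Anything else looks like a spoofed
    source and is dropped."""
    route = lookup(table, src)
    return route is not None and route.interface == ingress


def check_packet(table: List[Route], src: str, dst: str, ingress: str) -> str:
    """Return 'permit' or a deny string shaped like the ASA log line in the thread."""
    if strict_urpf(table, src, ingress):
        return "permit"
    return f"deny: Deny TCP reverse path check from {src} to {dst} on interface {ingress}"


# Constructed ASA table before any change: only the connected transit net and a
# default route towards the ISP. The 10.x.x.x LAN is unknown to the ASA.
ASA_TABLE_BEFORE = [
    Route(ipaddress.ip_network("192.168.100.0/24"), None, "Inside"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "Outside"),  # assumed ISP gateway
]

# Same table after adding the route the first reply suggests.
ASA_TABLE_AFTER = ASA_TABLE_BEFORE + [
    Route(ipaddress.ip_network("10.0.0.0/8"), "192.168.100.3", "Inside"),
]


def scenarios() -> dict:
    """The four cases a migrator wants to see side by side."""
    return {
        # Sophos SNAT disabled, no route on ASA: LAN source reaches the ASA unchanged,
        # best route back to 10.6.1.2 is the default route out Outside -> dropped.
        "no_nat_no_route": check_packet(ASA_TABLE_BEFORE, "10.6.1.2", "93.184.216.34", "Inside"),
        # Sophos SNAT enabled: the ASA only ever sees 192.168.100.3, which is connected
        # on Inside -> passes. This is why disabling the NAT rule breaks internet access.
        "with_nat": check_packet(ASA_TABLE_BEFORE, "192.168.100.3", "93.184.216.34", "Inside"),
        # Sophos SNAT disabled but 10.0.0.0/8 routed via 192.168.100.3 on Inside -> passes.
        "no_nat_with_route": check_packet(ASA_TABLE_AFTER, "10.6.1.2", "93.184.216.34", "Inside"),
        # What uRPF is actually for: a packet arriving from the internet side claiming an
        # internal source address is rejected even with the route in place.
        "spoofed_from_outside": check_packet(ASA_TABLE_AFTER, "10.6.1.2", "192.168.100.3", "Outside"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
```

The `no_nat_no_route` case reproduces the alert the poster received: the source 10.6.1.2 only matches the default route, which points out Outside, so a packet with that source arriving on Inside fails the check. Either keeping SNAT on the Sophos (so the ASA sees 192.168.100.3) or adding the 10.0.0.0/8 route makes the check pass; the latter is the single-NAT design the first reply recommends.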

  • 1. No. I'm not responsible for the customer's infrastructure. I will tell him but meanwhile I have to deal with it just how it is.

    2. This could be caused by the NAT rule I created on the Sophos, right?

    3. STAS seems to be a good option for me. Does it work well with Web Filtering? We have around 200 users registered in AD; does STAS recreate all the users from AD in the UTM? Could it have a significant impact on the performance of the UTM? Does STAS work with iView?

    Thank you.
