static routes not applying

Hello,

I'm having an issue with static routes, and I'm pretty sure this broke somewhere around 9.409/410, as it was working before.

I have two gateways in my network: one is the UTM (10.10.10.15), the other a Cisco ASA (10.10.10.16).

Some IPs/networks can only be accessed through the ASA.

Let's say one host/network is 8.8.8.8.

If on a workstation I do an add route 8.8.8.8 10.10.10.16, then traffic goes through the ASA correctly.

On the UTM I made a gateway route for "host 8.8.8.8" through gateway ASA "10.10.10.16" with metric 1.

I then try to access that IP from a station and it's not working; traceroute shows the route is not operational, it goes through the UTM and straight out over the Internet.

I checked the routing table in the UTM and the line is there:

8.8.8.8 via 10.10.10.16 dev eth0 proto static metric 1

To troubleshoot further, I have a RouterBoard lying around and configured the same route, then added a route on the PC to 8.8.8.8 through the MikroTik, and it's working perfectly, so the issue is the UTM, no doubt.

Just in case, I also have all the pertinent firewall rules from LAN to those special hosts allowed.




  • What if you make that a Policy route, Mast?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    The route is defined on eth0. Is this the correct interface where the clients are connected to?

    What about the configured interface in the host object 8.8.8.8? Is it correct?

    Could you post the whole routing table of the UTM?

    Jas Man

  • Policy route makes no difference

    eth0 is the LAN port; yes, clients are connected in that LAN, same as the Cisco ASA.

    "What about the configured interface in the host object 8.8.8.8? Is it correct?" What configured interface? They're Internet hosts (or remote private IP hosts through one of the VPNs in the Cisco ASA).

  • You've been around for a long time, Mast, and I know you know the UTM well, so it must be something you're not seeing. Please show pictures of the Edits of the relevant parts of the configuration.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Shot in the dark here, just to be sure. Did you try it with another host IP? Because 8.8.8.8 is Google's DNS server, and maybe the UTM is getting mixed up there, i.e. you have 8.8.8.8 entered somewhere else?

  • Bob,

    The thing is that this was working as-is and one of the previous patches broke it.

    It's also quite simple really:

    In the LAN I have the UTM and an ASA on the same subnet.

    There is a list of networks and hosts that have to be routed through the ASA, all of which are defined in a group in the UTM.

    Then I made the static gateway route rule saying that for those hosts the gateway is the ASA.

    Then I created a FW rule from LAN to those hosts allowing the services I need.

    I check the route list and the entry is there,

    and it's not working; it's ignoring the route and going through the Internet.

    Yet if I do the same on a MikroTik, it works perfectly, same as adding a route by hand on Windows.

    I already have a case open, but communicating has been... very difficult at best. They suggested something about the web proxy interfering, if I understood them... I'll have to check that.

    Edit: just checked, I already have a transparent skiplist destination set...

  • Mast_01 said:

    ...

    "What about the configured interface in the host object 8.8.8.8? Is it correct?" What configured interface? They're Internet hosts (or remote private IP hosts through one of the VPNs in the Cisco ASA).

    You wrote that you've configured a static route for the target "8.8.8.8" that points to the ASA. This static route has a host or network object in the field "Network", and this object has a field where you can define the interface where the host or network is homed (Any, LAN, WAN, ...).

    Please also post or check the routing table. There must be a reason why the UTM preferred the Any-route to the Internet.

    BTW: Have you checked that the routing rule is activated? Maybe it's such a simple thing...

    EDIT: Gateway Routing works fine for me in 9.411-3. Entry in routing table:

    8.8.8.8 via 192.168.10.3 dev eth1.10  proto static  metric 1 onlink 


    Jas Man

  • Jas,

    I have a group that contains both hosts AND networks (I hope the uploads are visible).

    Yes, the rule is active :D

    The route table is huge and full of IPs, but I checked and they're there (this is a portion of the table), both public and private tunnels:

    default via 10.10.10.200 dev eth0  table 1  proto policy 
    200.x.x.x. via 10.10.10.200 dev eth0  proto static  metric 1 
    200.x.x.x via 10.10.10.200 dev eth0  proto static  metric 1 
    200.x.x.x via 10.10.10.200 dev eth0  proto static  metric 1
    172.16.6.170 via 10.10.10.200 dev eth0  proto static  metric 1
    172.16.6.171 via 10.10.10.200 dev eth0  proto static  metric 1
    192.168.2.5 via 10.10.10.200 dev eth0  proto static  metric 1
    192.168.2.13 via 10.10.10.200 dev eth0  proto static  metric 1
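As an added illustration (not from the thread, Sophos, or any of the posters), a small Python model of the Linux route selection the UTM performs: longest-prefix match within one table, but tables consulted in `ip rule` priority order, where a default route in an earlier table ends the lookup. The sample table is constructed from the kinds of lines quoted above (the 10.10.10.200 policy default, the 10.10.10.16 host route); the 203.0.113.1 WAN default and the table names are assumptions. It shows one way a host route can be present in `main` yet never be used.

```python
import ipaddress

# Constructed sample in `ip route show table all` format, modelled on the lines
# quoted in this thread. Lines without a `table` keyword belong to "main".
SAMPLE_ROUTES = """\
default via 10.10.10.200 dev eth0  table 1  proto policy
default via 203.0.113.1 dev eth1  proto static
10.10.10.0/24 dev eth0  proto kernel  scope link  src 10.10.10.15
8.8.8.8 via 10.10.10.16 dev eth0  proto static  metric 1
192.168.2.5 via 10.10.10.16 dev eth0  proto static  metric 1
"""

def parse_routes(text):
    """Turn route lines into dicts with table, prefix, via, dev and metric."""
    routes = []
    for toks in (line.split() for line in text.splitlines() if line.strip()):
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        route = {"table": "main", "prefix": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "metric": 0}
        for i in range(1, len(toks) - 1):
            if toks[i] in ("table", "via", "dev"):
                route[toks[i]] = toks[i + 1]   # keyword followed by its value
            elif toks[i] == "metric":
                route["metric"] = int(toks[i + 1])
        routes.append(route)
    return routes

def lookup_in_table(routes, table, dst):
    """Longest-prefix match inside one table; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r["table"] == table and addr in r["prefix"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))

def select_route(routes, dst, rule_tables):
    """Consult tables in `ip rule` order; the first table with any match (a default counts) wins."""
    for table in rule_tables:
        hit = lookup_in_table(routes, table, dst)
        if hit:
            return table, hit
    return None, None

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    table, route = select_route(routes, "8.8.8.8", ("main",))
    print(table, route["via"])   # main 10.10.10.16: the /32 beats the default
    table, route = select_route(routes, "8.8.8.8", ("1", "main"))
    print(table, route["via"])   # 1 10.10.10.200: table 1's default is hit first
```

On a real UTM the equivalent check is `ip rule show` followed by `ip route get <dst>`, which reports the table and gateway actually chosen rather than what the configuration lists.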
  • Looks good.

    So default and static route pointing to the ASA?

    And which address is routed by the UTM directly through the Internet, WAN or what else is behind the UTM?

    Have you tried to re-create the rule, or to choose only a single host, not the complete group?
