static routes not applying

Hello,

I'm having an issue with static routes, and I'm pretty sure this broke somewhere around 9.409/410, as it was working before.

I have two gateways in my network: one is the UTM (10.10.10.15), another a Cisco ASA (10.10.10.16).

Some IPs/networks can only be accessed through the ASA.

Let's say one host/network is 8.8.8.8.

If on a workstation I do an add route 8.8.8.8 10.10.10.16, then traffic goes through the ASA correctly.

On the UTM I made a gateway route that is "host 8.8.8.8" through gateway ASA "10.10.10.16" with metric 1.

I then try to access that IP from a station and it's not working; traceroute shows the route is not operational, it goes through the UTM and straight over the internet.

I checked the routing table in the UTM and the line is there:

8.8.8.8 via 10.10.10.16 dev eth0 proto static metric 1

To troubleshoot further, I have a RouterBoard lying around and configured the same route, then added a route on the PC to 8.8.8.8 through the MikroTik and it's working perfectly, so the issue is the UTM, no doubt.

Just in case, I also have all the pertinent firewall rules from LAN to those special hosts allowed.

This thread was automatically locked due to age.
  • Hi,

    The route is defined on eth0. Is this the correct interface where the clients are connected to?

    What about the configured interface in the host object 8.8.8.8? Is it correct?

    Could you post the whole routing table of the UTM?

    Jas Man

  • eth0 is the LAN port; yes, clients are connected in that LAN, same as the Cisco ASA.

    "What about the configured interface in the host object 8.8.8.8? Is it correct?" What configured interface? They're internet hosts (or remote private IP hosts through one of the VPNs in the Cisco ASA).

  • You've been around for a long time, Mast, and I know you know the UTM well, so it must be something you're not seeing.  Please show pictures of the Edits of the relevant parts of the configuration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Shot in the dark here just to be sure. Did you try it with another host IP? Because 8.8.8.8 is Google's DNS server and maybe the UTM is getting mixed up there, i.e. you have 8.8.8.8 entered somewhere else?

  • Bob,

    The thing is that this was working as-is and one of the previous patches broke it.

    It's also quite simple really:

    In the LAN I have the UTM and an ASA on the same subnet.

    There is a list of networks and hosts that have to be routed through the ASA, all of which are defined in a group in the UTM.

    Then I made the static gateway route rule that for those hosts the gateway is the ASA.

    Then I created a FW rule from LAN to hosts allowing the services I need.

    I check the route list and the entry is there,

    and it's not working; it's ignoring the route and going through the internet.

    Yet if I do the same on a MikroTik, it works perfectly, same as adding a route by hand on Windows.

    I already have a case open but communicating has been... very difficult at best. They suggested something about the web proxy interfering, if I understood them... I'll have to check that.

    Edit: just checked, I already have a transparent skiplist destination set...
