Routing traffic from a VPN to another network connected via VPN

I have a remote ASG110 doing a site-to-site VPN to my AS220 at HQ.  I also have my ASG220 doing a vpn tunnel to a third-party company.

From my remote ASG110, I want to be able to see hosts at the third-party company.

My pc behind the ASG220 can ping the third-party host, but pcs behind my ASG110 (which is connected via VPN) are unable to do so.

I've tried static routes and policy routes to no avail.  Please help.

- - - - - - - - - - - - - - 

Tunnel from ASG110 to ASG220
 0.0.0.0/0=70.165.79.130  70.208.153.198=10.209.59.0/24

Tunnel from ASG220 to third-party
 70.165.79.130/32=70.165.79.130  66.147.172.3=66.147.172.198/32


  • Do you have appropriate packetfilter rules for the traffic?

    Have you looked at the packetfilter logs?

    FWIW, I'm doing the same thing, and it works for me. I didn't need to change the routing at all, but you do need to define all the remote networks and include them in the VPN gateway settings.

    Barry
  • Here's a post I did in the German forum, but you don't need to speak German to understand it: https://community.sophos.com/products/unified-threat-management/astaroorg/f/68/p/58783/217549#217549

    It is a formal repetition of Gert's comments earlier in that thread.  The poster wanted to be able to have all three locations see all three locations, so you just need to have the third location (Standort C) in the example be "usual."

    Like Barry said, you don't need any extra routing.  In fact, Gert says in that thread that such routes are not reliable - you need to do it the way Barry explains.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • hi fsandiego,

    I assume the ASG220 isn't doing NAT for traffic from your ASG110.
    Therefore 3rdparty cannot recognise the source from your ASG110.

    So enable NAT.

    ASG220 nat:
    src-net=asg110-lan
    dst-net=3rdparty

    ASG110 static route:
    dst-net=3rdparty
    gw=asg220-gw

    make sure you permit the traffic :) and it should work
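    An added example (my own, not posted by anyone in this thread): a small Python check of the two IPsec selectors quoted in the question, showing why a 10.209.59.x source is never carried by the ASG220's tunnel to the third party and why the SNAT rule in this reply makes it match. It assumes the listings read as local_net=local_gw remote_gw=remote_net from the ASG220's side, and that the objects asg110-lan and 3rdparty stand for 10.209.59.0/24 and 66.147.172.198/32.

```python
import ipaddress


class Tunnel:
    """One site-to-site tunnel as seen from the ASG220: local_net <-> remote_net."""

    def __init__(self, name: str, local_net: str, remote_net: str):
        self.name = name
        self.local_net = ipaddress.ip_network(local_net)
        self.remote_net = ipaddress.ip_network(remote_net)

    def carries(self, src: str, dst: str) -> bool:
        # A packet is only encrypted into this tunnel if BOTH sides of the
        # selector match; otherwise the UTM does not consider the tunnel at all.
        return (ipaddress.ip_address(src) in self.local_net
                and ipaddress.ip_address(dst) in self.remote_net)


def parse_selector(name: str, line: str) -> Tunnel:
    """Parse a line in the format posted above: 'LOCALNET=LOCALGW  REMOTEGW=REMOTENET'."""
    left, right = line.split()
    local_net, _local_gw = left.split("=")
    _remote_gw, remote_net = right.split("=")
    return Tunnel(name, local_net, remote_net)


# Selectors exactly as quoted in the question (read from the ASG220's side; assumption).
TUNNELS = [
    parse_selector("ASG220-ASG110", "0.0.0.0/0=70.165.79.130  70.208.153.198=10.209.59.0/24"),
    parse_selector("ASG220-thirdparty", "70.165.79.130/32=70.165.79.130  66.147.172.3=66.147.172.198/32"),
]

# SNAT rule from this reply: src asg110-lan, dst 3rdparty -> rewritten to the ASG220 public IP.
SNAT_RULES = [
    (ipaddress.ip_network("10.209.59.0/24"), ipaddress.ip_network("66.147.172.198/32"), "70.165.79.130"),
]


def apply_snat(src: str, dst: str, rules=SNAT_RULES) -> str:
    """Return the source address after SNAT (unchanged if no rule matches)."""
    for src_net, dst_net, new_src in rules:
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            return new_src
    return src


def outbound_tunnel(src: str, dst: str, snat: bool = False):
    """Name of the tunnel the ASG220 would forward src->dst into, or None if no selector matches."""
    if snat:
        src = apply_snat(src, dst)
    for t in TUNNELS:
        if t.carries(src, dst):
            return t.name
    return None
```

    Without the SNAT rule, a packet from 10.209.59.10 to 66.147.172.198 matches neither selector and is simply not sent into the third-party tunnel, which is also why the packetfilter log is the first place to look.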