S2S: Allow a few local networks + internet access for branch

Hello
I recently stumbled into a trap [:P]

I configured a branch VPN to have access to some local resources.
The clients are configured with a proxy so that they use the ASG on the main site for Internet access (no local breakout)

Unfortunately everything else goes through the WAN interface of the branch ASG, which led to some access problems.

Is it possible to configure a Site2site VPN so that it behaves like a RED in Standard/Unified mode?

I want to limit the access of the branch to some local resources + Internet access.
So by default I want all the traffic of the branch that is not within their own subnet to come through the tunnel

best regards
Ingo


  • You mustn't allow traffic from 10.25.0.0/16 to 10.0.x.0/24 because that enables all traffic from A to B.
    You would need something like Allow from 10.25.0.0/16 to 10.0.x.1 (so only 1 host and not the entire /24 subnet).
    This host should be your UTM, probably the Internal (Address)

    You may also have to enable "Bind tunnel to local interface" because I think you would need some (static) routes.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
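The reply's point is that the firewall rule for the branch tunnel should name single hosts (the UTM's Internal address plus the few permitted resources) rather than the whole main-site /24, otherwise the branch can reach everything at the main site. The following Python audit script is an added example and is not part of this thread or of any Sophos product: it takes a list of allow rules and reports every address a rule permits beyond an intended allowlist. The branch network 10.25.0.0/16 is the one named in the reply; "10.0.1.0/24" and "10.0.1.1" are constructed stand-ins for the reply's "10.0.x.0/24" and "10.0.x.1" (the "x" is not given on the page), and the two extra resource hosts are constructed as well.

```python
import ipaddress
from typing import List, Tuple

# Constructed example values (assumptions, not from the thread except the branch net):
BRANCH_NET = ipaddress.ip_network("10.25.0.0/16")    # branch LAN named in the reply
HQ_LAN = ipaddress.ip_network("10.0.1.0/24")         # assumed main-site LAN ("10.0.x.0/24")
UTM_INTERNAL = ipaddress.ip_network("10.0.1.1/32")   # assumed UTM "Internal (Address)"

# Destinations the branch is meant to reach: the UTM itself (proxy / Internet access)
# plus a few local resources. The two resource hosts are constructed.
ALLOWED_DESTINATIONS = [
    UTM_INTERNAL,
    ipaddress.ip_network("10.0.1.20/32"),  # constructed: file server
    ipaddress.ip_network("10.0.1.21/32"),  # constructed: print server
]

# An allow rule as (source CIDR, destination CIDR).
Rule = Tuple[str, str]


def excess_hosts(rule: Rule, allowed=ALLOWED_DESTINATIONS):
    """Return the destination addresses a rule permits beyond the allowlist.

    Only rules whose source overlaps the branch network are examined; every host
    in the rule's destination that no allowed network covers is reported.
    """
    src = ipaddress.ip_network(rule[0], strict=False)
    dst = ipaddress.ip_network(rule[1], strict=False)
    if not src.overlaps(BRANCH_NET):
        return []  # rule does not concern branch traffic
    extra = []
    for host in dst:  # a /32 yields exactly one address
        if not any(host in net for net in allowed):
            extra.append(host)
    return extra


def audit(rules: List[Rule], allowed=ALLOWED_DESTINATIONS):
    """Split rules into those that match the allowlist and those that over-permit.

    Returns (ok, too_broad); too_broad holds (rule, number_of_excess_hosts).
    """
    ok, too_broad = [], []
    for rule in rules:
        extra = excess_hosts(rule, allowed)
        if extra:
            too_broad.append((rule, len(extra)))
        else:
            ok.append(rule)
    return ok, too_broad


if __name__ == "__main__":
    # Constructed rule set: the "whole /24" rule the reply warns against,
    # the per-host rules it recommends, and an unrelated rule.
    candidate_rules = [
        ("10.25.0.0/16", str(HQ_LAN)),
        ("10.25.0.0/16", str(UTM_INTERNAL)),
        ("10.25.0.0/16", "10.0.1.20/32"),
        ("192.168.5.0/24", str(HQ_LAN)),
    ]
    good, bad = audit(candidate_rules)
    for rule in good:
        print("OK       ", rule)
    for rule, count in bad:
        print("TOO BROAD", rule, f"permits {count} hosts beyond the allowlist")
```

Running it flags the branch-to-/24 rule (253 hosts beyond the three intended ones) and accepts the single-host rules, which is the shape of rule set the reply recommends; a rule with a non-branch source is left alone since it does not govern tunnel traffic.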

