
Inbound route on interface

I have a second WAN link set up that we are using as a direct connection to a remote data centre.

I have added a multipath rule and a masq NAT rule and source NAT, and can now ping the devices in the remote data centre.

However, the remote data centre cannot ping the LAN. If I do a traceroute I get to the IP address of the interface but don’t get any further.

I have a firewall rule allowing everything from the remote network to the LAN, and nothing is coming up in the packet filter logs.

The bit that confuses me is that I can web browse to a machine in the data centre and I can Remote Desktop onto one. If it was a routing issue I would have thought that both of those would not work.

Anyone have any pointers on what it might be or where to look?

  • Hi Peter,

    This is a direct connection, no tunnel like IPsec, correct?

    Why NAT? And why Multipathing rule? Do you have a second connection to that data center?

    Maybe you could show us a little diagram.

    Best regards

    Alex

  • Hi

    Yes, this is a direct connection.

    We have our standard WAN connection. This extra one was put in as a second direct network. It goes to a second data centre with about 5 machines in it.

    I set it up using a multipath rule as it seemed the only way to route to those machines from our LAN, as I could only set a gateway for one interface. This new line is into its own interface.

    This is the only connection to that data centre and I don’t really want to be able to use our existing one.

    I was trying to keep it all separate.

  • Hi Peter,

    I just thought about the multipath because, if that is the only connection, shouldn’t the routing be done by the UTM itself? I mean on the level of network address lookup in the routing table.

    Alex

  • Well, after hours on the phone to support I think I'm actually in a worse position.

    They suggested that the issue was that I was using NAT and a masq rule.

    They took out the default gateway on the interface and added a static route. However, it is now not working. Interestingly, the firewall now routes traffic to the interface. Before, it was going out over the standard WAN interface. However, it does not seem to get any further.

    The interface is 195.164.245.2 and the Cisco router is .1; I can ping 195.164.245.1 from the firewall.

    I guess I might be approaching this wrong.

    How do you add a second WAN interface going to a second network and allow traffic between the two? Am I approaching this wrong?

  • Hi Peter,

    If this is only a private network to your data centre I would not call this a WAN interface. It’s just another interface and doesn’t have a default gateway.

    In the UTM a default gateway is only set if you want internet traffic flowing through that interface, in my opinion.

    As already stated, if you want to get recommendations here please share some information about the network and the thing you want to accomplish. Of course you could change IPs etc.

    I don’t have a clue what the position of your Cisco router is, for example. I could guess it’s the router in the other network?

    Did you set up routing there, by the way?

    Best regards

    Alex

  • Thanks Alex,

    Hopefully this diagram will help.

    Yes, it is just a private network to the data centre. It sounds like not having the default gateway might be the best way. No, I did not set up the other routers; the ISP did it.

    The Cisco router is in our office on the other side of the Sophos. I'm not sure what is at the GTT end.

  • I guess that the Cisco router is masquerading pings and RDP access.  GTT knows how to route back to the Cisco and the Cisco knows how to route back to your LAN.  GTT needs a route to your LAN.  Was that it?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
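Bob's diagnosis above, modelled as an added example (not from the thread, not Sophos or Cisco code): a tiny longest-prefix routing simulator that shows why LAN-initiated traffic works when the Cisco masquerades it, while a ping from the data centre dies at GTT until GTT has a route back to the LAN. The 195.164.245.1/.2 link addresses come from the thread; the /30, the LAN, transit and data-centre prefixes and the hop names are constructed assumptions.

```python
import ipaddress as ip

# Constructed topology: LAN hosts -> "utm" -> "cisco" -> "gtt" -> "dc" (datacentre router).
# Only 195.164.245.1 (Cisco) and .2 (UTM) are from the thread; the /30 and every
# other prefix and address below are assumptions made for this example.
LAN, LINK = ip.ip_network("192.168.10.0/24"), ip.ip_network("195.164.245.0/30")
TRANSIT, DC = ip.ip_network("198.51.100.0/30"), ip.ip_network("10.50.0.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")

# Routing table per hop: destination network -> "connected" or next-hop name.
BROKEN = {
    "utm":   {LAN: "connected", LINK: "connected", DC: "cisco"},  # static route, no default gw
    "cisco": {LINK: "connected", TRANSIT: "connected", LAN: "utm", DEFAULT: "gtt"},
    "gtt":   {TRANSIT: "connected", DC: "dc"},                     # no route back to the LAN
    "dc":    {DC: "connected", DEFAULT: "gtt"},
}
FIXED = {hop: dict(table) for hop, table in BROKEN.items()}
FIXED["gtt"][LAN] = "cisco"   # the missing return route Bob points at

def lookup(table, addr):
    """Longest-prefix match; None when the hop has no route for addr at all."""
    hits = [net for net in table if addr in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def deliver(tables, start, src, dst, masq=None):
    """Forward one packet hop by hop from `start`. Returns (delivered, source address
    as the receiver sees it); a hop listed in `masq` rewrites the source (NAT)."""
    hop, seen = start, set()
    while hop not in seen:                 # stop on a routing loop
        seen.add(hop)
        if masq and hop in masq:
            src = masq[hop]
        nh = lookup(tables[hop], dst)
        if nh is None:
            return False, src              # dropped: no route at this hop
        if nh == "connected":
            return True, src
        hop = nh
    return False, src

def ping_from_lan(tables, masq=None):
    """LAN host pings a datacentre host; True only if the echo reply makes it back."""
    src, dst = ip.ip_address("192.168.10.20"), ip.ip_address("10.50.0.5")
    out, seen_src = deliver(tables, "utm", src, dst, masq)
    return out and deliver(tables, "dc", dst, seen_src)[0]

def ping_from_dc(tables):
    """Datacentre host pings a LAN host: the direction that fails in the thread."""
    src, dst = ip.ip_address("10.50.0.5"), ip.ip_address("192.168.10.20")
    out, seen_src = deliver(tables, "dc", src, dst)
    return out and deliver(tables, "utm", dst, seen_src)[0]

# Bob's guess: the Cisco masquerades LAN sources behind its GTT-facing address.
CISCO_MASQ = {"cisco": ip.ip_address("198.51.100.1")}
```

With `BROKEN` tables, `ping_from_lan(BROKEN, CISCO_MASQ)` succeeds because the reply only has to reach the Cisco's transit address, while `ping_from_dc(BROKEN)` fails at GTT; adding the LAN route at GTT (`FIXED`) makes both directions work without masquerading.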