
UTM 2 external IP addresses

hi,

Trying to set up UTM to use 2 external IP addresses (ideally round robin).

Physically it is only one interface; web requests to outside should appear as source IP1 and IP2.

Any ideas how to achieve this? Uplink balancing refers to 2 interfaces...

Secondary IP is possible, but as soon as the UTM creates a TCP session (proxy/web filter), only the primary IP will be used.

Rg

  • I don't think you can achieve this on one link. I have 1 link serving 14 IP addresses to the WAN side. I use NAT settings to re-direct traffic. If you could provide some more details about what you are trying to accomplish it might help. What is the purpose of the 2 IP addresses?

  • Hi.

    Purpose is to be visible with different IP addresses on the remote side.

    many clients -> using UTM Web filter/Proxy -> public webserver

    Public webserver sees as source IP always the UTM public IP address x.x.x.1

    Goal is that the public web server might see several source IP addresses x.x.x.2 and x.x.x.3

    Regards

  • Sorry, you're asking a Cisco question - tell us what you want to do and you might find someone that doesn't think Cisco to help you. What do you want to get to where?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Since you're talking about web filtering (proxy), it's really not the individual host that's communicating to the outside world, but your proxy is. I don't think it's possible to have the webfilter use different public IPs for different clients on just 1 physical interface.

    Using multipath rules it could be possible, but I think this only works with multiple WAN connections.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Not a Cisco question. Nothing related to Cisco.

    Just trying to figure out if it is possible to 'appear' with different IP addresses to the outside world.

    Thanks

    Regards

  • apijnappels said:

    Since you're talking about web filtering (proxy), it's really not the individual host that's communicating to the outside world, but your proxy is. I don't think it's possible to have the webfilter use different public IPs for different clients on just 1 physical interface.

    Using multipath rules it could be possible, but I think this only works with multiple WAN connections.

    I thought multipath is an option. However, it might only work with 2 'external interfaces'. Thought about using 1 external interface and attaching a secondary interface. But in this case, the secondary interface is not visible in the configuration menu of multipath.

    Looks like I can't solve this topic with Sophos.
    Thanks a lot
    Regards
  • Hi

    It is possible to utilize multiple public IP addresses on the UTM for outbound traffic via the Web proxy, although not necessarily in the round robin style you mentioned.

    Logged in as root on the UTM, running the following command will enable an additional option within the web filter profiles:
    cc set http enable_out_interface 1

    Once enabled, under Web Protection > Web Filtering > Optional:Interface for Outgoing Traffic, you can specify which public IP address to use as the source of the traffic matching that profile. As I say, not round robin, but it allows you to set the public IP used by particular groups of internal client IPs.

    Hope this is useful

    Greg

  • With web-filtering enabled this is not possible - web filtering always uses the primary interface IP address - even with IPv6.

    Without web-filtering you could create NAT rules to separate internal IP addresses to specific interfaces or IP addresses in your case.

    Web-filtering is slowly becoming a pain, especially with the drive to convert the web to HTTPS - so in the future may not be so widely used.

    Tim Grantham

    Enterprise Architect & Business owner