Can I have, on the same WAN interface, an IP 126.96.36.199/255.255.255.192 with gateway 188.8.131.52, and several IP aliases on the same interface but on a different network, 184.108.40.206-220.127.116.11/255.255.255.240?
The aliases would be for publishing services hosted on the internal network, such as a web server, an ERP application, an e-mail server, etc. Awaiting a reply, and thanks!
An alias IP must use the same subnet as the physical interface.
In reply to lferrara:
But I have a problem: the provider gave me an IP for the interface that is part of one network, and a block of valid IP addresses that is part of another network.
This works today at the client, which uses Fortigate; that equipment supports a primary and a secondary IP on the same interface, in which case the secondary IP is on the same network as the alias. The client will switch from Fortigate to Sophos XG, but this has to work.
What do I do?
I don't know that that is entirely true; I encountered a customer years ago whose ISP was, in American terms, "lame." They added additional public IPs using ROTP (Routing Over The Top)… granted, this was with Sophos SG UTM (it may have even been Astaro UTM back then), but to my amazement adding each alias IP with a /32 worked for publishing inbound services (of course it did not work for outbound, but that wasn't the point). The ISP did some "magic" that allowed this to work. I wasn't a fan of the configuration, but it did work. Things may be different on XG, of course.
In reply to IvanildoGalvão:
I tried on v18 and you can.
Check the screenshot.
In reply to BrucekConvergent:
The provider gave a solution. It will put a router on the edge, which will be the gateway for Sophos: the WAN interface of the router will have IP 18.104.22.168/255.255.255.192, and its internal interface, connected directly to the XG, will have IP 22.214.171.124; on the XG it will be 126.96.36.199. So the XG interface and the alias will be on the same network. That solves the problem, right? Detail: the IP addresses here are fictitious.
It will work but you will have another hop.
As I said, on v18 you CAN HAVE an IP alias with a different subnet mask. Check the screenshots.
Yes, it lets you configure it; this was done on version 17.5.9 MR9. The question is, does it work? Will the XG be able to receive and route the packets?
I will perform a test in my lab and let the community know.
I can confirm, it works.
18:57:13.814608 ifb0, OUT: IP 192.168.1.23.40398 > 188.8.131.52.https: Flags [.], seq 24445:25885, ack 7440, win 365, length 1440
18:57:13.814633 Port2, OUT: IP 192.168.1.23.40398 > 184.108.40.206.https: Flags [.], seq 24445:25885, ack 7440, win 365, length 1440
18:57:13.814658 ifb0, OUT: IP 192.168.1.23.40398 > 220.127.116.11.https: Flags [.], seq 25885:27325, ack 7440, win 365, length 1440
18:57:13.814666 Port2, OUT: IP 192.168.1.23.40398 > 18.104.22.168.https: Flags [.], seq 25885:27325, ack 7440, win 365, length 1440
18:57:13.814739 ifb0, OUT: IP 192.168.1.23.40398 > 22.214.171.124.https: Flags [.], seq 27325:28765, ack 7440, win 365, length 1440
18:57:13.814748 Port2, OUT: IP 192.168.1.23.40398 > 126.96.36.199.https: Flags [.], seq 27325:28765, ack 7440, win 365, length 1440
I applied the proper NAT on v18 and created an ad-hoc firewall rule.
I tested it here, it worked very well.
Sophos XG supports having an IP from one network on the interface and the alias on another network; the provider sends the packets to the services published on the alias and it accepts them :) Now, how the provider does its part, I don't know. See the picture of how it turned out. Thank you for your support!
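The thread's whole question comes down to one check: is each alias inside the primary interface's subnet, and if not, can the alias still reach the default gateway on its own? The helper below, added here as an example (it is not part of the thread and not Sophos code), runs that check with Python's standard ipaddress module over two constructed topologies using RFC 5737 documentation ranges: the original situation (primary IP in one block, published aliases in another, including the /32 trick mentioned above) and the provider's proposed fix (an edge router in front, the XG WAN moved into the published block). The function names, the addresses and the field names in the returned dicts are all assumptions made for this example.

```python
from __future__ import annotations

from ipaddress import ip_address, ip_interface


def classify_alias(primary: str, gateway: str, alias: str) -> dict:
    """Classify one alias address against the interface's primary IP.

    primary and alias are "address/prefix" strings, gateway is a bare address.
    Returned flags (names chosen for this example):
      on_link                 alias sits in the primary's subnet (the textbook case)
      gateway_on_link         the default gateway is inside the alias's own subnet,
                              so traffic sourced from the alias does not depend on
                              the primary subnet's route to reach it
      inbound_needs_isp_route an off-link alias only receives traffic if the ISP
                              routes that block towards the primary IP
    """
    p = ip_interface(primary)
    a = ip_interface(alias)
    gw = ip_address(gateway)
    # A gateway outside the primary subnet is a misconfiguration on its own.
    if gw not in p.network:
        raise ValueError(f"gateway {gw} is not inside primary subnet {p.network}")
    on_link = a.ip in p.network
    return {
        "alias": str(a),
        "on_link": on_link,
        "gateway_on_link": gw in a.network,
        "inbound_needs_isp_route": not on_link,
    }


def audit_wan(primary: str, gateway: str, aliases: list[str]) -> list[dict]:
    """Run classify_alias over every alias configured on one WAN interface."""
    return [classify_alias(primary, gateway, a) for a in aliases]


# Constructed topology (RFC 5737 addresses, not the thread's): the ISP hands the
# firewall 203.0.113.10/26 with gateway 203.0.113.1 and routes a separate block
# 198.51.100.0/28 to it. The last alias uses the /32 form mentioned in the thread.
BEFORE = audit_wan(
    "203.0.113.10/26",
    "203.0.113.1",
    ["203.0.113.20/26", "198.51.100.5/28", "198.51.100.6/32"],
)

# Constructed "after" topology: an edge router now owns 203.0.113.0/26, and the
# firewall's WAN lives inside the published block, so every alias is on-link.
AFTER = audit_wan(
    "198.51.100.2/28",
    "198.51.100.1",
    ["198.51.100.5/28", "198.51.100.6/28"],
)

if __name__ == "__main__":
    for label, rows in (("before edge router", BEFORE), ("after edge router", AFTER)):
        print(label)
        for row in rows:
            print("  ", row)
```

In the "before" case the off-link aliases report inbound_needs_isp_route=True and gateway_on_link=False, which is exactly the asymmetry described earlier in the thread: inbound publishing works as long as the provider routes the block to you, while outbound traffic sourced from the alias still leaves via the primary subnet's gateway. In the "after" case every alias is on-link and the question disappears.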