Adding Second Interface with Different Public IP for Same Internet Connection

We have a situation that I'm not sure how to proceed correctly.

This location is currently utilizing two different firewalls - a Sophos XG 310 and a Sonicwall NSA 3500. The way this was originally configured, a small switch was put in place before the firewalls, with one ISP connection coming into the switch, then one connection from the switch going to each firewall. They have one public IP from their ISP going to the Sonicwall, and one public IP (for the same ISP connection) going to the Sophos.

I am wanting to move the public IP that is currently on the Sonicwall to the Sophos without disrupting the flow of traffic to the ISP. They have several services that use the public IP that is currently on the Sonicwall.

How can I move the connection from the Sonicwall to the Sophos as a second interface for the same ISP and allow communication for the services to work properly?

https://imgur.com/e6cMNhy

Best description I can come up with is that ...120 has a NAT for connecting to Remote Desktop Gateway with ...120:45678. I want to move the ...120 interface from the Sonicwall on the left to the ...121 Sophos on the right. Do I create a second interface on the Sophos, then create the NAT and firewall rules? Seems off to me to have two different public IPs on two different interfaces from the same ISP pool. There are even more services on the old Sonicwall in addition to the one I described, but I'm trying to keep this as simple as possible.

  • Hello Iam,

    Thank you for contacting the Sophos Community.

    For this, you would need to create a static route to redirect all the traffic going from the devices behind the Sonicwall towards the XG. I would recommend creating a new interface in your XG and in the Sonicwall (to avoid sending the traffic back to the switch where both devices are connected on the LAN side). Then, in the Sonicwall, create the static route sending all traffic directed to the internet via the Sophos XG Firewall, and in the XG just create an SD-WAN rule saying that all traffic coming from the new interface created in the XG, for the specific subnets (the subnets behind the Sonicwall), goes out via the WAN interface of the XG.

    Create the NAT rule for this traffic and a firewall rule, and that should be it. I would also create an SSL/TLS exception for this traffic while you're testing.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • A firewall may not allow two interfaces using IP addresses from the same subnet. Maybe you can use a secondary address on the same interface.

  • Hi, this is what I would do.

    On the Sophos, create an alias with a made-up IP address on the WAN (public IP) interface. Create all the rules from the Sonicwall on the alias IP, and create SD-WAN rules for outgoing traffic.

    Then change the alias IP to the Sonicwall public IP and disconnect the Sonicwall. And when you have downtime planned, remove the switch (you don't need it anymore).

    This will create minimal downtime and leave you with two public IPs on the same interface.

    Bart van der Horst


    Sophos XG v18(.5) / v19 Certified Architect
    https://www.bpaz.nl