
Public IP block routing through single WAN IP

Installed a Comcast Metro E fiber Internet connection. Was unable to use Sophos UTM, as I could not turn up an IPsec point-to-point tunnel on an additional IP.

Sophos recommended installing the XG firmware on the SG230 firewall, as it will allow tunnels on additional IPs.

I am at a loss as to how to set up the configuration per Comcast's recommendation here.



  • Hello,

    As I understand the diagram, there is one connection to the Comcast network from the customer's premises. I would like to know: do you plan to connect to a different router at the same time, or is this an active failover type of connection?

    The WAN is not directly public-facing and is NATed to a private address, so you would need to initiate the connection from the customer's premises.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

    • I actually have two SG 230 firewalls in an Active/Passive configuration under UTM.

      I broke the HA and converted one of them to XG and am attempting to build what Comcast shows.

      The Sophos box needs to route the 5 assigned public IPs through the point-to-point single IP.

      When I re enable HA there will be a dumb switch between the two firewalls and the single port on the Ciena device.

      I just don't see how to do this.

      • Hello,

        OK, per my understanding, you wish to route an IP block (the public addresses assigned to your WAN) through IPsec?

        Regards,

        Aditya Patel
        Global Escalation Support Engineer | Sophos Technical Support


        • The point-to-point connection is not IPsec. That is what Comcast calls the connection. If I put its IP address and gateway on the firewall WAN port, or on a PC directly, I can get to the Internet.

          To use my assigned public IP block of 5 IPs I have to route them through this connection.

          • Hello,

            Since you have multiple addresses you wish to route through your main WAN: your WAN connection will have an option to add an alias to the main interface. But it will relay outgoing traffic through the main by default; this can be changed by configuring SNAT and applying it in your firewall rules.

            For inbound traffic, i.e. DNAT, you can use any alias on your WAN interface.

            Regards,

            Aditya Patel
            Global Escalation Support Engineer | Sophos Technical Support

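The behaviour the support engineer describes in the last reply (aliases on the WAN interface, DNAT for inbound, and outbound traffic leaving on the primary WAN address unless an SNAT rule selects an alias) is easy to get wrong when you first set it up, so here is a small stateful NAT model that walks through each case. This is an added example for this thread, not Sophos XG code or its API; the firewall, rule classes and all addresses (RFC 5737 test ranges standing in for the point-to-point IP, the routed block and the LAN) are constructed for illustration.

```python
"""
Toy stateful NAT model of a firewall whose single point-to-point WAN
address also carries additional public IPs as aliases.  Added example for
this thread, not Sophos XG code; all addresses are constructed (RFC 5737).
"""
from dataclasses import dataclass, astuple
from typing import Dict, List, Optional, Tuple

WAN_PRIMARY = "203.0.113.10"   # the point-to-point WAN IP (constructed)
# Aliases from the routed block would be e.g. 198.51.100.1, 198.51.100.2

Flow = Tuple[str, str, int, int]  # (src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class DnatRule:
    wan_ip: str       # alias (or primary) that accepts the inbound connection
    dport: int
    target: str       # internal host the traffic is forwarded to
    target_port: int


@dataclass(frozen=True)
class SnatRule:
    src: str          # internal host
    out_ip: str       # alias to present as the source address


def _rev(flow: Flow) -> Flow:
    s, d, sp, dp = flow
    return (d, s, dp, sp)


class Firewall:
    """Once a flow is translated, both directions keep that translation,
    the way a conntrack table does."""

    def __init__(self, dnat: List[DnatRule], snat: List[SnatRule]):
        self.dnat, self.snat = dnat, snat
        self.table: Dict[Tuple[str, Flow], Flow] = {}

    def _remember(self, lan: Flow, wan: Flow) -> None:
        # LAN-side view <-> WAN-side view, for both directions of the flow
        self.table[("out", lan)] = wan
        self.table[("out", _rev(lan))] = _rev(wan)
        self.table[("in", wan)] = lan
        self.table[("in", _rev(wan))] = _rev(lan)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the WAN; returns what reaches the LAN, or None."""
        flow = astuple(pkt)
        if ("in", flow) in self.table:            # reply or continuation
            return Packet(*self.table[("in", flow)])
        for rule in self.dnat:                    # new inbound connection
            if pkt.dst == rule.wan_ip and pkt.dport == rule.dport:
                lan = (pkt.src, rule.target, pkt.sport, rule.target_port)
                self._remember(lan, flow)
                return Packet(*lan)
        return None  # no DNAT rule for this address/port: dropped

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the LAN; returns what goes out on the WAN."""
        flow = astuple(pkt)
        if ("out", flow) in self.table:           # reply or continuation
            return Packet(*self.table[("out", flow)])
        # New LAN-originated connection: the default is the primary WAN IP;
        # only a matching SNAT rule makes it leave from one of the aliases.
        out_ip = WAN_PRIMARY
        for rule in self.snat:
            if pkt.src == rule.src:
                out_ip = rule.out_ip
                break
        wan = (out_ip, pkt.dst, pkt.sport, pkt.dport)
        self._remember(flow, wan)
        return Packet(*wan)


def demo() -> Dict[str, Optional[str]]:
    """Run the cases from the reply; returns the observed addresses per case."""
    fw = Firewall(dnat=[DnatRule("198.51.100.2", 443, "10.0.0.20", 443)],
                  snat=[SnatRule("10.0.0.20", "198.51.100.2")])
    # 1. Inbound HTTPS to an alias is DNATed to the internal host ...
    inb = fw.inbound(Packet("192.0.2.50", "198.51.100.2", 40000, 443))
    # ... and its reply leaves from the alias with no SNAT rule needed.
    reply = fw.outbound(Packet("10.0.0.20", "192.0.2.50", 443, 40000))
    # 2. Inbound to an alias with no DNAT rule is dropped.
    dropped = fw.inbound(Packet("192.0.2.50", "198.51.100.1", 40001, 22))
    # 3. A host with no SNAT rule goes out on the primary WAN IP.
    plain = fw.outbound(Packet("10.0.0.30", "192.0.2.60", 50000, 80))
    # 4. A host with an SNAT rule goes out on its alias.
    snatted = fw.outbound(Packet("10.0.0.20", "192.0.2.60", 50001, 80))
    return {"dnat_target": inb.dst if inb else None,
            "dnat_reply_src": reply.src,
            "no_rule_inbound": "dropped" if dropped is None else dropped.dst,
            "default_outbound_src": plain.src,
            "snat_outbound_src": snatted.src}
```

The point to check on the real box is case 3: a server that only has a DNAT rule will answer inbound connections from its alias, but anything it initiates itself (updates, outbound mail) will appear from the primary point-to-point address until an SNAT rule on the matching firewall rule pins it to the alias.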