

Connecting RED's to XG when using BGP

Hello,


I am wondering if anyone has set up an XG using BGP and has REDs connected to it? Since there are no ACLs for the RED service ports, how can the XG accept REDs on a BGP IP address that is not on a WAN port? There is no gateway address either, so the XG does not have an interface in the BGP IP block. It only has point-to-point connections to each ISP using /30s.


This is a multi-hop BGP setup to 2 different ISPs, advertising a /22. Any info would be greatly appreciated.



  • Hi,

    Please provide the below information.

    1. RED device model number

    2. How is the RED device getting Internet? (To fetch the configuration file)

    3. Network diagram to understand the setup

    The RED device uses the ports below to communicate:

    RED hardware    Ports

    RED 10          TCP 3400 + UDP 3400

    RED 15          TCP 3400 + UDP 3410

    RED 50          TCP 3400 + UDP 3410

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • The RED devices are at different locations. Some use static IPs, some use DHCP.

    I don't really understand the need for a network diagram. It is a very simple setup: a Sophos XG multihomed to 2 ISPs using BGP.

  • Here is a Cisco doc that has a diagram. This is a very standard setup in enterprise networks.


    https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html

  • So you do not have a WAN Interface, only the eBGP Interface?

    Many services rely on the WAN Interface (Interface with Zone WAN). I know you are not able to configure the WAN Interface, because you are getting all routes from your ISP.

    There is no "quick and dirty" solution right now.

    As far as I know, you can basically build a Dummy Interface on your XG with zone WAN and use a business application rule (NAT) to route the traffic on Port 3400 and Port 3410 to this interface.

    BTW: RED should be open on all ports. Did you check with nmap whether you can connect to port 3410 on your ISP WAN IP?

  • Yes, that is correct. BGP doesn't use a WAN interface. I just have a point-to-point link to each provider's edge router.

    I will try the dummy interface and see what happens.

    All ports are open. The XG is just not listening on those IPs because they are not tied to an interface, just routed. I am guessing all of the services will suffer from this as well, like SSL VPN, VPN, etc.
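To turn the symptom described above (the XG answers only on interface-bound addresses, not on the routed block) into a repeatable check, here is an added diagnostic that is not part of the thread or of any Sophos tool. It uses the per-model RED port list posted earlier in the thread and probes only the TCP side, since a UDP probe cannot tell "listening" from "silently dropped"; the candidate addresses are constructed placeholders, and the probe function is injectable so the logic can be tested without a network.

```python
import socket
from typing import Callable, Dict, List

# Ports per RED model, copied from the port list posted in this thread.
RED_PORTS: Dict[str, Dict[str, List[int]]] = {
    "RED 10": {"tcp": [3400], "udp": [3400]},
    "RED 15": {"tcp": [3400], "udp": [3410]},
    "RED 50": {"tcp": [3400], "udp": [3410]},
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes to host:port (a real listener answers)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_red_listeners(model: str, candidates: List[str],
                        probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, Dict[int, bool]]:
    """For each address a RED could be pointed at, record which of the model's
    TCP ports accept a connection. `probe` is swappable for offline testing."""
    tcp_ports = RED_PORTS[model]["tcp"]
    return {ip: {port: probe(ip, port) for port in tcp_ports} for ip in candidates}


def usable_targets(results: Dict[str, Dict[int, bool]]) -> List[str]:
    """Addresses on which every required TCP port answered."""
    return [ip for ip, ports in results.items() if all(ports.values())]


if __name__ == "__main__":
    # Constructed placeholders: one address from the firm's own advertised block
    # and the two carrier point-to-point /30 addresses (documentation ranges).
    candidates = ["203.0.113.10", "198.51.100.1", "192.0.2.1"]
    results = check_red_listeners("RED 15", candidates)
    for ip, ports in results.items():
        print(ip, {p: ("open" if ok else "no answer") for p, ok in ports.items()})
    print("RED can be pointed at:", usable_targets(results))
```

If only the carrier PTP addresses show "open", the firewall is accepting RED traffic solely on interface-bound IPs, which is exactly the situation the dummy-interface/NAT suggestion above is meant to work around.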

  • Only IPsec and WAF are a use-case issue in this setup.

    IPsec can only use a WAN Interface as SA.

    So you cannot build up a Site to Site in this setup.

    RED should be open on all Ports (Port 3400 and 3410).

    SSLVPN can be activated on its own Zone (so no binding to WAN).

    With V18, you can actually DNAT/NAT this traffic to another Port to get this up and running again.

  • There is no zone. The interface is a point-to-point link. Our block of IPs is NOT on any interface.

    DNAT does not work for SSLVPN. I have not tested the RED service yet.

  • You must have an Interface in any case. How should this work otherwise?

    eBGP relies on having some kind of Interface with some kind of IP.

    It's most likely a DMZ Zone interface or a self-created Zone.

    Or which IP do you set up on your Interface? A point-to-point link to the ISP is still a valid IP on your Interface. So you can actually use this IP in your SSLVPN configuration as the override hostname, and you can still use the Zone of this Interface to set up SSLVPN.

  • Yes, there is a DMZ zone for the PTP link, and each interface has an IP assigned by THAT carrier.

    The whole point of BGP is carrier redundancy. Why would I want to use a carrier's IP for SSLVPN? The whole point is to use OUR IP block for all services. If I use carrier A's PTP IP and they go down, our users can't connect. That is not a viable solution.

    It sounds to me like XG does not handle BGP properly like other vendors' routers and firewalls do.

  • Then use a DNS Record for SSLVPN.

    Do not forget, SSLVPN is a point-to-point connection.

    The Client needs an IP to connect to.

    You could actually give the SSLVPN client a DNS record.

    Do you have something in place to get DNS redundancy?

    Redundancy is also used by Services, and most likely it's done via DNS.

    Having said that, I do not care which IPs Google uses; I simply connect to google.com.

    So if they fail over to another IP, or use other IPs, I simply don't care. I do not notice.

    And you could use DNS for all cases, like SSLVPN, like RED, etc.

    And you are not using the Carrier IP, you are using your IP, which you get from the carrier.