Allow Access to internal through Sophos XG

Hi everyone,

Below is a rough sketch of my network. VLANs have been set up by the ISP on their side. VLAN1 is for data, which means PCs on the left should communicate with those on the right and vice versa.

From the right I can only ping up to the Sophos, which is 10.10.1.1 (via static routes). Beyond that, I cannot ping. I hope to get the left side to get DHCP IP addresses from the left side.

Please help.



  • Hello Jonathan,

    Thank you for contacting the Sophos Community!

    Please check this KB to give you an idea.

    Is the XG or the Cisco device handling the DHCP?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    I have read the article and it is the reverse of what I want to do.

    In my scenario, the Sophos is the DHCP server that needs to give IP addresses outside the network.

    From the outside network, I can only ping up to Sophos, which is 10.10.1.1. I cannot ping beyond that.
    Is there a firewall rule I have to create?

    Regards,

  • Hello Jonathan,

    Thank you for following up!

    Most likely you need to check from which zone the traffic from the Cisco device is coming into your network. You would need to create WAN to LAN or LAN to LAN or DMZ to LAN, depending on the zone of the traffic coming from the Cisco.

    You could do a packet capture on the XG to find the reason why the ping is not arriving at 10.10.1.1 by following this KB.

    As for the DHCP not working, are you even seeing the requests coming to the XG? If you do a tcpdump or packet capture on the XG on ports 67 & 68, do you see these requests arriving?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    Thanks for responding. I have attached the packet capture. I don't know what it means, but I filtered the display to show ICMP.

    I think since the sites are connected through VLANs, it should be LAN to LAN. But I have tried all possible combinations of these with no success. Please help.

  • I have tried the tcpdump; I am not receiving any DHCP requests. It could be that the required traffic is not going past my Sophos gateway.

  • Hello Jonathan,

    If you don't see the DHCP requests arriving at the XG, then you would need to check with your ISP.

    As per the screenshot, from which IP address did you ping? I see 192.168.124.1, but is this the ISP gateway?

    If you could take a screenshot of your interfaces, that might help!

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Yes, 192.168.124.1 is the ISP gateway within the VLAN they created on their side, so this VLAN has 3 points in this scenario.

    124.2 is HQ on the Sophos, whose gateway is 124.1.

    124.6 is the branch office on the Cisco router, whose gateway is 124.5.

    Below is the requested screenshot of the interfaces. I hope this helps.

  • Hi,

    Take a look at this packet capture. I think it means something. I have tried to play with the Local_ACL but can't seem to get it right.

    I think this can help.

  • All right,

    I think we are getting somewhere.

    Remember, the first issue was I couldn't ping internal resources behind the Sophos XG? Well, the solution was this:

    Under Hosts and Services, I created two hosts: 1) The_Last_Network (a.k.a. the branch office network 192.168.8.0) and 2) Our_Network (a.k.a. HQ 10.10.1.0).

    Then I created a firewall rule, basically:

    Source: LAN, The_Last_Network

    Destination: LAN, Our_Network, Any Services

    And voilà, I could ping internal resources.

    Problem 2 was to get DHCP to work.

    So under Administration -> Device Access -> Local service ACL exception rule -> Add:

    Source zone: LAN

    Source Network/Host: TheLast_Network

    Destination Host: HQ (10.10.1.1)

    Services: All of them

    After this I no longer get issues in the packet capture concerning ports 67 and 68, which is good, except my user PC is not receiving an IP address.
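An added example, not from this thread or from Sophos: a small Python triage of the tcpdump output on ports 67 and 68 that was suggested earlier. It reads tcpdump-style lines (a constructed sample is embedded) and reports whether DHCP requests reach the XG at all, and whether the XG answers them, which separates an upstream VLAN problem from a problem on the XG itself. The capture lines and addresses are made up for illustration; the server address is passed in as an assumption.

```python
import re

# Constructed sample in the shape that "tcpdump -n port 67 or port 68" prints.
# Not a real capture from the thread; addresses and MACs are made up.
SAMPLE_CAPTURE = """\
10:15:01.100200 IP 192.168.8.25.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
10:15:01.100900 IP 10.10.1.1.67 > 192.168.8.25.68: BOOTP/DHCP, Reply, length 300
10:15:03.400100 IP 192.168.8.26.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:02, length 300
"""

# src.port > dst.port: BOOTP/DHCP, Request|Reply
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): BOOTP/DHCP, (?P<kind>Request|Reply)"
)


def parse_dhcp_lines(text):
    """Return (src, dst, kind) for every DHCP line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and {m["sport"], m["dport"]} & {"67", "68"}:
            events.append((m["src"], m["dst"], m["kind"]))
    return events


def triage(text, server_ip):
    """Classify where the DHCP exchange stops, as seen from the XG.

    With a relay on the branch router the request source would be the
    relay's address rather than the client's; the logic is the same.
    """
    events = parse_dhcp_lines(text)
    requests = [e for e in events if e[2] == "Request"]
    replies = [e for e in events if e[2] == "Reply" and e[0] == server_ip]
    if not requests:
        verdict = "no_requests"          # nothing reaches the XG: look upstream (ISP VLAN path)
    elif not replies:
        verdict = "requests_no_replies"  # XG sees them but never answers: scope / device access
    else:
        verdict = "exchange_seen"
    # Clients (or relays) whose request got no reply from the server
    unanswered = sorted({r[0] for r in requests} - {p[1] for p in replies})
    return {"requests": len(requests), "replies": len(replies),
            "unanswered": unanswered, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE, "10.10.1.1"))
```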

  • Hello Jonathan,

    Thank you for the screenshot!

    Yes, it means the XG was missing a rule to allow this traffic!

    As for the issue with the DHCP, I don't think what you did is necessary, but what are you seeing now when you do a tcpdump?

    Do you see the requests arriving at the XG?

    Also, I don't understand the setup very well: you have a bridge with 10.10.1.1/24, but Port2 also has 10.10.1.10/8.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply Children