Hi out there,
I am stuck with a small problem, maybe someone has an idea for me. I would really appreciate that :-)
The following scenario: We recently exchanged a Sophos UTM for an XG Firewall.
Our customer has a second gateway in his local network [192.168.178.8] through which he has to reach a specific web service.
So far so good. With the UTM it also worked without any problems, with the XG it does not.
I know, with the second gateway in my local network I get an asymmetric routing condition. For my internal network I was able to fix this with a bypass-stateful-firewall command, which works. So Internal is not the problem.
The real problem is that the customer has to reach that web service, which has to go over the second gateway, via VPN as well. We are using a Sophos Connect IPsec connection (before, the customer had the normal SSL VPN client connection). I am able to reach the local network without problems, also the second gateway. By my reasoning, it would have to be an asymmetric route here as well. I tried to get it to work with the bypass-stateful-firewall command (just with the VPN subnet), but I can't get it to work over VPN. So if anyone has an idea on that, help would be very welcome. Thanks ahead :)
Hi Joshua Antl
Please refer to the link below to connect to the network behind Sophos XG over SSL VPN:
If the configuration is fine and you are still not able to reach the destination network, please check the packet capture.
Please go to MONITOR & ANALYZE --> Diagnostics --> Packet Capture, click on Configure and add host <destination IP>, start the packet capture and access the server.
Share the packet capture you took from the GUI.
From the CLI, check tcpdump as well as the dropped packets:
console> tcpdump 'host <destination IP>'
console> drop-packet-capture 'host <destination IP>'
We might require more information about your network topology to meet your business needs.
Thanks and Regards
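A way to read the two captures suggested above, as an added example that is not part of the thread or of any Sophos tool: the script groups tcpdump-style lines into TCP connections and, for each one, reports whether the request was forwarded, whether a reply ever came back through the firewall, and whether the reply entered on the same interface the request left on. The line format (`<iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: Flags [...]`), the interface names (ipsec0, Port1, Port2) and all sample lines are assumptions constructed for the example; the addresses are the ones used in the thread. A flow marked `no-reply` is the classic asymmetric case (the second gateway answered the client directly), `asymmetric` means the return path exists but enters on an unexpected interface, and `request-not-forwarded` means the firewall itself dropped the request.

```python
"""Flag one-way and asymmetric TCP flows in tcpdump-style capture output.

Added example, not from the forum thread. Assumed line format:
    <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
Interface names and all sample lines below are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(lines):
    """Group packets by connection.

    The first packet seen for a connection fixes the client (forward) side.
    Each flow maps (leg, direction) -> set of interfaces, where leg is
    "fwd" (client -> server) or "rev" (server -> client).
    """
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ARP, ICMP, truncated lines: not a TCP flow we can classify
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        if (a, b) in flows:
            key, leg = (a, b), "fwd"
        elif (b, a) in flows:
            key, leg = (b, a), "rev"
        else:
            key, leg = (a, b), "fwd"
            flows[key] = defaultdict(set)
        flows[key][(leg, m["dir"])].add(m["iface"])
    return flows


def diagnose(legs):
    """Classify one flow from the interfaces its legs were seen on."""
    fwd_out = legs[("fwd", "OUT")]
    rev_in = legs[("rev", "IN")]
    rev_out = legs[("rev", "OUT")]
    if not fwd_out:
        return "request-not-forwarded"  # arrived, never left: dropped by the firewall
    if not rev_in and not rev_out:
        return "no-reply"  # reply bypassed the firewall (or the server never answered)
    if rev_in - fwd_out:
        return "asymmetric"  # reply entered on an interface the request did not leave on
    return "symmetric"


def diagnose_capture(lines):
    """Return {"client:port -> server:port": verdict} for every TCP flow."""
    return {
        f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}": diagnose(legs)
        for (c, s), legs in parse_capture(lines).items()
    }


# Constructed sample capture (not real appliance output).
SAMPLE_LINES = [
    # 1. VPN client; the reply comes back the way the request left: healthy
    "ipsec0, IN: IP 10.10.10.5.50123 > 188.8.131.52.443: Flags [S], seq 100, win 64240",
    "Port1, OUT: IP 10.10.10.5.50123 > 188.8.131.52.443: Flags [S], seq 100, win 64240",
    "Port1, IN: IP 188.8.131.52.443 > 10.10.10.5.50123: Flags [S.], seq 500, ack 101",
    "ipsec0, OUT: IP 188.8.131.52.443 > 10.10.10.5.50123: Flags [S.], seq 500, ack 101",
    # 2. LAN client hairpinned out the same interface; the second gateway answered
    #    the client directly, so only the client's bare ACK passes the firewall again
    "Port1, IN: IP 192.168.178.50.40001 > 188.8.131.52.443: Flags [S], seq 200, win 64240",
    "Port1, OUT: IP 192.168.178.50.40001 > 188.8.131.52.443: Flags [S], seq 200, win 64240",
    "Port1, IN: IP 192.168.178.50.40001 > 188.8.131.52.443: Flags [.], ack 601",
    # 3. VPN client, but the reply enters on a different interface than the request left
    "ipsec0, IN: IP 10.10.10.6.50200 > 188.8.131.52.443: Flags [S], seq 300, win 64240",
    "Port1, OUT: IP 10.10.10.6.50200 > 188.8.131.52.443: Flags [S], seq 300, win 64240",
    "Port2, IN: IP 188.8.131.52.443 > 10.10.10.6.50200: Flags [S.], seq 700, ack 301",
    # 4. Request arrives on the tunnel and is never forwarded (firewall drop)
    "ipsec0, IN: IP 10.10.10.7.50300 > 188.8.131.52.443: Flags [S], seq 400, win 64240",
]

if __name__ == "__main__":
    for flow, verdict in diagnose_capture(SAMPLE_LINES).items():
        print(f"{flow}: {verdict}")
```

Paste the output of the GUI or `tcpdump` capture into `SAMPLE_LINES` (or read it from a file) once the direction/interface prefix of your appliance's output is known; the regex is the only part that has to match the real format. Cross-check the `request-not-forwarded` flows against `drop-packet-capture`, which names the rule that dropped them.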
Have you inserted the second VPN subnet behind 192.168.178.8 into the allowed networks of the IPsec client VPN connection? Also keep in mind the back route from 192.168.178.8 to the IPsec VPN network on the XG.
Hi, thanks for replying. I do see the packets arriving at the XG. But the packets are being dropped with Firewall and NAT Rule #0.
I tried to do a network diagram real quick. Probably not the best one, but maybe that helps.
The Sophos XG has a static route for destination network 188.8.131.52/24 with gateway 192.168.178.8, which works for my internal network.
Sophos Connect is configured as default gateway.
Have you set up a route on router 192.168.178.8 so that 10.10.10.0/24 is reachable over 192.168.178.1?
Does 184.108.40.206/24 have a route on its standard gateway for the corresponding networks?
No, unfortunately we can't access that device, so I don't know for sure. But it worked with the Sophos UTM before, so I guess that part shouldn't be the problem.
Can you show a screenshot of the IPsec client configuration?
And just to be sure, on your Sophos UTM the client network was also 10.10.10.0/24?
Hi Joshua Antl
Please share the output of the command below from the CLI:
console> show advanced-firewall