

Route problem on XGS116 firewall

Hello,

I'm stuck on a LAN routing problem.

We changed our UTM firewall to XGS116, I recreated the rules and configuration on the new firewall, but I have a problem with the incoming traffic to the internal network.

We have several offices that are interconnected by MPLS.

From the other offices I can no longer reach the head office network, but I can reach the subnet

Here is a diagram and the static routes.

Can you please help me ^^



  • Can you show us the routing table of the switch with 192.168.0.254?

    Where is 192.168.61.0 /24 in your diagram?

    The route entry to 192.168.0.0 /24 is superfluous and not needed, because your firewall is directly connected to this network.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Could you please explain a bit better. Is the Head Office Network behind the Sophos? (I'm assuming that the red arrows indicate you can't get there, but I also assume that "there" is to the right of the Sophos.) Or are you saying you can't ssh to the Sophos itself, which would not be a routing issue.

    I'm assuming that 192.168.0.3 (Port "Internal") is the Gateway for your Sophos? (By IP address, the switch appears to be your peer, but you draw a line from the Switch to the Sophos rather than from the Router to the Sophos, so I'm confused.)

  • Hi David Chour

    This seems to be asymmetric routing; can you try the steps below:

    console>show advanced-firewall

    console>set advanced-firewall bypass-stateful-firewall-config add source_network [source network IP] source_netmask [source subnet mask] dest_network [destination network IP] dest_netmask [destination subnet mask]

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
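The following is an added example, not code from the thread or from Sophos: a toy stateful firewall in Python that reproduces the failure Bharat is describing and what the `bypass-stateful-firewall-config` entry changes. The topology is an assumption consistent with the thread (MPLS router and XGS on the same 192.168.0.0/24 segment, LAN hosts using the firewall as default gateway); the host addresses 192.168.61.10 and 192.168.0.50 are made up for the demonstration, and the bypass is modelled as bidirectional, which is also an assumption.

```python
"""Why asymmetric routing breaks a stateful firewall, and what the Sophos
'bypass-stateful-firewall-config' exception changes.

Added example, not from the original thread. Topology (assumed):
  branch host --MPLS--> MPLS router --switch--> head office host
  head office host --default gw--> firewall --static route--> MPLS router
Inbound packets never cross the firewall; only the replies do.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK"


@dataclass
class StatefulFirewall:
    """Minimal connection tracker: a flow must start with a SYN that the
    firewall actually sees; every later packet must match an existing entry
    in either direction. Subnet pairs in `bypass` skip tracking entirely."""
    conntrack: set = field(default_factory=set)
    bypass: list = field(default_factory=list)  # [(net_a, net_b)]
    log: list = field(default_factory=list)

    def add_bypass(self, src_net: str, dst_net: str) -> None:
        # Models: set advanced-firewall bypass-stateful-firewall-config add ...
        # Treated as bidirectional here (assumption of this toy model).
        self.bypass.append((ipaddress.ip_network(src_net),
                            ipaddress.ip_network(dst_net)))

    def _bypassed(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any((s in a and d in b) or (s in b and d in a)
                   for a, b in self.bypass)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if self._bypassed(pkt):
            # No state is created or checked: inspection is off for this pair.
            self.log.append(f"BYPASS {pkt.flags} {pkt.src}->{pkt.dst}")
            return True
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            self.conntrack.add(key)
            self.log.append(f"NEW {pkt.src}->{pkt.dst}")
            return True
        if key in self.conntrack or rev in self.conntrack:
            self.log.append(f"ESTABLISHED {pkt.flags} {pkt.src}->{pkt.dst}")
            return True
        # Reply half of a flow whose SYN never crossed the firewall: invalid.
        self.log.append(f"DROP invalid {pkt.flags} {pkt.src}->{pkt.dst}")
        return False


REMOTE_HOST = "192.168.61.10"  # branch office host behind MPLS (assumed)
HEAD_HOST = "192.168.0.50"     # head office LAN host (assumed)


def branch_to_head_office(fw: StatefulFirewall, symmetric: bool) -> bool:
    """Simulate a TCP handshake from the branch to the head office.

    symmetric=False: MPLS router hangs off the LAN switch, so SYN and ACK
    reach the host directly; only the host's SYN-ACK (sent to its default
    gateway) passes through the firewall.
    symmetric=True: MPLS router sits behind the firewall, so all three
    packets cross it.
    Returns True if every packet that touched the firewall was forwarded.
    """
    syn = Packet(REMOTE_HOST, HEAD_HOST, 40000, 22, "SYN")
    synack = Packet(HEAD_HOST, REMOTE_HOST, 22, 40000, "SYN-ACK")
    ack = Packet(REMOTE_HOST, HEAD_HOST, 40000, 22, "ACK")
    ok = True
    if symmetric:
        ok &= fw.forward(syn)
    ok &= fw.forward(synack)
    if symmetric:
        ok &= fw.forward(ack)
    return ok


if __name__ == "__main__":
    for label, fw, sym in (
        ("asymmetric, no bypass", StatefulFirewall(), False),
        ("asymmetric, with bypass", StatefulFirewall(), False),
        ("MPLS router behind firewall", StatefulFirewall(), True),
    ):
        if "with bypass" in label:
            fw.add_bypass("192.168.61.0/24", "192.168.0.0/24")
        print(f"{label}: handshake ok = {branch_to_head_office(fw, sym)}")
        for line in fw.log:
            print("   ", line)
```

The model shows the trade-off behind the two answers in this thread: the bypass entry makes the reply traffic pass, but it does so by switching off connection tracking for that subnet pair, so the firewall no longer validates TCP state for anything between those networks. Putting the MPLS router behind the XGS (the design change suggested earlier in the thread) makes the path symmetric, so the firewall sees the SYN and can keep stateful inspection on.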

  • Hello Bharat,

    I would prefer to "optimize" David's network design instead of configuring a workaround on the XGS.

    And I don't like the often heard argument "it worked before with the SG ..."

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello everyone, thank you for your answers.
    Bharat J helped me and the command solved my problem.
    set advanced-firewall bypass-stateful-firewall-config add source_network [source network IP] source_netmask [source subnet mask] dest_network [destination network IP] dest_netmask [destination subnet mask]

  • +1. The diagram shows an odd physical configuration that you can work around with the CLI but if there isn't a specific reason (or an error in the diagram) for this, they will eventually have other problems or inefficiencies.

  • Hello jprusch,

    The workaround proposed by Bharat J works but I would not like to keep this solution for a long time.

    As requested here is the routing table on the switch 192.168.0.254

    Otherwise, do you think it would be better if the MPLS router were connected directly to the firewall?