

Sophos XGS with functioning IPsec tunnel but no internet access

I work for a small university with a main campus and a single annex building which is off-site.  I have configured an XGS 2100 with an IPsec tunnel between the locations, which is working great.  The problem is that I have no internet traffic from my LAN at the annex building where the XGS is located.

Config:

WAN: 23.25.185.x/29

LAN: 10.192.234.1/24

Connecting interface on switch: 10.192.234.2

Here's my route table:

All networks shown above which are assigned to SFC_LAN are in the IP Group "SFC Network Group".

Here is the rule I've created to allow internet traffic:

I know the WAN interface is working correctly based on the fact that my IPsec tunnel is working fine.

I don't have any rules above this one which deny traffic.

I don't have any rules which specifically permit traffic to the LAN zone (except the rules for the IPsec tunnel).

What on earth am I missing here?



  • Hello there,

    Thank you for contacting the Sophos Community.

    Do you have a NAT rule that matches the traffic from your LAN 10.192.234.1 going to the WAN zone?  Is the Default SNAT IPv4 NAT rule enabled, with MASQ selected under SNAT and the outbound interface using the correct port?

    If you have the correct SNAT rule, you might want to do a GUI Packet Capture to see if the traffic is actually hitting any rule and if so what rule. 

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    Thanks for the quick response!  Currently there are no SNAT rules enabled.

    To be honest, I'm not familiar with why I would need one.  I'm also unfamiliar with MASQ and what it does.

    This is the current state of my NAT rules:

  • Hello Josh,

    So the Firewall rules only allow traffic from X source to Y destination, nothing else.

    The NAT rules allow you to translate/change IP addresses between networks, like a mediator. Like you can tell from the Firewall, if you see a packet coming from Network A going to Network C, make it look (NAT) as if it’s coming from Network B. 

    Since the "internet" doesn't allow private addresses to be routed on the internet, you need to Source NAT (Masquerade) the traffic as it goes out of your LAN network.

    So you can enable the one that says Default SNAT IPv4, and that should cover your traffic going out of the WAN interface.

    I am leaving here this video, which should help you clarify things about the Firewall Rules and different NAT rules.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
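As an added illustration of the firewall-rule versus SNAT distinction described in the reply above (this is example code written for this edit, not code from the thread, from Sophos, or from SFOS), the small model below passes a LAN packet through a zone-based allow rule and then through an optional masquerade rule, and reports what the packet's source address looks like when it leaves the WAN interface. The LAN subnet is the one from the thread; the WAN address 23.25.185.2 is a placeholder for the masked value in the post, and the HTTPS destination 93.184.216.34 is a constructed public address. The pipeline is deliberately simplified (firewall decision, then SNAT) and does not reproduce the real SFOS packet-processing order.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed from the thread: the annex LAN is 10.192.234.0/24. The WAN /29 is
# partly masked in the post, so 23.25.185.2 is a placeholder, not the real address.
LAN_NET = ipaddress.ip_network("10.192.234.0/24")
WAN_IP = ipaddress.ip_address("23.25.185.2")  # placeholder outbound interface address


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class FirewallRule:
    """Zone-to-zone permit/deny; first match wins, as in a top-down rule table."""
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class SnatRule:
    """Source NAT: packets from src_net leaving towards out_zone get a new source."""
    src_net: ipaddress.IPv4Network
    out_zone: str
    masq: bool = True  # MASQ = use the outbound interface's own address as the new source


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Two-zone model: anything inside the annex subnet is LAN, everything else is WAN."""
    return "LAN" if ip in LAN_NET else "WAN"


def firewall_allows(pkt: Packet, rules: List[FirewallRule]) -> bool:
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule in rules:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            return rule.action == "allow"
    return False  # no matching rule: implicit drop


def apply_snat(pkt: Packet, rules: List[SnatRule]) -> Packet:
    for rule in rules:
        if pkt.src in rule.src_net and zone_of(pkt.dst) == rule.out_zone and rule.masq:
            return replace(pkt, src=WAN_IP)
    return pkt  # no SNAT rule matched: the packet keeps its private source address


def egress(pkt: Packet, fw_rules: List[FirewallRule],
           snat_rules: List[SnatRule]) -> Tuple[bool, Optional[Packet], bool]:
    """Simplified egress pipeline: firewall decision, then SNAT.

    Returns (permitted_by_firewall, packet_as_sent_on_wan, source_is_publicly_routable).
    The last flag models what happens upstream: an RFC 1918 source is not routable on
    the internet, so a permitted but untranslated packet never gets a reply back.
    """
    if not firewall_allows(pkt, fw_rules):
        return False, None, False
    out = apply_snat(pkt, snat_rules)
    return True, out, out.src.is_global


# The thread's setup: one allow rule LAN -> WAN; the default SNAT rule absent or enabled.
FW_RULES = [FirewallRule("LAN", "WAN", "allow")]
DEFAULT_SNAT = [SnatRule(LAN_NET, "WAN", masq=True)]
# Constructed sample: a LAN host browsing to a public HTTPS server (destination is made up).
SAMPLE = Packet(ipaddress.ip_address("10.192.234.50"),
                ipaddress.ip_address("93.184.216.34"), 443)


def compare() -> dict:
    """Run the same packet with and without the SNAT rule and summarise the difference."""
    without = egress(SAMPLE, FW_RULES, [])
    with_snat = egress(SAMPLE, FW_RULES, DEFAULT_SNAT)
    return {
        "without_snat": {"permitted": without[0], "src_on_wire": str(without[1].src),
                         "routable": without[2]},
        "with_snat": {"permitted": with_snat[0], "src_on_wire": str(with_snat[1].src),
                      "routable": with_snat[2]},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

Running it shows the symptom from the original question: with only the allow rule, the packet is permitted by the firewall but leaves with the 10.192.234.50 source and is not routable; with the masquerade rule it leaves as 23.25.185.2. The IPsec tunnel is unaffected either way because site-to-site traffic stays on private addresses inside the tunnel and never needs translation.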
  • Thanks for the explanation Emmanuel.  Following the video I created a new Linked NAT rule and will test the internet connectivity tonight. 

  • The suggested changes resolved my internet traffic problems, thanks for your help!