WAN IP turns LAN after reconfiguration

Hi wilspin ,

Thanks for reaching out to Sophos Community.

To confirm, only one user is having the issue of being unable to connect to the new WAN IP because he is still connecting the the old WAN IP? 

Have you tried redownloading and reinstalling Sophos Connect client to the said end machine? and what is the result? 

Regards,

No not correct. His local area IP range is same as old WAN IP. which some how shows up in tracerts when it is no longer configured in environment.. Using windows clients not Sophos connect..EG;

Here is tracert from my laptop to PM3

Tracing route to csi-pm3.shunt2011.local [10.10.10.19]

over a maximum of 30 hops:

  1    49 ms    63 ms    45 ms  192.168.1.2

  2    64 ms    57 ms    38 ms  csi-pm3.shunt2011.local [10.10.10.19]

XG115_XN03_SFOS 17.5.12 MR-12.HF062020.1# route -n                              
Kernel IP routing table                                                         
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br0     
10.247.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0    
10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP 
72.xx.xx.xx   0.0.0.0         255.255.255.252 U     0      0        0 Port2   

Hello,

Thanks for this details. What is the IP address and network of this machine? - Have you tried configuring static IP entry (IP address, Default Gateway) for the said Windows machine? Also, what is the default gateway being shown on the Windows machine when you type route print on CMD. 

I also notice you are running an outdated SFOS, I would be recommending you to update to latest:

Moving to different firmware version: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareMoveToDifferentVersion/index.html

Suggestions before updating frimware: https://support.sophos.com/support/s/article/KB-000039405?language=en_US

 Sophos Firewall: Best practice for Sophos Firewall firmware upgrade 

Regards,

ip address is 172.16.1.20 gw 172.16.1.1, be aware traffic after GW passes thru DMZ zone where range is 192.168.1.x sane as appliance rouge range. one of those must be changed to solve issue. As its popular router address best to eliminate rouge entry in FW appliance but cant find it.

no static tried.

Yes upgrade is considered but real question to answer before that-why is 192.168.1.2 showing up as appliance IP when not in routing table. must be rouge entry some where.

Hello,

What IP does the Sophos Firewall have in the DMZ?

Do you have a diagram of your network and how it connects to the client. 

Regards,

no DMZ 

Hello, 

"be aware traffic after GW passes thru DMZ zone where range is 192.168.1" so what are you referring to here?

Regards,

what? How can that be? Public IP is on the WAN port. how is that DMZ configured and how to view it?

Hello wilspin 

What Emmanuel is referring to is regarding your statement above and confirming what does it mean and what do you refer to out of it.

wilspin said:

be aware traffic after GW passes thru DMZ zone where range is 192.168.1.x

Further, kindy share a network diagram and traffic flow of the network and of policy and network/interfaces configuration of your Sophos Firewall. 

Thank you

That was answer to his question about windows machine  that is vpn client.

Diagram, not handy. Does the routing table not spell it out?

10.x.x.x LAN

10.247.x.x VPN host

10.255Guestap not used.

72.x.x.x WAN

Flow= LAN to WAN

Policy/configuration? I will point out if Client machine is placed alternate ISP it works  The question is why 192.168.1.x)that is not configured anywhere showing up in tracert.? And how can I remove it. I checked three other installations and the first hop on all three was WAN IP address. I would like this one to be the same.  I have not used IP range 192.168.1.x anywhere on the installation but there it is in tracert.

Lets stay focused on that. You said it has a DMZ configured with that range. I ask where? not in routing table.

That was answer to his question about windows machine  that is vpn client.

Diagram, not handy. Does the routing table not spell it out?

10.x.x.x LAN

10.247.x.x VPN host

10.255Guestap not used.

72.x.x.x WAN

Flow= LAN to WAN

Policy/configuration? I will point out if Client machine is placed alternate ISP it works  The question is why 192.168.1.x)that is not configured anywhere showing up in tracert.? And how can I remove it. I checked three other installations and the first hop on all three was WAN IP address. I would like this one to be the same.  I have not used IP range 192.168.1.x anywhere on the installation but there it is in tracert.

Lets stay focused on that. You said it has a DMZ configured with that range. I ask where? not in routing table.

Hello,

To clarify, you are the one who mentioned the traffic goes through a DMZ.


If you can't provide a sketch of the network, I recommend you call Support so they can see your environment live and troubleshoot with you. 

My only guess is that the SSL VPN range is part of the 192.168.1.x, you can check this  Configure > Remote Access VPN > SSL VPN > SSL VPN Global settings

Regards,

yes that is at the client side in response to question about it. This has all become moot as the issue has gone away and its working without changing any thing. 

I am unable to locate SSL VPN Global settings. I did look thru that area did not find any setting with that range.