
Routing Question, how to avoid "could not associate packet to any connection"

Ok this is tricky to describe:

Sophos XG firewall at 192.168.1.251 - Has static route to 192.168.3.X network via 192.168.1.253 router

Server A at 192.168.1.17 - Has default route of 192.168.1.251, Has no static routes defined

Sophos UTM firewall at 192.168.1.252 - Has static route to 192.168.3.X networks via 192.168.1.253

Cisco Router at 192.168.1.253 and 192.168.3.253 - Has the 192.168.3.X network as a VLAN, has 192.168.1.252 as default router, has routing enabled to route between subnets

Workstation A at 192.168.3.65 and default gateway of 192.168.3.253

Situation is that Server A can initiate contact with Workstation A, but Workstation A cannot initiate contact with Server A

When I review the XG log it shows that traffic from 192.168.1.17 to 192.168.3.65 is being blocked as invalid traffic with the message "could not Associate Packet to any connection". From what I can tell this is because Server A is sending the traffic back through the XG firewall and the XG firewall is not seeing the workstation's initial packet, as it's coming directly from the router at 192.168.1.253.

I know I can "fix" this by adding a static route to Server A ("route add 192.168.3.0 MASK 255.255.255.0 192.168.1.253"), but that is kind of messy and I would rather handle it with the routers.

You might wonder why I have this config and it's because we are transitioning from the UTM firewall to the XG and some servers are connecting to the Internet via the XG firewall and some still via the UTM firewall. 

Any way to make this work other than adding the static routes to the servers?  Maybe some way to tell the XG to quit acting like a stateful router for the traffic between those subnets?



  • Hi, thanks for sharing the information with us here. Based on the provided information it seems there is an "asymmetric routing design", and because of that this situation is getting observed here. Ideally one should avoid an "asymmetric routing design", but if you require it due to some specific reasons then in such cases on the XG CLI you may add an "advanced firewall bypass stateful inspection firewall rule" in the CLI console.

    Sophos Firewall/Sophos UTM: Identify an asymmetric routing design condition
    https://support.sophos.com/support/s/article/KB-000038267?language=en_US

    For command reference, you may refer to the KBA below, where you can replace the source and destination IP as per your setup and need. This rule can be added for a host as well, though the KBA below has an example with a network-based command.

    Sophos Firewall: Bypass stateful inspection
    support.sophos.com/.../KB-000044309

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

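To make the asymmetry concrete, here is an added Python model of the topology described in the question (constructed for this thread; it is not code from Sophos or from either poster). It computes the path each direction takes by longest-prefix match and lists the stateful firewalls that see reply packets without having seen the initial packet, which is exactly where the "could not associate packet to any connection" drop happens. The last function applies the poster's static-route workaround to show that the return path then no longer crosses the XG. Device names and the modelled routing tables are assumptions derived from the question.

```python
import ipaddress

# Constructed model of the question's topology: per-device routing table as
# prefix -> next hop, where None means the prefix is directly connected.
ROUTES = {
    "ServerA":      {"192.168.1.0/24": None, "0.0.0.0/0": "192.168.1.251"},
    "XG":           {"192.168.1.0/24": None, "192.168.3.0/24": "192.168.1.253"},
    "UTM":          {"192.168.1.0/24": None, "192.168.3.0/24": "192.168.1.253"},
    "CiscoRouter":  {"192.168.1.0/24": None, "192.168.3.0/24": None,
                     "0.0.0.0/0": "192.168.1.252"},
    "WorkstationA": {"192.168.3.0/24": None, "0.0.0.0/0": "192.168.3.253"},
}
ADDRS = {"192.168.1.17": "ServerA", "192.168.1.251": "XG", "192.168.1.252": "UTM",
         "192.168.1.253": "CiscoRouter", "192.168.3.253": "CiscoRouter",
         "192.168.3.65": "WorkstationA"}
STATEFUL = {"XG", "UTM"}  # devices that track connections and drop unmatched replies

def next_hop(device, dst):
    """Longest-prefix match of dst in the device's table; None = directly connected."""
    best = None
    for prefix, hop in ROUTES[device].items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def path(src, dst):
    """Devices a packet from src to dst traverses, starting at the source host."""
    hops = [ADDRS[src]]
    for _ in range(16):  # guard against routing loops in the model
        hop = next_hop(hops[-1], dst)
        if hop is None:  # directly connected: the destination host is next
            if hops[-1] != ADDRS[dst]:
                hops.append(ADDRS[dst])
            return hops
        hops.append(ADDRS[hop])
    raise RuntimeError("routing loop in model")

def unseen_stateful_hops(initiator, responder):
    """Stateful firewalls on the reply path that never saw the initial packet;
    these are the devices that log 'could not associate packet to any connection'."""
    forward = set(path(initiator, responder))
    return [d for d in path(responder, initiator) if d in STATEFUL and d not in forward]

def server_a_static_route_workaround():
    """The poster's workaround: Server A gets its own route to 192.168.3.0/24 via
    the Cisco router, so replies to Workstation A no longer pass through the XG."""
    ROUTES["ServerA"]["192.168.3.0/24"] = "192.168.1.253"
    return unseen_stateful_hops("192.168.3.65", "192.168.1.17")
```

Running `unseen_stateful_hops("192.168.3.65", "192.168.1.17")` on the unmodified model returns `["XG"]`, matching the log entry in the question, while the reverse direction returns an empty list, matching the observation that Server A can initiate connections.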

  • This sounds like my situation (asymmetric routing) and what I am looking for as far as a "solution".  Will these rules that bypass the stateful inspection show up in the GUI?  If they are only visible in the CLI then I would be worried they would never get "cleaned up" after I did not need them anymore.   Regardless I will give it a try. 

