
Routing all traffic from an external network into the internal network

Hi,

We have an issue that I need to resolve and I am unsure of how to get this to work.

Scenario:

2 schools need to connect their networks via a backbone provided by Virgin. The backbone provided has a Cisco firewall at each end. School 1 has an IP range of 10.137.x.x and School 2 has an IP range of 10.136.x.x. If I connect directly to the Cisco firewall everything works fine.

The issue however is that School 1's internal network range is 192.168.x.x. This means that all traffic that comes from School 2 needs to be routed through to School 1's IP range of 10.137.x.x and then routed again to the actual internal range of 192.168.x.x.

Everything should be able to access everything across the 2 schools.

This I do not know how to do.

Steps I have taken:

I have connected School 1's Sophos XG 135 directly to the Cisco firewall. I have configured a WAN network (named interconnect) and assigned it an IP of 10.137.x.x with the gateway of the Cisco router. I have then created an SD-WAN route for all internal traffic that is trying to reach the IP range of 10.136.x.x (school 2) to divert all traffic through WAN network interconnect.

I can ping a device from 192.168.x.x (school 1) to 10.136.x.x (school 2)

I cannot connect from school 1 to school 2 with any other method

I cannot ping from 10.137.x.x (school 1 WAN) to 192.168.x.x (school 1 private)

I can ping and have full access between 10.137.x.x (school 1) and 10.136.x.x (school 2)

Help:

How do I get the schools to connect seamlessly from School 1 to School 2 and vice versa?

  • Hello Warren,

    Thanks for reaching out to Sophos Community.

    Could you share a network diagram for this setup? And kindly share your routing configuration on your Firewall and Cisco Router?

    Also, does School2 have a Sophos Firewall behind the Cisco router? And does the Cisco Router do NAT?

    Looking forward to your response. Have a nice day and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    I have managed to get outbound working now. I've managed to hit school2 via smb and receive a login prompt. The provider has also sent me a pcap showing a successful connection. The issue was NAT.

    School2 does not have any firewall apart from the Cisco firewall which manages the 10.136.x.x range. Is there any way at all of getting them to initiate traffic to our internal 192.168.x.x range without natting every single IP?

    Thanks,

    Warren

  • A simpler overview is we have two networks. These two networks need to communicate with each other with any traffic.

    Traffic flow would be 192.168.X.X (My subnet) -> 10.137.212.2 (WAN gateway on XG) -> 10.136.X.X (Their network)

    I have got this working. I have not got working the below.

    10.137.X.X (WAN Subnet) -> 192.168.X.X (My subnet)

    If I get the above working, the full return path below will work.

    10.136.X.X (Their network) -> 10.137.212.2 (WAN gateway on XG) -> 192.168.X.X (My subnet)

  • Hello Warren, 

    Thanks for taking the time to update. To confirm, what doesn't work is when School2 tries to connect to end machines on School1? If yes, could you share a traceroute result from a School2 end machine going to an end machine at School1? Would it be possible for you to provide a network diagram for this? 

    Further, do the Cisco Routers/Firewalls at both Schools do NATing? Would you also be able to share with us NAT and route configurations from your Sophos Firewall and Cisco Routers?

    Thanks,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi, from the Cisco at school 2 (10.136.x.x) there should be a route for the 192.168.x.x subnet routing to 10.137.212.2.

    Also on the 10.137.x.x network, if you need to connect from that to 192.168.x.x you will also need a route on the Cisco for 10.137.x.x for 192.168.x.x via 10.137.212.2.

    And in the Sophos firewall you need to allow traffic coming from the 10.137.x.x (and 10.136.x.x (or use CIDR 10.136.0.0/15)) to 192.168.x.x.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
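To make the routing logic in this reply concrete, here is an added Python example (not code from the thread, nor any Sophos or Cisco configuration) that models the two routers with a longest-prefix-match lookup and traces both directions of the flow. The XG's interconnect address 10.137.212.2 is the one value quoted in the thread; the Cisco's interface addresses, the exact /16 prefixes and the router names are assumptions made for this example. It shows the forward path succeeding, the return path being dropped on the School 2 Cisco for lack of a 192.168.0.0/16 route, the same path succeeding once that route via 10.137.212.2 is added, and that the suggested 10.136.0.0/15 source covers both 10.136.x.x and 10.137.x.x in a single firewall rule.

```python
import copy
import ipaddress

# Constructed model of the thread's topology (example data, not device configs
# from the thread). Each router owns a set of interface addresses and has a
# static routing table: prefix -> next-hop address, or "connected".
# Only 10.137.212.2 (the XG's interconnect address) is quoted in the thread; the
# Cisco's addresses and the exact /16 prefixes are assumptions for this example.
ROUTERS = {
    "school2-cisco": {
        "addrs": {"10.136.0.1", "10.137.212.1"},
        "routes": {
            "10.136.0.0/16": "connected",
            "10.137.0.0/16": "connected",
        },
    },
    "school1-xg": {
        "addrs": {"192.168.0.1", "10.137.212.2"},
        "routes": {
            "192.168.0.0/16": "connected",
            "10.137.0.0/16": "connected",
            "10.136.0.0/16": "10.137.212.1",  # the SD-WAN route the poster created
        },
    },
}

# Firewall rule the reply suggests on the XG: source 10.136.0.0/15 (which
# covers both 10.136.0.0/16 and 10.137.0.0/16) to destination 192.168.0.0/16.
ALLOW_SRC = ipaddress.ip_network("10.136.0.0/15")
ALLOW_DST = ipaddress.ip_network("192.168.0.0/16")


def lookup(routes, dst):
    """Longest-prefix match over one routing table.
    Returns the next hop, "connected", or None when no prefix matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def owner(routers, ip):
    """Name of the router that owns interface address ip, or None."""
    for name, r in routers.items():
        if ip in r["addrs"]:
            return name
    return None


def trace(routers, start, dst, max_hops=8):
    """Follow the routing tables hop by hop from router `start` towards dst.
    Returns (status, list of routers visited)."""
    path, here = [], start
    for _ in range(max_hops):
        path.append(here)
        nh = lookup(routers[here]["routes"], dst)
        if nh is None:
            return "no-route", path       # packet dropped on this router
        if nh == "connected":
            return "delivered", path      # dst is on a directly attached subnet
        nxt = owner(routers, nh)
        if nxt is None:
            return "next-hop-unknown", path
        here = nxt
    return "loop", path


def with_return_route(routers=ROUTERS):
    """Copy of the topology with the static route the reply asks for on the
    School 2 Cisco: 192.168.0.0/16 via 10.137.212.2."""
    r = copy.deepcopy(routers)
    r["school2-cisco"]["routes"]["192.168.0.0/16"] = "10.137.212.2"
    return r


def xg_allows(src, dst):
    """Does the suggested XG rule permit this flow towards the internal range?"""
    return (ipaddress.ip_address(src) in ALLOW_SRC
            and ipaddress.ip_address(dst) in ALLOW_DST)


def covered_by_rule(prefix):
    """Is a whole source prefix inside the 10.136.0.0/15 of the suggested rule?"""
    return ipaddress.ip_network(prefix).subnet_of(ALLOW_SRC)


if __name__ == "__main__":
    print("forward :", trace(ROUTERS, "school1-xg", "10.136.5.5"))
    print("return  :", trace(ROUTERS, "school2-cisco", "192.168.5.5"))
    print("return+ :", trace(with_return_route(), "school2-cisco", "192.168.5.5"))
    for s in ("10.136.5.5", "10.137.9.9", "10.138.1.1"):
        print("xg allows", s, "-> 192.168.1.1:", xg_allows(s, "192.168.1.1"))
```

The model covers only the two routing tables and the XG allow rule. It does not model an upstream provider filtering private prefixes on the backbone, which is the condition the thread's final post reports; a "delivered" result here therefore shows only that the route and rule set is consistent, not that the carrier will forward the packets.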

  • Thank you both for your input on the matter. It turns out that I had everything set up correctly, but it would never work due to the limitations of the 3rd party. They block all 192 traffic, so I was chasing a dead end. I am going down the route of changing our internal network scheme to get this to work.

    Thank you both for putting the time in to help resolve my issue. It is really appreciated.