

Passing through external IPs

Hi all,

Hoping I can get pointed in the right direction!

We have an opportunity to provide networking for a managed office; as part of this they want to be able to offer the protection that the XG can do. That is simple enough, and I can create VLANs, Zones, etc.

The bit that I am struggling with is that they have multiple external IPs, which I need to pass through to their customers with no NAT.

Let's say they are using 1.1.1.0/28 which is provided by the ISP

Our firewall will be 1.1.1.2 with a GW of 1.1.1.1 (ISP)

Customer A firewall will be 1.1.1.3 with a GW I believe of our XG (1.1.1.2)
Customer B firewall will be 1.1.1.4 with a GW as above and so on.

I need to be able to pass these external IPs through our firewall, skipping NAT and all protection, e.g. to the customer's device it is an external IP and behaves the same way.

I need to be able to QoS these IPs to the internet package that is chosen, and also have the ability to pass the external IPs over a VLAN on our network to the customer's end device rather than using a physical port on the XG (again simple enough, I guess; what I am asking is, does the XG support this?).

Cheers! 

  • Hi Alex,

    This should be possible with "Deploy Sophos Firewall in bridge mode"
    doc.sophos.com/.../index.html

    But if possible, i would always prefer routing mode. (needs an additional public IP-range or NAT)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Like  says you can use bridge mode. However those devices should point to 1.1.1.1 and not 1.1.1.2 as gateway or it would not work. When passing the IPs over a VLAN instead of over a physical port, I hope you mean to use a VLAN interface on the XG, otherwise you are completely bypassing XG and if traffic does not travel through the XG you also cannot apply QoS.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Ok, if I place the device in bridge mode, I assume I can still create additional Zones and "local Lans".
    Because if I used Routing mode with NAT, the customer would not get a true "external IP" as I understand it?

    Can you give me a bit more information on the additional Public IP-Range, do you mean an additional subnet on top of the subnet provided by the ISP?

  • Hi, 
    Yes a VLANNED port on the XG.

    I assume this is what I would do.

    Create the VLAN and Zone on the XG.
    Create a bridge interface on the XG between said VLANed port, zone, and WAN.
    Provide the External IP settings to the end customer with the ISP GW
    Create a firewall rule to allow traffic - However, can you let me know what this would look like?

    Would it be "Zone" > WAN ANY and then WAN > "Zone" ANY?

    Cheers

  • Depending on the name you give to the zone of the bridged connection where the public IPs need to be used, you can use those zone names in the firewall rule. I wouldn't, however, use the default WAN zone for that, but either DMZ or a new Zone you create.

    If you use DMZ you can use a rule where source and destination zone both are configured as DMZ, WAN and services ANY. In that case you only need one rule for both incoming and outgoing traffic.


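The two checks the replies above turn on, that a transparent bridge does not route (so the customers' gateway must be the ISP router, not the XG's bridge IP) and that the firewall rule set must match both directions of traffic, are easy to get wrong in a planning spreadsheet. The following added example (not from the thread or from Sophos) models the addressing plan from the original post and the two rule layouts discussed (one rule per direction versus the single DMZ/WAN-to-DMZ/WAN rule). The addresses, zone names and the plain set-matching semantics of the rule model are assumptions for illustration, not a statement about how SFOS evaluates rules internally.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample plan, taken from the placeholder addressing used in the thread.
ISP_NET = ip_network("1.1.1.0/28")
ISP_GW = ip_address("1.1.1.1")          # ISP router
XG_BRIDGE_IP = ip_address("1.1.1.2")    # XG's own address on the bridge
CUSTOMERS = {"A": ip_address("1.1.1.3"), "B": ip_address("1.1.1.4")}


def check_bridge_plan(net, isp_gw, xg_ip, customers, customer_gw):
    """Return a list of problems with a bridge-mode addressing plan (empty list = OK)."""
    problems = []
    hosts = {"ISP gateway": isp_gw, "XG bridge IP": xg_ip}
    hosts.update({f"customer {name}": ip for name, ip in customers.items()})

    for name, ip in hosts.items():
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {ip} is the network or broadcast address of {net}")

    seen = {}
    for name, ip in hosts.items():
        if ip in seen:
            problems.append(f"{name} duplicates {seen[ip]} ({ip})")
        seen.setdefault(ip, name)

    # A bridge forwards frames; it is not a next hop. The customers must therefore
    # point at the ISP router, exactly as the second reply in the thread says.
    if customer_gw != isp_gw:
        problems.append(
            f"customer gateway {customer_gw} must be the ISP gateway {isp_gw}; "
            "a bridge-mode firewall does not route"
        )
    return problems


@dataclass(frozen=True)
class Rule:
    """Zone-based allow rule with service ANY (assumed simplified model)."""
    src_zones: frozenset
    dst_zones: frozenset


def allowed(rules, src_zone, dst_zone):
    """True if any rule matches the given source/destination zone pair."""
    return any(src_zone in r.src_zones and dst_zone in r.dst_zones for r in rules)


def covers_both_directions(rules, zone, wan="WAN"):
    """Both zone->WAN and WAN->zone must match for a pass-through to work."""
    return allowed(rules, zone, wan) and allowed(rules, wan, zone)


# Layout 1: the original poster's two explicit rules ("Zone > WAN" and "WAN > Zone").
TWO_RULES = [
    Rule(frozenset({"DMZ"}), frozenset({"WAN"})),
    Rule(frozenset({"WAN"}), frozenset({"DMZ"})),
]
# Layout 2: the single rule suggested in the last reply, DMZ,WAN on both sides.
ONE_RULE = [Rule(frozenset({"DMZ", "WAN"}), frozenset({"DMZ", "WAN"}))]


if __name__ == "__main__":
    print("correct plan:", check_bridge_plan(ISP_NET, ISP_GW, XG_BRIDGE_IP, CUSTOMERS, ISP_GW))
    print("gateway set to the XG:",
          check_bridge_plan(ISP_NET, ISP_GW, XG_BRIDGE_IP, CUSTOMERS, XG_BRIDGE_IP))
    for label, rules in (("two rules", TWO_RULES), ("one rule", ONE_RULE)):
        print(label, "covers both directions:", covers_both_directions(rules, "DMZ"),
              "| also allows DMZ->DMZ:", allowed(rules, "DMZ", "DMZ"))
```

One thing the model makes visible: under plain set matching, the single combined rule also matches DMZ-to-DMZ and WAN-to-WAN traffic, which the two explicit per-direction rules do not. Whether that matters depends on what else shares those zones; if the customer segments should not see each other, the two-rule layout (or a separate zone per customer) is the tighter choice.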