
Access to the local subnet from the WAN interface (NAT RULE?)

Hello everyone!

I have 2 SOPHOS firewalls in two different buildings, connected by Long Range Aerials (point to point).

FIREWALL 1 is configured like this:

LAN  192.168.122.X         (Aerial 1 is part of this DHCP pool)

WAN  public IPs  (static)

then FIREWALL 2 is configured like this:

LAN 192.168.111.X 

WAN 192.168.122.X     (DHCP from FIREWALL1 LAN ZONE) 

I need to grant access to the subnet 192.168.111.X  by all the devices connected to the Firewall 1 LAN ZONE 192.168.122.X.

Which one is the best practice for this situation? At the moment I have granted RDP access to a specific host in the LAN 111 by using a NAT rule.

But what if I need to access the whole subnet instead of a specific host?

Thank you in advance.

Matteo



Edited TAGs
[edited by: Erick Jan at 7:30 AM (GMT -7) on 7 Jun 2024]
  • Hi Matteo,

    First of all, I would suggest not to connect a router (FW2) behind a client network.

    Create a new transfer/transit subnet for the connection between FW1 and FW2 (otherwise you may get asymmetric routing).

    But also possible: you can add a route via FW2 on any 192.168.122.x device so that it reaches the 192.168.111.x subnet directly.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks for your answer.

    Nowadays something changed:

    FIREWALL 1 is configured like this:

    LAN  192.168.122.X         (Aerial 1 is part of this DHCP pool)

    FIREWALL 2  has the aerial connected directly to a port, configured as another LAN zone, with a static IP from the FIREWALL 1 range.

    Could I make them communicate with each other via firewall rules or, as you said before, is it better to make a transit subnet?

    Can you make an example? Thanks.

  • Please provide a short network sketch ...


    Dirk

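The following is an added illustration of the asymmetric-routing point raised in Dirk's first reply; it is not code from the thread or from Sophos. It models three variants of the setup as tiny routing tables and traces the forward and return path of a packet between a host in the 192.168.122.x LAN and a server in 192.168.111.x: (a) FW2's WAN sits inside FW1's LAN and only FW1 carries a static route to 192.168.111.0/24, (b) the same layout but the route is placed on the client device itself, and (c) a dedicated transit subnet between FW1 and FW2. All addresses (FW1 LAN at .1, FW2 WAN at .2, the host at .50, the server at .10, the 10.0.0.0/30 transit net, the 203.0.113.0/24 public range) are constructed for the example; only the two subnets come from the thread.

```python
"""Trace forward and return paths through a small routed topology to show
why a gateway (FW2) placed inside FW1's LAN produces asymmetric routing.
All addresses are constructed for this example."""
from ipaddress import ip_address, ip_interface, ip_network

HOST = "192.168.122.50"    # client in FW1's LAN (constructed)
SERVER = "192.168.111.10"  # server in FW2's LAN (constructed)


class Node:
    """A host or firewall: its interfaces plus a static routing table."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = [ip_interface(i) for i in interfaces]
        # (destination network, next-hop address); 0.0.0.0/0 is the default route
        self.routes = [(ip_network(d), ip_address(nh)) for d, nh in routes]

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces)

    def next_hop(self, dst):
        """Directly connected segments win, then longest-prefix static route."""
        for i in self.interfaces:
            if dst in i.network:
                return dst
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def trace(nodes, src, dst, max_hops=10):
    """Return the list of node names a packet from src traverses to reach dst."""
    src, dst = ip_address(src), ip_address(dst)
    current = next(n for n in nodes if n.owns(src))
    path = [current.name]
    for _ in range(max_hops):
        if current.owns(dst):
            return path
        hop = current.next_hop(dst)
        if hop is None:
            raise RuntimeError(f"{current.name}: no route to {dst}")
        current = next(n for n in nodes if n.owns(hop))
        path.append(current.name)
    raise RuntimeError("routing loop")


def is_symmetric(nodes, a, b):
    """True when the return path is exactly the forward path in reverse."""
    return trace(nodes, a, b) == list(reversed(trace(nodes, b, a)))


def flat_topology(route_on_host=False):
    """FW2's WAN lives inside FW1's LAN (the layout described in the thread)."""
    host_routes = [("0.0.0.0/0", "192.168.122.1")]
    if route_on_host:
        # Dirk's second option: the client itself knows the way to LAN 111
        host_routes.append(("192.168.111.0/24", "192.168.122.2"))
    return [
        Node("host", [f"{HOST}/24"], host_routes),
        Node("fw1", ["192.168.122.1/24", "203.0.113.10/24"],
             [("192.168.111.0/24", "192.168.122.2"), ("0.0.0.0/0", "203.0.113.1")]),
        Node("fw2", ["192.168.122.2/24", "192.168.111.1/24"],
             [("0.0.0.0/0", "192.168.122.1")]),
        Node("server", [f"{SERVER}/24"], [("0.0.0.0/0", "192.168.111.1")]),
    ]


def transit_topology():
    """Dirk's first option: a dedicated /30 between FW1 and FW2."""
    return [
        Node("host", [f"{HOST}/24"], [("0.0.0.0/0", "192.168.122.1")]),
        Node("fw1", ["192.168.122.1/24", "10.0.0.1/30", "203.0.113.10/24"],
             [("192.168.111.0/24", "10.0.0.2"), ("0.0.0.0/0", "203.0.113.1")]),
        Node("fw2", ["10.0.0.2/30", "192.168.111.1/24"],
             [("0.0.0.0/0", "10.0.0.1")]),
        Node("server", [f"{SERVER}/24"], [("0.0.0.0/0", "192.168.111.1")]),
    ]


if __name__ == "__main__":
    for label, topo in [("route on FW1 only", flat_topology()),
                        ("route on client", flat_topology(route_on_host=True)),
                        ("transit subnet", transit_topology())]:
        print(f"{label}: forward {trace(topo, HOST, SERVER)}, "
              f"return {trace(topo, SERVER, HOST)}, "
              f"symmetric={is_symmetric(topo, HOST, SERVER)}")
```

In the first variant the outbound packet passes through FW1, but FW2 answers the client directly because 192.168.122.0/24 is connected to its own WAN interface, so FW1 sees only half of the conversation. A stateful firewall rule on FW1 cannot match that flow reliably, which is the practical reason behind the transit-subnet advice; placing the route on the client avoids FW1 for that traffic altogether, while the transit subnet keeps both directions through FW1.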
