Good Day,
We have a primary FW with a remote RED network configured; we also have a site-to-site connection established with another vendor's FW, which gives us access to their network.
What I am trying to achieve is allowing the remote RED network the ability to access the resources that our current LAN users have access to on the site to site connection. I note also that our FW cannot even ping the location the RED network is trying to access.
Site A - Our LAN (.0 subnet)
Site B - Remote RED Network (.6 subnet)
Site C - Site to Site Network (.168 subnet)
A & B can talk to each other. Similarly A & C can talk to each other.
We would like traffic coming into A from B to be able to see the C network, and vice versa ideally.
I have played around with a few rules and none of them have really done anything.
If anyone can help, it would be very much appreciated; thank you in advance.
Hello,
Normally you would set up IP routes to "see" networks behind a gateway. In this case, your central firewall in site A is the gateway for the users at site B to go to site C.
As long as you do not have the ability (it sounds like that) to add an additional route at site C, to tell them how they could reach the networks at site B, this won't work.
So you could use NAT to make site C believe that the packets do come from site A. This would require an SNAT rule.
With kind regards, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
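To illustrate the reply-path problem described in the post above, here is an added simulation (example code, not from the thread or Sophos). It models the three subnets RB named, assumes 192.168.0.1 as the site A firewall's LAN address used as the SNAT source, and shows why C cannot answer a 192.168.6.x source without a route, while SNAT plus a connection-tracking entry at A lets the reply get back to B.

```python
import ipaddress

# Constructed model of the thread's topology (not a Sophos configuration):
# site A's firewall is the hub; B reaches C only through A.
LAN_A = ipaddress.ip_network("192.168.0.0/24")
LAN_B = ipaddress.ip_network("192.168.6.0/24")
LAN_C = ipaddress.ip_network("192.168.168.0/24")
A_ADDR = "192.168.0.1"   # assumed: site A firewall LAN address used as SNAT source

# Site C's firewall only knows its own LAN and the peer LAN at site A
# (the tunnel's traffic selectors); nothing points back to 192.168.6.0/24.
ROUTES_C = (LAN_C, LAN_A)


def c_has_route(dst: str) -> bool:
    """True if site C can forward a packet to dst over a known route."""
    return any(ipaddress.ip_address(dst) in net for net in ROUTES_C)


def a_forward(src: str, dst: str, snat: bool, conntrack: dict):
    """A B->C packet leaves site A; with SNAT the source is rewritten to A's
    address and the original source is remembered for the reply."""
    if snat:
        conntrack[(A_ADDR, dst)] = src
        return A_ADDR, dst
    return src, dst


def c_reply(src: str, dst: str):
    """Site C answers the packet it saw, or drops it when no route exists."""
    return (dst, src) if c_has_route(src) else None


def a_return(src: str, dst: str, conntrack: dict):
    """The reply re-enters site A; restore B's address if a NAT mapping exists."""
    return src, conntrack.get((dst, src), dst)


def ping_b_to_c(b_host="192.168.6.10", c_host="192.168.168.20", snat=False) -> str:
    conntrack = {}
    s, d = a_forward(b_host, c_host, snat, conntrack)
    reply = c_reply(s, d)
    if reply is None:
        return "dropped: C has no route to %s" % s
    s, d = a_return(*reply, conntrack)
    return "reply delivered to %s" % d if d == b_host else "misdelivered to %s" % d


if __name__ == "__main__":
    print(ping_b_to_c(snat=False))  # C cannot route back to 192.168.6.0/24
    print(ping_b_to_c(snat=True))   # C replies to A, A restores B's address
```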
Good Morning Philipp,
Many thanks for your reply. I am playing around with an SNAT rule at the moment, but the values I have in here do not seem to be working, as my ping attempts from Site B still get stuck at the gateway of Site A in their attempt to get to Site C. Traceroute also shows that packets get dropped at the Site A gateway.
Am I missing something perhaps?
Best Regards,
RB
Hello RB,
Could you give us more details about your IP networks at site A, B and C?
I mean local IP network and subnet masks.
With kind regards, best regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Hello Philipp,
As it stands, our current LAN is 192.168.0.0/24, the RED connection at Site B is taking 192.168.6.0/24 and the network at Site C is 192.168.168.0/24, all with standard netmasks.
The site-to-site connection between A & C involves a NATed LAN, where what Site C sees as a 192.168.4.0/24 network is translated to 192.168.0.0/24 at our end. I'm thinking this may be why we're having issues. I have asked the vendors at Site C if we can get a separate site-to-site connection directly to Site B.
Best regards,
RB.