
Static route between WatchGuard and Sophos XG

Hello everyone,

I recently installed a WatchGuard firewall and connected the previously existing Sophos XG to the old subnet as a management device for the access points.

Previously the Sophos was the only main firewall at the site; now the WatchGuard is the main firewall and the Sophos is only used for the connection to the Sophos access points.

Currently the WLAN clients and the Sophos cannot establish an internet connection via the WatchGuard. I would therefore like to create a route on the WatchGuard and on the Sophos so that the Sophos APs and the WLAN clients can also reach each other via the WatchGuard.

How do I have to configure the route on the Sophos and on the WatchGuard so that the 192.168.99.x network can also reach the internet via the WAN port of the WatchGuard?

In addition, I would like to keep the existing network 192.168.99.x/24 for the guest WLAN separate from the productive network 10.10.1.x/24 and create a second SSID for the productive network 10.10.1.x.

How must the configuration on both firewalls be set up for this to work?

Do I need to create a default route on both firewalls and then a firewall rule on both sides as well? What exactly does the configuration look like here?

Many thanks in advance for your support.

Regards



  • Hello Florian,

    Thanks for reaching out to Sophos Community.

    Could you confirm what IP the Sophos Firewall has on this interface? Is the zone configured here WAN or LAN? If this is WAN, I suspect traffic from the 192.168.99.x/24 network is being NATed/masqueraded going out to the SF interface IP -> network switch -> WatchGuard. If this is the setup, kindly confirm that the WG has a policy allowing the WAN IP of the Sophos Firewall.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello Raphael,

    Thanks for your fast reply and help! Sorry, I made a mistake. The configured port on the Sophos is the Port 1 LAN interface.

    With that port it reaches the switch with the Sophos interface IP 192.168.99.1.

    From the WatchGuard FW I am able to ping the 192.168.99.1 Sophos Interface IP.

    Do I need to setup a static route on both sides to get access from the Sophos Network to the WG WAN Interface?

  • Hello Florian,

    Thanks for the details. From the AP clients connected to the SF, are you able to ping the WG interface 192.168.99.2? What default gateway/DNS settings are set for the AP clients? Is the interface where the AP is connected to the SF bridged to the one where the Sophos Firewall is connected to the WG?

    Could you also confirm whether there's a policy configured on the WatchGuard to allow internet access from network 192.168.99.x, and the NAT configuration on the WatchGuard from 192.168.99.x -> Any-External or Any-Trusted -> Any-External?

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello Raphael,

    Thanks for the input. Currently I am not on-site to test with a wireless client connected to the SF AP.

    But from the Sophos FW I can ping the 192.168.99.2 WG IP.

    The default GW/DNS for the AP clients is 192.168.99.1 for both. Should I change the gateway and DNS to 192.168.99.2 for the AP clients?

    I also want some clients from the 10.44.105.x subnet to be able to reach the Sophos interface on 192.168.99.1, as an SMTP relay is also configured on the Sophos which the printers use to send mails via scanning.

    For that I guess I need to configure a route on both firewalls to reach the 192.168.99.x subnet, or?

    Thanks for your help in advance!

  • And I just created a policy on the WatchGuard to allow HTTP/HTTPS from the 192.168.99.x subnet.
    Dynamic NAT was also preconfigured on the WatchGuard with

    192.168.0.0/16 Any-External  
    172.16.0.0/12 Any-External  
    10.0.0.0/8 Any-External
  • I already tried to create a static route on the Sophos FW to get access to the 10.44.105.x network. But which gateway address do I have to use?

    If I try 192.168.99.1 and the LAN interface with that subnet, I get the message "Gateway IP address must be different from interface IP address".

  • Hello Florian, 

    Could you confirm which network 10.44.105.x is on the given diagram? Gateway settings should be the IP address of the next hop or gateway/router to the destination and should not be with the same subnet of your exit interface.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello Raphael,

    The 10.44.105.x network is the 10.10.1.x network on the diagram. Sorry, I used an old screenshot of the diagram. Instead of 10.10.1.x it is the 10.44.105.x network for which I tried to add a route.

    So should the gateway IP in this case be the 10.44.105.1 IP, or which would be the next hop in this case?

    Thanks and regards,

    Florian

  • Hello Florian, 

    Thanks for your response.

    The way I'm seeing it, your Sophos Firewall interface/Port2 LAN with IP network 192.168.99.0/24 and the one connected directly to the Cisco switch are in bridge mode, and the Cisco switch is directly connected to the WatchGuard Port3 LAN with IP 192.168.99.2.

    So, if you want the AP network 192.168.99.0/24 to have internet access, the default gateway of the clients should be 192.168.99.2 (WG Port3 LAN), with DNS that can resolve and with a FW policy on the WG that allows outbound traffic.

    A bridge interface on SF whose members are both in the LAN zone should be unable to have a default gateway (kindly see the gateway field that is grayed out when creating a bridge interface), so the WG should be the DG of the clients on the network 192.168.99.0/24.

    With regards to 192.168.99.0 reaching the network 10.44.105.0, a static route is likely unnecessary since they are directly connected networks on the WatchGuard. What you need is to configure a firewall policy in WatchGuard that allows access 192.168.99.0 -> 10.44.105.0 and also 10.44.105.0 -> 192.168.99.0.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
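The two routing rules this thread runs into (a static route is only needed for networks that are not directly connected, and a static route's gateway must be an on-link next hop that is not the device's own interface address) can be checked against the thread's topology with the small model below. This is an added example, not code from the thread, Sophos or WatchGuard; the addresses 192.168.99.1 (SF) and 192.168.99.2 (WG) come from the thread, while the WatchGuard's 10.44.105.1 address and the interface names are assumptions.

```python
# Added example (not from the thread or from Sophos/WatchGuard): models the
# route decisions discussed above with the ipaddress module.
import ipaddress

# Constructed interface tables: device -> {interface name: address/prefix}
DEVICES = {
    "sophos_xg": {"Port1 LAN": "192.168.99.1/24"},
    "watchguard": {"Port3 LAN": "192.168.99.2/24",
                   "Trusted LAN": "10.44.105.1/24"},  # assumed address
}


def connected_networks(device):
    """Networks the device reaches without any static route."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in DEVICES[device].items()}


def static_route_needed(device, destination):
    """A static route is only needed when the destination is not a directly
    connected network (or a subnet of one)."""
    dest = ipaddress.ip_network(destination)
    return not any(dest.subnet_of(net)
                   for net in connected_networks(device).values())


def validate_static_route(device, destination, gateway):
    """Applies the two rules the thread hits: the gateway must differ from the
    device's own interface IP, and it must be an on-link next hop (inside the
    subnet of one of the device's interfaces). Returns the exit interface name
    on success and raises ValueError otherwise."""
    gw = ipaddress.ip_address(gateway)
    ipaddress.ip_network(destination)  # raises on a malformed destination
    for name, addr in DEVICES[device].items():
        iface = ipaddress.ip_interface(addr)
        if gw == iface.ip:
            raise ValueError("Gateway IP address must be different from interface IP address")
        if gw in iface.network:
            return name
    raise ValueError(f"gateway {gateway} is not on a directly connected subnet of {device}")


if __name__ == "__main__":
    # Sophos -> 10.44.105.0/24 needs a route; the on-link next hop is the WG at .99.2
    print(static_route_needed("sophos_xg", "10.44.105.0/24"))                   # True
    print(validate_static_route("sophos_xg", "10.44.105.0/24", "192.168.99.2"))  # Port1 LAN
    # The WatchGuard needs no route for either network: both are directly connected
    print(static_route_needed("watchguard", "192.168.99.0/24"))                 # False
```

Return traffic still needs the matching firewall policies on the WatchGuard in both directions, as the last reply notes; this model only decides whether a route entry is required and whether its gateway is acceptable.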