Site to site IPSEC Tunnel and User Defined Firewall rules

Hi All,

Currently running UTM Version 9.7115-5. I've added some associate company sites to a Site-To-Site IPsec tunnel.

We have the tunnel established and running fine with the "Automatic Firewall Rules"... However...

1. I'd like to restrict the traffic from the other site to only hit a few of the servers in my subnet and not every IP address in my subnet. (Trying to limit virus exposure potential and network scans, and restrict the other site to just the IPs on my site I want to allow.)

I thought this would be easy, but it's not working.

A. In my site-to-site IPsec tunnel I disabled the Automatic Firewall Rules checkmark, then

B. Went to Network Services > Firewall and made an Allow rule from their network to the specific IP address hosts in my subnet I want to allow.

C. Went to Network Services > Firewall and made a Drop rule from their network to my internal network. (Hoping to drop any traffic that is not for rule B.)

D. Went to Network Services > Firewall and made an Allow rule to allow any of my PCs to their network. (So I can get to IP addresses on their network.)

The problem is when I enabled all the rules, I can still ping from any of my local IP addresses. The restriction is not working. As a matter of fact, even without any rules, or with just the Drop rule enabled (their network to our network), traffic is still allowed to flow through the site-to-site tunnel. It appears to me as if the firewall rule isn't being used at all. (What should the response be with no firewall rules?)

  • I think Rule #2 in Rulz would be something to look over if you haven't done so. If you have ICMP enabled, it will allow it before you ever apply any IPS ruleset.

    UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • If you only want the other side to reach "grndata" & "GRNDC3" & "Gmqad1" instead of everything, just replace "Internal (Network)" in 'Local Networks' in your IPsec Connection with those three Host definitions. Of course, then none of the other devices in your LAN could reach the GBBI LANs.

    Like Amodin says, #2 in Rulz will give you the knowledge to accomplish what you want with firewall rules.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • As I was working on this, it was the ICMP ping that kept going, and which violated the rules I had in place. When I tried with source and from sites directly to the host (with non-ping traffic), i.e. UNC file paths, the firewall did indeed stop the UDP/TCP traffic. (I spent way longer banging my head when I should have just tried some different, non-ping traffic.) Thank you!

  • This ended up working for me. I did study the Rulz, which helped. The hard part about the Rulz is then knowing where to go in the UTM to check them, but knowing the order of evaluation helped, and especially that ping traffic has a higher-level bypass (which I had enabled). Thank you!