Currently running a UTM Version 9.7115-5. I've added some associate company sites to a site-to-site IPsec tunnel.
We have the tunnel established and running fine with the "Automatic Firewall Rules"... However.....
1. I'd like to restrict the traffic from the other site to only hit a few of the servers in my subnet and not every IP address in my subnet. (Trying to limit virus exposure potential and network scans, and restrict the other site to just the IPs on my site I want to allow.)
I thought this would be easy, but it's not working.
A. In my site-to-site IPsec tunnel I disabled the Automatic Firewall Rules checkmark, then
B. Went to Network Services > Firewall and made an allow rule from their network to the specific IP address hosts in my subnet I want to allow.
C. Went to Network Services > Firewall and made a drop rule from their network to my internal network. (Hoping to drop any traffic that is not for rule B.)
D. Went to Network Services > Firewall and made an allow rule to allow any of my PCs to their network. (So I can get to IP addresses on their network.)
The problem is, when I enabled all the rules, I can still ping any of my local IP addresses from their side. The restriction is not working... As a matter of fact, even without any rules, or with just the drop rule enabled (their network to our network), traffic is still allowed to flow through the site-to-site tunnel... It appears to me as if the firewall rules aren't being used at all... (What should the response be with no firewall rules?)
If you only want the other side to reach "grndata" & "GRNDC3" & "Gmqad1" instead of everything, just replace "Internal (Network)" in 'Local Networks' in your IPsec Connection with those three Host definitions. Of course, then none of the other devices in your LAN could reach the GBBI LANs.
Like Amodin says, #2 in Rulz will give you the knowledge to accomplish what you want with firewall rules.
Cheers - Bob
This ended up working for me... I did study the Rulz, which helped. The hard part about the Rulz is then knowing where to go in the UTM to check them, but knowing the order of evaluation helped, and especially that ping traffic has a higher-level bypass. (Which I had enabled.) Thank you!
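To see why the ping tests in the question kept succeeding even with the drop rule enabled, here is an added Python model (not Sophos code and not anyone's UTM configuration) of first-match evaluation over rules B, C and D, with the ICMP forwarding bypass mentioned in the last reply checked before the rule set. The networks, host addresses and the default-drop fallback are constructed assumptions standing in for values the thread does not give.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins; the real addresses are not on the page.
THEIR_NET = ip_network("10.20.0.0/24")      # associate company's LAN
OUR_NET = ip_network("192.168.1.0/24")      # "Internal (Network)"
ALLOWED_HOSTS = {                           # grndata, GRNDC3, Gmqad1 stand-ins
    ip_address("192.168.1.10"),
    ip_address("192.168.1.11"),
    ip_address("192.168.1.12"),
}

# Rules B, C, D from the question, in order; first match wins.
RULES = [
    ("B: allow their net -> allowed hosts", "allow",
     lambda s, d: s in THEIR_NET and d in ALLOWED_HOSTS),
    ("C: drop their net -> internal net", "drop",
     lambda s, d: s in THEIR_NET and d in OUR_NET),
    ("D: allow internal net -> their net", "allow",
     lambda s, d: s in OUR_NET and d in THEIR_NET),
]


def evaluate(src, dst, proto, icmp_forwarding):
    """Return (action, reason) for one packet.

    icmp_forwarding models the global ICMP forwarding setting: as the final
    reply notes, it is honoured before the firewall rules, so while it is on
    a ping never reaches rules B-D at all, which matches the symptom reported.
    """
    s, d = ip_address(src), ip_address(dst)
    if proto == "icmp" and icmp_forwarding:
        return "allow", "ICMP forwarding bypass (evaluated before rules)"
    for name, action, match in RULES:
        if match(s, d):
            return action, name
    # Assumed default when nothing matches: drop.
    return "drop", "no matching rule (default drop)"


def is_restricted(icmp_forwarding):
    """True only if a host outside ALLOWED_HOSTS is unreachable for both
    ping and TCP from their network, i.e. the intended restriction holds."""
    probes = [("10.20.0.5", "192.168.1.50", p) for p in ("icmp", "tcp")]
    return all(evaluate(s, d, p, icmp_forwarding)[0] == "drop"
               for s, d, p in probes)
```

Running `is_restricted(True)` reproduces the original complaint (ping still gets through), while `is_restricted(False)` shows the same rules doing their job once the bypass is off.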