Sophos UTM connected behind another router

Hi,

I have this following network architecture.

Internet --> EdgeRouter Pro ---> Network Switch.

I have connected my Sophos UTM SG135 appliance (from the eth0 interface with IP address 192.168.40.2/24) to the EdgeRouter (at the eth2 interface with IP address 192.168.40.1/24).

My question is how can I configure the Sophos UTM to have internet access? I tried to tick the box for default gateway with 192.168.40.1 on eth0 but it's getting an error message of "Default Gateways only allowed on Uplink Balancing interfaces. Interface will be added to Uplink Balancing.".

Thanks!

  • Your SG already has a configured default GW. Some interface has a GW entry.

    If only one interface points towards the Internet, only this interface should contain the default GW.

     


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hello James,

    Thank you for contacting the Sophos Community.

    In the UTM, eth1 is the one usually configured as the WAN interface. If you want to use eth0, make sure to disable eth1 if it is already configured, and configure eth0 as you just did.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi,

    So I have the successful configuration below.

    Sophos UTM -->
      Interfaces & Routing:
        Interfaces:
          eth1:

             IP: 192.168.40.2
             Netmask: /24 (255.255.255.0)
             IPv4 Default GW address: 192.168.40.1

      Network Protection:
        NAT:
         Masquerading:
           VPN Pool Custom (10.242.40.0/24) --> eth1 (192.168.40.2).


    I have VPN client remote access enabled with a custom Virtual IP Pool (10.242.40.0/24). I noticed that when I am connected to the VPN client (which gives me IP address 10.242.40.2) and accessing servers on another network, my source IP address is 192.168.40.2 and not 10.242.40.2.

    Are there any missing and/or wrong settings in my UTM?

  • Hi James and welcome to the UTM Community!

    First, some comments about the UTM culture that will make it easier to get help from this community and Sophos Support.

    In general, it's always best to have a public IP on eth1.  If possible, I would put the EdgeRouter Pro in bridge mode to achieve that.

    My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve 10.0.0.0/8 for giant multinationals, ISPs, etc.

    I also recommend against changing the VPN Pool used unless you have too many remote users to fit in a /24.  As it is, we don't know which remote access method you're using.

    Rather than describe your setup, show us pictures of the Edits of your configuration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your time and for sharing your knowledge and recommendations on this thread for best practice of internal subnets and reserved networks. I really appreciate it :)

    Here's what my configuration looks like: [deleted by mod - please insert pictures directly here]

    I am using the SSL VPN Remote Access method with a custom VPN pool as shown in the picture. So when VPN client users send all traffic over the VPN, they will have a unique public IP address, 230.x.x.20, for some purpose, and 203.x.x.21 for the User Portal site and SSL VPN.

    I have figured out that since I am using NAT Masquerading, this will be recognized as my source IP address when accessing internal subnets. What I want to achieve is to be able to show the real source IP address (from the SSL VPN pool) when accessing internal subnets. However, when I turned off the NAT Masquerading, I can connect to the SSL VPN but I cannot reach the internal subnets. I tried to configure it on the Firewall but was not successful.

    I would appreciate any advice on how to make this the right configuration.

  • I opened that link in a sandbox.  It seems to be infected, so I've deleted it from your post.  Please Edit that post, and insert your image(s) into the post. We can't know if that external site is properly protected. The only malware I've gotten in over 15 years was from an external link to a picture in this forum almost 10 years ago.  Thanks in advance!

    Show us a picture of the Edit of the SSL VPN Profile.

    Cheers - Bob

     
  • Hello James,

    I have followed-up to your PM.

    As mentioned by Bob it would be better if you could post the screenshot instead of the link to avoid any issue. 

    For me, it looks like you might be missing a static route in your main router, to send the traffic back when the Masquerading is not in place. 

    Regards,
     


     
    Emmanuel (EmmoSophos)
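The two symptoms in this thread (internal servers seeing 192.168.40.2 with masquerading on, and the VPN pool being unreachable with masquerading off) are two sides of the same routing fact: the EdgeRouter only knows how to reach addresses it has a route for. The script below is an added example, not code from the thread or from Sophos, that models the EdgeRouter's forwarding table with a longest-prefix-match lookup and walks through the three cases. The addresses are the ones posted above (UTM eth1 192.168.40.2/24, EdgeRouter eth2 192.168.40.1/24, SSL VPN pool 10.242.40.0/24); the default route's next hop is not given in the thread, so "ISP" is a placeholder, and the EdgeOS `set protocols static route` line in the comment is an assumed equivalent of the static route Emmanuel describes, to be checked against your firmware's documentation.

```python
import ipaddress

# Constructed model of the thread's topology (assumption: not the page's own code).
# EdgeRouter Pro eth2 = 192.168.40.1/24, UTM eth1 = 192.168.40.2/24,
# SSL VPN pool = 10.242.40.0/24. The default route's real next hop is not
# given in the thread, so "ISP" is a placeholder.
UTM_WAN_IP = "192.168.40.2"
VPN_POOL = ipaddress.ip_network("10.242.40.0/24")

ROUTER_ROUTES = {
    "192.168.40.0/24": "connected eth2",   # directly attached; the UTM lives here
    "0.0.0.0/0": "ISP",                    # default route toward the Internet
}

# The route Emmanuel's reply says is missing: VPN pool reachable via the UTM.
# Assumed EdgeOS CLI equivalent (verify against your firmware's docs):
#   set protocols static route 10.242.40.0/24 next-hop 192.168.40.2
STATIC_ROUTE = {"10.242.40.0/24": UTM_WAN_IP}


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table, as a router's FIB does."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def source_seen_by_router(client_ip, masquerade):
    """Source address the EdgeRouter sees for a VPN client's packet leaving UTM eth1.

    With the thread's masquerading rule (VPN Pool Custom -> eth1) the pool
    address is rewritten to eth1's address; without the rule it is kept.
    """
    if masquerade and ipaddress.ip_address(client_ip) in VPN_POOL:
        return UTM_WAN_IP
    return client_ip


def reply_path(client_ip, masquerade, static_route):
    """Return (source address the internal server sees, where the router sends the reply)."""
    routes = dict(ROUTER_ROUTES)
    if static_route:
        routes.update(STATIC_ROUTE)
    seen = source_seen_by_router(client_ip, masquerade)
    return seen, lookup(routes, seen)


if __name__ == "__main__":
    client = "10.242.40.2"   # the address the VPN client got in the thread
    for masq, static in ((True, False), (False, False), (False, True)):
        seen, nh = reply_path(client, masq, static)
        print(f"masquerade={masq!s:5} static_route={static!s:5} "
              f"server sees {seen:13} reply via {nh}")
```

Reading the three rows: with masquerading on, the reply goes to 192.168.40.2 on the connected segment, so it works but the server only ever sees the UTM's address; with masquerading off and no route, the reply to 10.242.40.2 falls through to the default route and is lost toward the ISP, which matches "I can connect to SSL VPN but I cannot reach the internal subnets"; with the static route added, the reply is handed back to the UTM, which forwards it down the tunnel. Two caveats: the route must exist on whichever device actually forwards the server's replies (if an internal subnet's gateway is not the EdgeRouter, that gateway needs it too), and turning masquerading off still requires a UTM firewall rule allowing the VPN pool to reach the internal networks, since the masquerading rule was only changing addresses, not permitting traffic.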