
UTM inside of another VPN Firewall - How do we make this work?

I wish to deploy our UTM inside of our existing ASA.  I have many sites connected IPSEC (IKEv2) to our ASA, and all traffic is tunneled from all remote sites to the ASA.  I wish for the UTM to perform its security functions (except Site to Site VPN) on all traffic, including the tunneled remote VPN sites and local LAN.  Diagrams below.  Sophos support tells us that they do not provide deployment assistance, but can help with configuring commands if we know what we want to do.  So, I ask you all:  how can I scan and protect all traffic from all sites on this spoke and hub setup.

Current State:

Future State:



  • Hi Mark,

    Deploying Sophos UTM in full transparent mode is all that is required here. Refer to the KBA here for the deployment; it is a piece of cake.

    Support never helps in a deployment scenario; this is done by the sales team or the Sophos partner who sold you the appliance. They can help you with the initial deployment.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Sachin,


    Thank you for your quick reply.  I am having a couple of conceptual problems with one component of using full transparent mode.  

    1. Clients on remote LANs, which terminate on the ASA, will talk to LAN1 for DNS, but for internet traffic, after receiving the IP resolution, the traffic will then go to the internet through the ASA's outside interface.  In full transparent mode between the LAN1 switch and the ASA, how do we expect the UTM to be able to protect internet traffic that is not passing over the bridge to LAN1?
    2. From my understanding, the transparent modes do have 100% of the functionality that Standard Proxy mode would have, such as HTTPS inspection, which would be critical to security since some more sophisticated attacks will try to tunnel themselves in HTTPS streams, such as command-and-control traffic, reverse proxies, and such.  What will we be unable to take advantage of in the transparent modes?

    Thank you, again.


    Mark

  • In regards to your question:

    1) How does traffic flow on the remote LANs for Internet traffic?  Do they go through the VPN and then use the main site's Internet for their Internet, or do they have local Internet that they use?  If they do, then you may need to get "creative" with routing to ensure everything goes through the UTM.

    2) With transparent mode and utilizing the transparent proxy, you don't have to do any configuration on the endpoints, it just works.  With standard, you have greater control over what gets allowed/denied Internet, i.e. you can block HTTP/HTTPS for the network and only allow port 8080 for proxy traffic through.  I've always used transparent as it can be easier to do as a drop-in replacement to what is currently there.
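
The routing caveat above (and Mark's first question) can be checked mechanically before any appliance is racked. The script below is an added example and is not code from this thread or from Sophos; it models a constructed hub-and-spoke topology with assumed device names and addresses (remote_client 10.20.0.10 behind the IPsec tunnel, the ASA with inside and outside links, a LAN1 switch, a DNS host 10.10.0.53 on LAN1, and the UTM as a layer-2 bridge on the ASA-to-LAN1 link), then traces each flow hop by hop and reports which flows never cross the UTM. Tables, hosts and flows are all assumptions that you would replace with your own design.

```python
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed model of the hub-and-spoke design discussed in the thread.
# Device names and addresses are assumptions for illustration, not Mark's diagram:
#   remote_client  10.20.0.10  spoke host; reaches the hub only through the IPsec tunnel
#   asa            hub VPN firewall; inside link to lan1_switch, outside link to the Internet
#   lan1_switch    central LAN1 switch
#   lan1_host      10.10.0.53  DNS server on LAN1
#   utm            UTM in full transparent (bridge) mode on the asa <-> lan1_switch link
Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


# Per-device forwarding tables: (prefix, next hop). Longest prefix wins; 0.0.0.0/0 is default.
TABLES: Dict[str, List[Tuple[Net, str]]] = {
    "remote_client": [(net("0.0.0.0/0"), "asa")],        # everything rides the tunnel
    "asa": [
        (net("10.10.0.0/24"), "lan1_switch"),            # central LAN1 via inside
        (net("10.20.0.0/24"), "remote_client"),          # spoke LAN via IPsec
        (net("0.0.0.0/0"), "internet"),                  # default via outside
    ],
    "lan1_switch": [
        (net("10.10.0.0/24"), "lan1_host"),
        (net("0.0.0.0/0"), "asa"),
    ],
    "lan1_host": [(net("0.0.0.0/0"), "lan1_switch")],
    "internet": [],                                      # terminal, no routes
}

# Addresses each end host owns; a trace ends when the current device owns the destination.
OWNED: Dict[str, set] = {"lan1_host": {"10.10.0.53"}, "remote_client": {"10.20.0.10"}}

# A layer-2 bridge appears in nobody's routing table; it is traversed by every frame
# crossing the link it sits on, in either direction.
BRIDGES: Dict[FrozenSet[str], str] = {frozenset({"asa", "lan1_switch"}): "utm"}

# Constructed flows to audit: (source device, destination IP).
FLOWS: List[Tuple[str, str]] = [
    ("remote_client", "10.10.0.53"),   # spoke host doing DNS against LAN1
    ("remote_client", "8.8.8.8"),      # spoke host browsing the Internet via the hub
    ("lan1_host", "8.8.8.8"),          # LAN1 host browsing the Internet
    ("lan1_host", "10.20.0.10"),       # LAN1 host talking to the spoke
]


def next_hop(device: str, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix-match lookup in one device's forwarding table."""
    best: Optional[Tuple[Net, str]] = None
    for prefix, nh in TABLES[device]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def trace(src: str, dst_ip: str, max_hops: int = 16) -> List[str]:
    """Walk the forwarding path from src to dst_ip, inserting any bridge on each link."""
    dst = ipaddress.ip_address(dst_ip)
    path, cur = [src], src
    for _ in range(max_hops):
        if str(dst) in OWNED.get(cur, set()):
            return path                      # delivered to the owning host
        nh = next_hop(cur, dst)
        if nh is None:
            return path                      # no route (or the Internet cloud): stop
        bridge = BRIDGES.get(frozenset({cur, nh}))
        if bridge:
            path.append(bridge)              # transparent device on this link
        path.append(nh)
        cur = nh
    raise RuntimeError(f"routing loop tracing {src} -> {dst_ip}: {path}")


def audit(flows=FLOWS, inspector: str = "utm") -> Dict[Tuple[str, str], bool]:
    """Map each flow to whether the inspection device lies on its path."""
    return {(s, d): inspector in trace(s, d) for s, d in flows}


def uninspected(flows=FLOWS, inspector: str = "utm") -> List[Tuple[str, str]]:
    """Flows that would bypass the inspection device in this design."""
    return [flow for flow, ok in audit(flows, inspector).items() if not ok]


if __name__ == "__main__":
    for src, dst in FLOWS:
        path = trace(src, dst)
        verdict = "inspected" if "utm" in path else "BYPASSES UTM"
        print(f"{src:>14} -> {dst:<11} {' > '.join(path):<48} {verdict}")
```

Run as is, the audit reports exactly the gap Mark describes: remote_client to 8.8.8.8 goes tunnel, ASA, outside interface and never touches the asa-to-LAN1 link where the bridge sits, while spoke-to-LAN1 DNS and all LAN1-originated traffic are inspected. To evaluate a routed (mixed-mode) alternative, change TABLES and BRIDGES to reflect the candidate design and rerun; any flow still listed by uninspected() needs the "creative" routing Euphrates refers to.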

  • Euphrates and Bob,

    Thank you for your replies.  Bob, we have spent numerous hours talking to our vendor and with Sophos support.  You add the words "existing vpn firewall" and everyone loses their minds.  On top of that, the XG support seems to be a bit of cobbled rubbish, and the documentation worse.

    Yes, the Remote LANs use the Central LAN internet.  I agree about getting creative, but I am seeking advice on how to achieve this.  After chewing on it, I am thinking I might be forced to use Mixed Mode.  In this diagram, I only have to route my existing IPSEC VPN host traffic and the Remote LAN IP networks to the ASA:

    Am I seeing this clearly?


    Mark

  • Mark, do you have a UTM or an XG?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We have an SG430 in a green-field deployment.  We have been trying to make the XG software work, but the software is just a mess.  I can't understand why there are so many hidden features, such as the implicit deny firewall rule, why the reports are limited to dashboard style with no host name resolution, and many more things.  Currently, I am thinking we may revert to the UTM software until the XG team decides not to design the UI for home users.

    Regardless of the OS, it looks like Mixed Mode may be the only way we can protect our remote users who are funneled into the ASA via IPsec VPN.  The documentation is bad, so I am assuming that if we configure a LAN/LAN bridge, it will effectively act as a layer two switch, since a LAN/WAN bridge is obviously layer 3.

    Mark

  • Mark, you need someone knowledgeable to help you get started.  If your reseller doesn't have those competencies, ask Sophos Sales for recommendations.

    If you're trying to make an SG run with XG subscriptions, then this thread needs to be moved to the appropriate XG forum.  If you're trying to configure UTM 9.4 on an SG, then this is the correct forum.

    Cheers - Bob
