
UTM interface to connect to on-the-premises router (behind the firewall) with a WAN IP

On this diagram we have several objects to look at

WAN IP = 12.12.12.35

LAN IP of UTM = 8.8.8.8

WAN IP of Router behind firewall = 12.12.12.36

LAN IP of Router behind firewall 8.8.8.4

How would you configure Port 4 to plug a cable from the UTM into the WAN port of the router?

I plan to configure interface X4 = 12.12.12.36/32 with proxy-ARP enabled.

Now, granted, if the firewall rules are correct to allow full IP from 12.12.12.36 to get out through the internet to connect to the defined router (10.10.10.10),

I think the UTM will see traffic from the defined router (10.10.10.10) from any source (port 2, WAN 12.12.12.35) and permit it to pass to port 4 (12.12.12.36). Transparent traffic???

In theory this should work, right?

If the router, because of the VPN tunnel policies, didn't need the WAN IP configured, a NAT rule would be sufficient.

Other alternative: create a DMZ IP for the interface and have the router's WAN IP changed, to avoid messing up the routing table.



  • I would change the WAN Interface definition to "Ethernet Bridge" and add NIC X4 to it.  Try first without Proxy ARP, but I bet you will need it.

    The alternative is to create a DMZ with a public subnet and to ask your ISP to route traffic to it via 12.12.12.35.  This requires no bridge and no Proxy ARP, but uses a separate Interface definition with an IP in the public subnet of the public DMZ.

    Both approaches require a firewall rule.

    Cheers - Bob
    PS Using the IPs of the Google name servers created cognitive dissonance when I first tried to understand what you wanted to accomplish.  I guessed that you meant IPs in 10.10.10.0/24, but I admit I'm still not clear.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry about the cognitive dissonance, I was trying to use a generic IP to illustrate the nature of the question.

    For the sake of this question let me use different IPs.

    My ISP has reserved 12.8.88.34/27 with gateway 12.8.88.33.

    The router's external IP is 12.8.88.39 and it points all traffic going to my site as a backup in case another router fails.

  • I guess I'm just dense today.  I don't understand the purpose of the internal router with a public IP that communicates through the External interface.  I don't understand why there would be other public IPs between that router's and the UTM's LAN interfaces.  I don't see the .39 IP on your diagram nor any place it could live unless as an Additional Address on the External interface, so there must be yet another router in the topology, or???  What, specifically, does "it points all traffic going to my site as a backup in case another router fails" mean?  What other router where?  Isn't this better handled with Uplink Balancing?

    I guess the real question I have is, "What are you trying to accomplish?"  Instead of trying to hash out the details of your approach, we should be deciding what approach to take first.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Real question is to replace my SonicWall that is working right now.

  • I believe I hijacked the NAT pool question and decided to get off that question and start a new topic, then realized I already have this topic opened so I am back...

    My brain has been hurting since I got a diagram from the datacenter showing this...

    Let's forget the Medvpn router, they have an emergency router in the datacenter they can use for now.

    To simplify this, what we know is: the firewall will use 10.141.12.86 as the gateway to the datacenter.

    A "show ip nat translation" on the router shows all traffic going to the datacenter using 3 subnets out of the 17 subnets learned.

    On the UTM I add 3 static routes for those 3 subnets to use 10.141.12.86 as the gateway.

    Primary physical route is configured

    Datacenter > MPLS > R1 Router > UTM/XG Firewall > LAN

    Primary gateway configured

    Datacenter > HSRP Router > LAN

  • Datacenter > MPLS > R1 Router to firewall is good.

    What about the R2 router?

    The R2 router goes to another router to the Datacenter.

    Full IP should work from the external IP of R2 to its host end routers that create the VPN tunnel to give redundancy to the datacenter in case the primary R1 goes down.

  • The R2 router has an internal IP of 10.141.12.84 and it's connected to my LAN within the firewall.

    The external and public IP is x.x.x.43 and it is connected to the firewall on its own interface.

    The firewall has a public IP x.x.x.34.

    How should R2 be configured to allow full IP to the other routers that create the VPN tunnel for a backup path to the datacenter?