Sophos UTM additional addresses.

Hi, Tony here (sorry, the temporary maintenance seems to have created me a new user and is not offering me a login!).

I am trying to add an additional IP range to my Sophos UTM 9.413-4 (virtual appliance).

I have 6 physical interfaces. 2 of them are external, the other 4 are for local subnets and a phone system.

As part of a comms migration, 1 of the external interfaces is with our original provider; the other is patched directly to our new provider. We plan to move services to the new IP addresses by changing the A record and the interface address in the UTM.

Our current provider's external interface allows many different IP addresses to be used in Webserver Protection -> Web Application Firewall.

Our new provider has provided a range of IP addresses:

SUBNET - X.X.X.16/28
GATEWAY - X.X.X.17/28
USABLE - X.X.X.20 - X.X.X.30

I have set up the new interface with IP address X.X.X.20/28 and a gateway of X.X.X.17.

I have also added the additional IPs using Interfaces -> Additional Addresses for X.X.X.20 - X.X.X.30, using /32 for each address and setting the interface to match the new one. (I have also tried using /28 with no change to the outcome.)

On changing the A record to X.X.X.20 and changing the Webserver Protection -> Web Application Firewall -> Virtual Webserver -> (Intranet) interface to "NEWIP X.X.X.20", I can access the site externally (it is using the new IP address I specified in the interface).

However:

If I change the Virtual Webserver -> interface to "NEWIP X.X.X.24" (one of the additional IP addresses), I cannot ping or access the site.

It appears none of the additional IP addresses are responding.

(If I edit the new interface IP address to X.X.X.24, I can use that IP. Whatever single IP I specify in the interface works; it doesn't seem to detect any of the additional IPs.)

The current provider's IP range appears to be set up in the same way and works. I cannot see what rule or setting I have missed. Why does traffic flow for the IP specified on the interface but not for the additional IP addresses?

Can anyone offer any help?

Many thanks,

Best regards,