
Sophos UTM additional addresses.

Hi, Tony here (sorry, the temporary maintenance seems to have created me a new user and isn't offering me a login!)

I am trying to add an additional IP range to my Sophos UTM 9.413-4 (virtual appliance).

I have 6 physical interfaces. 2 of them are external, the other 4 are for local subnets and a phone system.

As part of a comms migration, 1 of the external interfaces is with our original provider, the other is patched directly to our new provider. We plan to move services to the new IP addresses by changing the A record and the interface address in the UTM.

Our current provider's external interface allows many different IP addresses to be used in Webserver Protection -> Web Application Firewall.

Our new provider has provided a range of IP addresses:

SUBNET - X.X.X.16/28
GATEWAY - X.X.X.17/28
USABLE - X.X.X.20 - X.X.X.30

I have set up the new interface with IP address X.X.X.20/28 and a gateway of X.X.X.17.

I have also added the additional IPs using Interfaces -> Additional Addresses for X.X.X.20 - X.X.X.30, using /32 for each address and setting the interface to match the new one. (I have also tried using /28 with no change to the outcome.)

On changing the A record to X.X.X.20 and changing the Webserver Protection -> Web Application Firewall -> Virtual Webserver -> (Intranet) Interface to "NEWIP X.X.X.20", I can access the site externally (it is using the new IP address I specified in the interface).

However - 

If I change the Virtual Webserver -> Interface to "NEWIP X.X.X.24" (one of the ADDITIONAL IP addresses), I cannot ping or access the site.

It appears none of the additional IP Addresses are responding. 

(If I edit the new interface IP address to X.X.X.24, I can use that IP. Whatever single IP I specify in the interface works; it doesn't seem to detect any of the additional IPs.)

The current provider IP range appears to be set up in the same way and works. I cannot see what rule or setting I have missed. Why does traffic flow for the interface-specified IP but not the additional IP addresses?

Can anyone offer any help?

Many thanks,

Best regards,

Tony

  • Did you select the correct interface (with the Address extension):


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you for the reply. Yes I selected the new additional IP in the Interface dropdown.

    If I set it to the SAME IP as the new interface, X.X.X.20, it works (obviously I have to change the A record on the domain).

    I can ping the interface main IP X.X.X.20 but not any of the other addresses.

    Do I need any additional firewall rules for the new IP addresses to work?

  • It shouldn't be necessary. Maybe you can ask the ISP if everything is set up correctly on their side, but I don't see why this wouldn't work.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Many thanks for your fast reply. I have raised the question with our ISP to check out the range configuration. I will reply, hopefully with a solution, as I get it.

  • Agreed with apijnappels, Tony - this is a routing problem that your ISP needs to resolve.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, 

    Many thanks to everyone for their help.

    I am not much further forward; the ISP cannot see any issues and has asked me to carry out a few tests. I suspect the problem is UTM related, as:

    I patched a Windows laptop directly to the same port in the router (in place of the UTM interface) and fixed the IP address and gateway. I am able to ping whatever IP address I fix the network card to; this works for X.X.X.20 and X.X.X.24 (no doubt the whole range), therefore traffic is getting to its destination?

    I think the problem relates to the configuration of additional addresses on the interface. (but there is very little to configure!)

    Am I right in accepting the IP addresses are responding/setup correctly and my problem must be UTM routing related?

    Any further suggestions/advice greatly appreciated.

    Many thanks

    Tony
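As an added diagnostic (not from this thread, Sophos, or any participant), one way to narrow the problem to the UTM side is to check whether the additional addresses are actually bound on the external interface at all: compare the provider's usable range against the output of `ip -4 addr show dev <iface>` taken on the UTM console (assuming the UTM shell exposes iproute2). The 203.0.113.16/28 block and the sample `ip addr` output below are constructed stand-ins for the X.X.X.16/28 range in the thread.

```python
import ipaddress
import re

# Constructed stand-in for the provider's X.X.X.16/28 block in the thread
# (203.0.113.0/24 is a documentation range, not a real assignment).
PROVIDER_SUBNET = ipaddress.ip_network("203.0.113.16/28")
GATEWAY = ipaddress.ip_address("203.0.113.17")
USABLE_FIRST = ipaddress.ip_address("203.0.113.20")
USABLE_LAST = ipaddress.ip_address("203.0.113.30")

# Constructed sample of `ip -4 addr show dev eth1` as it might look on a UTM
# shell. Only the primary /28 and one additional /32 are bound here, so the
# check should flag the rest of the usable range as missing.
SAMPLE_IP_ADDR = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 203.0.113.20/28 brd 203.0.113.31 scope global eth1
       valid_lft forever preferred_lft forever
    inet 203.0.113.24/32 scope global eth1
       valid_lft forever preferred_lft forever
"""

INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")


def bound_addresses(ip_addr_output: str) -> dict:
    """Map each IPv4 address bound on the interface to its prefix length."""
    found = {}
    for line in ip_addr_output.splitlines():
        m = INET_RE.match(line)
        if m:
            found[ipaddress.ip_address(m.group(1))] = int(m.group(2))
    return found


def expected_addresses() -> list:
    """Usable hosts from the provider, excluding network, gateway and broadcast."""
    return [a for a in PROVIDER_SUBNET.hosts()
            if USABLE_FIRST <= a <= USABLE_LAST and a != GATEWAY]


def check_interface(ip_addr_output: str) -> dict:
    """Report which usable addresses are bound, which are missing, and any
    bound address that falls outside the provider's subnet (a typo in the
    Additional Addresses list would show up here)."""
    bound = bound_addresses(ip_addr_output)
    expected = expected_addresses()
    return {
        "present": [str(a) for a in expected if a in bound],
        "missing": [str(a) for a in expected if a not in bound],
        "outside_subnet": [str(a) for a in bound if a not in PROVIDER_SUBNET],
    }


if __name__ == "__main__":
    print(check_interface(SAMPLE_IP_ADDR))
```

If every usable address shows as present, the kernel holds the addresses and the fault is further along (ARP/proxy settings or the ISP's routing); if they are missing, the Additional Addresses entries never took effect on that interface.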