Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 10 replies
  • Subscribers 4 subscribers
  • Views 17509 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing in UTM 2 UTM tunnel

ThomasRottig

Hi,


I have followed this post www.sophos.com/.../120157.aspx to setup an UTM 2 UTM tunnel.

I have setup the static routing and the firewall rules.

In principal it works fine, the tunnel is up, I can reach websites on the other network, I can even RDP to clients.

Unfortunatly not all is working yet  - i can't use ssh or smb or even ping from clients on net A to clients on Net B (but as I said RDP & http/s works from client to client).

i.e.
I am able to ping the remote UTM (B_UTM) from client A_1

I am able to ping client B_1 from UTM A_UTM (Using tools in the menu) (and vice versa)

I am able to access a website hosted on client B_1 from client A_1.

I am not able to ping client B_1 from client A_1. (yes ping forward is active on both UTMs)

I am not able to use smb hosted on client B_1 from client A_1.

I am able to RDP to client B_2 from client A_1 (cant test ping atm, client has been turned off)


From a routing point of view this should work - UTM_A is the default GW for Net_A, it has an active route via interface redc1 to UTM_B (and vice versa) and net_B is the primary net of UTM_B (with active route pointing to eth0) and UTM_B is the default gw for Net_B

The only weird thing I noticed is that the successfull web requests to client B_1 where originated from the Remote UTMs tunnel interface instead of the actual client A_1 IP.

I am quite lost here, I dont see anything why it wouldnt work :/




This thread was automatically locked due to age.
  • 0

    Does #1 in Rulz give you any clue?

    Cheers - Bob

    PS Moving this from VPN to RED forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    I will check, thanks for the pointer :)

    Edit: Wasnt sure if it was Red or Site2Site thats why it ended up there;)

  • 0 in reply to ThomasRottig
    So i have checked the various logfiles, no entries.

    I have then moved on to 3 and checked my definitions (and indeed found a single bound network which i removed the binding from), moved then to 3.1 and added a masq. entry from internal network on my redc1/s1 interface - still no luck.
  • 0 in reply to ThomasRottig
    Requiring a masq rule for an Internal or RED interface is a sign of a violation of #3 or #3.1. It sounds like you've already checked all of your Host/Network definitions for #3, so you can disable the masq rule(s) on the Internal & RED interface(s). Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Well there was no success without the masq rules and none with them, so i have by now removed them again - no difference.
    I am quite suprised that RDP is routed properly though and SSH or smb/cifs traffic is not; but i am not knowledgeable enough in protocol routing to really understand it.
  • 0 in reply to ThomasRottig
    Ok, lets put it differently - if I follow the guide mentioned above to connect 2 sites - is there anything else that needs to be done besides firewall rules and gateway routing definition to enable all clients on UTM_A to talk to clients on UTM_B ?
  • 0 in reply to ThomasRottig
    That should work, Thomas. I guess we're down to having to look at your configuration. Please click on 'Use rich formatting' and insert pictures of each item open in Edit.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Sorry to be a bother :/

    I assume routing is the main focus here as the tunnel is up& running? Let me know if you need more details/screenshots

    Client Side network is 192.168.124.0/22, Tunnel Endpoint IP is 192.168.119.2

    Server Side network is 192.168.120.0/24, Tunnel Endpoint IP is 192.168.119.1

    This is client side:


    Server Side

    I have tested Firewall with Any Any Any on both sides, no difference, so i dont think thats it...

  • 0 in reply to ThomasRottig
    Routing is not the problem, that's all perfect. After seeing that, I made myself a diagram and listed graphically what works and what doesn't work.

    I think you missed something in the Firewall log though. Fire up the Firewall Live Log on both UTMs and then try pinging B_1 from A_1. "Any" only includes TCP and UDP, not ICMP, etc. - for example, you will need a firewall rule in UTM-B allowing pings from the A subnet to devices in the B subnet.

    The SMB share is probably a setting in B_1 requiring all accesses to come from inside its subnet.

    Please share your results.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    You were almost right :)
    I had checked the firewall logs already, nothing showed up in there while trying ping tests nor cifs/shh.
    But when I explicitly added cifs/ssh (in addtion to <any> service) I saw that the inbound packages were sent with a wrong source IP which I then could trace to a SNAT rule on client side (which is behind an internet router).
    As soon as I removed that SNAT rule to the target systems things started to work (still no ping but thats not really needed).

    Thank you very very much - i dont think I would have found that without your help:)

Unfiltered HTML