Using Policy Routes to Route Services Through RED Tunnel

I have a challenge.  My job has two locations and manages UTM appliances for clients using the SUM.  The client UTM appliances are configured only to allow WebAdmin requests coming from the public IP of the main office.

To accomplish this, I have created a RED tunnel between the main office and branch office.  The tunnel works beautifully.  I have also added the necessary firewall rules and masquerading rules to allow the branch office to access the internet using the public IP of the main office.  Currently, the static routes are configured only to route traffic destined for the corporate network through the tunnel and internet traffic goes out through the branch office's WAN connection.

The idea is to have a split tunnel, but have any traffic destined for port 4444 on a public network route through the tunnel.  I have configured a policy route on the branch UTM as follows.

Type: Gateway Route

Source Interface: Any

Source Network: Internal (LAN)

Service: WebAdmin

Destination Network: Internet IPv4

Gateway: IP of RED Interface on main office UTM

It looks like the policy route is working, but the traffic dies at the main office UTM.  I have checked the firewall rules and confirm they allow internet access from the branch office.   Confirmed that the proper masquerading rules are in place.  I can't seem to get this to work properly.

  • Nick, there's not enough detail to be certain, but I think this is a routing problem at the main office.  If you already have a masq rule there, then it may not be the one you want.  Please show us pictures from the main office UTM of Edits of the RED configuration, the Policy Route, the Host/Network definitions included and the masq rule.

    If you try from the SUM in the main office, can it connect to WebAdmin at the client sites?

    Cheers - Bob

    PS I've moved this to the RED forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply Bob.  When in the office, I have no problems accessing WebAdmin at client sites from the SUM.  Please see my configuration below.

    This is the interface for the RED on the office UTM.  It is currently turned off because it doesn't work as needed.

    Below is the static route on the office UTM.  The network definition Nick-Home-Office is 172.16.0.0/24

    Firewall rule on the office UTM.  I configured this to allow my home network access to the office network, but not allow the office network access to the home network.  Office network resources are still available.

    Masquerading rules on office UTM:

    RED interface on my home UTM.  Again, this is turned off because it's broken.

    Static route on home UTM.  BMB network definition is 192.168.20.0/24

    Policy Route on home UTM.  Network definition for BMB-RED Gateway is 10.30.30.1

    Firewall rule on home UTM

  • Thanks, Nick - my initial assumption was that you were using a RED device instead of another UTM.  Let's test with a masq rule to see if things work with it.  If so, that will prove it's a routing problem.

    Nick-Home-Office -> Nick-RED

    Any luck with that?

    Cheers - Bob

  • Thanks Bob.  Unfortunately, that didn't do the trick.  I tried having the masq rule by itself and in addition to Nick-RED > Optimum Ultra.

  • Hi Nick,

    I am a bit confused, but if you configure that Policy route, then it will send the traffic OUT NATed with the RED interface IP. It will not NAT it with the public IP address. I may be wrong; I had a sleepless night. Any help?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Nick, please show a picture of the Edit of the rule that didn't work.

    Cheers - Bob

  • Unfortunately, that didn't help.  It does make sense since the policy route sends traffic to the RED interface.