
RED 15 on the same subnet as UTM internal network?

Hi,

I'm trying to set up a RED 15 at a remote location, which should connect to our main office network behind a Sophos UTM 9.5. I followed the instructions here https://community.sophos.com/kb/en-us/116573 to set up a Standard/Unified tunnel and it mostly works. The problem I have is with our Alcatel-Lucent PBX, which will not communicate outside of its subnet. Since the RED and its clients are in a different subnet (as per the instructions) than our internal network, the PBX will not respond to any request from these PCs or phones. Unfortunately I can't change anything in the PBX, so I have to figure out how to configure the RED/UTM to get this to work.

I tried using the DHCP relay function (to an internal Windows Server), which only works if the RED has an IP within our main subnet. I'm able to get IP addresses for clients behind the RED, but they can't communicate at all. They can't even ping the DHCP server which issued the IP. The FW rules were left as in the instructions (RED -> Any -> Any).

I have not tried bridging the RED with our internal network, as that seems to be a pretty big deal and could cause too much downtime. I'd have to nuke our "Internal" interface, set up the bridge and then recreate/reapply all our FW/NAT/masquerading/VPN etc. rules and settings, unless there is a better way?

Any ideas how I can get clients behind the RED on the same subnet, or at least "appear to be" on the same subnet, as our main network?

Thanks



  • Your PBX might not have a (correct) gateway configured and therefore might not be able to correctly route to the RED location.

    If that is the case, it will only be possible for it to operate in its own subnet and that requires you to bridge your RED with your internal subnet.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I took a look at the traffic going in and out of the PBX. If I ping it from our internal network I can see the packets going in and the replies coming out of the PBX. If I ping from behind the RED, or even from a VPN client (both in different subnets), I can see the packets coming in, but no replies coming out of the PBX. The PBX just ignores the pings.

  • If your PBX has no (or an incorrect) default gateway, it will not know where to send replies and will not send any whenever the destination is outside its own subnet. If you cannot adjust this on the PBX, then there's really not much you can do other than making the "remote" systems local. A bridged RED network logically does this.

    You will still need to create a firewall rule in that case to allow traffic from Internal (Network) to Internal (Network) since otherwise this traffic is not allowed to pass the UTM.


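The failure mode described in the two replies above (a host that answers only on-link peers because its default gateway is missing, or points at itself) can be checked without touching the PBX by modelling its routing decision. The script below is an added example, not code from the original thread or from Sophos; the addresses (a 192.168.1.0/24 internal LAN, a 192.168.10.0/24 RED subnet, a 10.242.2.0/24 VPN pool, and a PBX at 192.168.1.50 whose gateway is set to its own IP) are constructed for illustration and are not the poster's real configuration.

```python
import ipaddress

# Constructed scenario, not from the thread: an internal LAN with a PBX whose
# "gateway" is its own address, plus an off-subnet RED network and VPN pool.
PBX_IP = "192.168.1.50"
PBX_PREFIX = 24
PBX_BAD_GATEWAY = "192.168.1.50"   # gateway == own IP: replies to other subnets are dropped
PBX_GOOD_GATEWAY = "192.168.1.1"   # what a working configuration would point at (assumed)

INTERNAL_CLIENT = "192.168.1.100"  # on the same /24 as the PBX
RED_CLIENT = "192.168.10.20"       # separate RED subnet, as per the KB article
VPN_CLIENT = "10.242.2.5"          # SSL VPN client on a different subnet
BRIDGED_RED_CLIENT = "192.168.1.200"  # RED client after bridging into the LAN


def reply_path(host_ip, prefix_len, gateway, src_ip):
    """Decide how a host would route a reply back to src_ip.

    Returns "direct" (on-link), "via <gateway>" or an "unreachable: ..." reason.
    This mirrors the reply's point: with no usable default gateway, only
    destinations inside the host's own subnet are reachable.
    """
    host = ipaddress.ip_address(host_ip)
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    src = ipaddress.ip_address(src_ip)

    if src in net:
        return "direct"                       # same subnet: ARP for it and answer
    if gateway is None:
        return "unreachable: no default gateway"
    gw = ipaddress.ip_address(gateway)
    if gw == host:
        return "unreachable: gateway is the host's own address"
    if gw not in net:
        return "unreachable: gateway is not on the local subnet"
    return f"via {gw}"                        # off-subnet, but a real gateway exists


def pbx_can_reply(src_ip, gateway=PBX_BAD_GATEWAY):
    """True if the PBX could send a reply to src_ip with the given gateway."""
    return not reply_path(PBX_IP, PBX_PREFIX, gateway, src_ip).startswith("unreachable")


def diagnose():
    """Run the thread's cases: internal ping works, RED/VPN pings get no reply,
    bridging (or fixing the gateway) restores replies."""
    return {
        "internal": pbx_can_reply(INTERNAL_CLIENT),
        "red_separate_subnet": pbx_can_reply(RED_CLIENT),
        "vpn_client": pbx_can_reply(VPN_CLIENT),
        "red_bridged": pbx_can_reply(BRIDGED_RED_CLIENT),
        "red_after_gateway_fix": pbx_can_reply(RED_CLIENT, PBX_GOOD_GATEWAY),
    }


if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case:24s} reply possible: {ok}")
    print(reply_path(PBX_IP, PBX_PREFIX, PBX_BAD_GATEWAY, RED_CLIENT))
```

The "red_bridged" case is the workaround the reply recommends: once the RED clients sit inside 192.168.1.0/24, the PBX answers them on-link and never needs its (broken) gateway. The "red_after_gateway_fix" case is the alternative the poster later pursues with the PBX vendor; either change is sufficient, but note that the bridged setup still needs the UTM firewall rule allowing Internal (Network) to Internal (Network) mentioned above.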

  • Hi,

    thanks! I got in touch with our PBX support and it seems you're right. The gateway address is configured to its own IP. Now I'm just waiting for them to fix it and I'll give it another try. Unfortunately I can't administer the PBX myself.