Forum Post: SNAT not working

Hello,

I have Sophos UTM 9 at 3 sites; each one has a WAN interface and a VPN MPLS link. I need to configure the appliance to send traffic to a specific IP in the head office via the VPN MPLS route, and all other traffic via the IPsec tunnel established over the WAN interface. In the head office I have a Sophos XG, and when I look at tcpdump for incoming traffic, I see that it is using the IPsec tunnel and not the SNAT rule that sends it over the VPN MPLS.

Note: I use NAT to distinguish between traffic coming via VPN MPLS and via IPsec VPN, so here is the policy that I should configure:

1: In the remote site: if the source IP is 172.16.1.0/24 (remote office subnet) and the destination is 10.10.10.42/32 (server in the head office), then apply SNAT 172.16.1.0/24 -> 192.168.1.0/24 and forward it to the VPN MPLS router.

In the head office: the VPN MPLS router (10.10.10.4) is located in the LAN, so the destination IP 10.10.10.42 is directly connected; it sends the traffic to it, and when the server replies it sends the traffic to the GW, the Sophos XG 10.10.10.10. In the Sophos XG I added a static route to 192.168.1.0/24 to send it to the VPN MPLS router (10.10.10.4), and I added a firewall bypass for the server address because this is an asymmetric route.

2: In the remote site: if the source IP is 172.16.1.0/24 and the destination is 10.10.10.0/24, then send it via the IPsec tunnel.

When I look at tcpdump on the XG firewall, I see traffic on the ipsec0 interface coming from 172.16.1.0/24, but nothing from 192.168.1.0/24 (the NATed subnet).
