
#1  Raoul (Junior Member; Joined Sep 2010; Oxfordshire, United Kingdom; 26 posts)
Posted 07-07-2011, 08:46 AM
Subject: 2 Astaro RED devices with same Subnet

Hello,

I have a small problem where I have 2 RED devices installed in different locations.
The problem is that the local networks in the branch offices (where the RED devices are installed) have the same subnet (192.168.1.x).

After installing the RED devices in these locations, only one will work properly. E.g. the remote site (branch office) can talk to the HQ.

Btw.. I am using Transparent/Split mode on these RED devices.

Is this correct and besides changing the subnet in one branch office, is there another solution?

Thank you,
Raoul.
#2  Scott_Klassen (Agent of the System; Joined Feb 2006; 4,593 posts)
Posted 07-07-2011, 09:04 AM

The only guidance I can find is at: https://support.astaro.com/support/i...on_RED_and_LAN
#3  Raoul (Junior Member; Joined Sep 2010; Oxfordshire, United Kingdom; 26 posts)
Posted 07-07-2011, 09:18 AM

Scott,

Thank you for the quick response...

Using the bridge function, will this not override the IP addresses in the branch offices?

It is critical that I maintain the local subnets in the branch offices.

Raoul
#4  BAlfson (Grandis Professorem Astaro; Joined Mar 2007; Oklahoma City; 20,058 posts)
Posted 07-07-2011, 01:11 PM

I would redo all of your subnetting. 192.168.x.0/24 is commonly used in homes, Internet hotspots and such. If you change one, your problems will begin again when someone connects to remote access from a subnet you're using. Given your size, I'd probably use subnets in 172.16.0.0/12 rather than 10.0.0.0/8.

Cheers - Bob

#5  tom (Super Moderator; Joined Nov 2000; Heidelberg, Germany; 1,359 posts)
Posted 07-07-2011, 02:20 PM

Hi Raoul,

We currently do not support full NAT (or shadow networking) on the _same_ ASG. The only solution is to hook up one of the REDs to a second ASG and do a 1:1 NAT mapping on its output interface to the other ASG.

/tom
#6  SPlischewski (Junior Member; Joined Dec 2012; Hannover, Germany; 2 posts)
Posted 12-28-2012, 07:56 AM

Here's my scenario:
- 1 headquarters (HQ)
- multiple branch offices, each with the identical IP range 172.20.0.0/24
- communication is just headquarters <-> remote branch (not branch <-> branch)
- HQ needs to access branch hosts
- branches need to access HQ resources

As UTM9 supports new types of NAT (Full, 1:1, ...), is it now possible to place RED devices in multiple remote locations running the same subnet?

If not, is there a work around other than setting up transfer nets in the branches (i.e. Router -> RED -> NAT -> LAN)?

Thanks in advance

Running ASG220 UTM9, RED10 v3, AP30
#7  BAlfson (Grandis Professorem Astaro; Joined Mar 2007; Oklahoma City; 20,058 posts)
Posted 12-28-2012, 02:02 PM

Hello, and welcome to the User BB!

I think you've identified the only possible workaround - UTM9 only simplifies what needs to be done at HQ, but it can't solve the problem on the other side of the REDs. Unless you already own NATting routers in the branches that are capable of doing the 1:1-type NAT that UTM9 can do, I bet your most cost-effective solution is to redo the subnetting in your branch offices.

Cheers - Bob
#8  BrucekConvergent (Master of Reality; Joined Oct 2005; SC, USA; 4,837 posts)
Posted 12-28-2012, 02:25 PM

The correct answer is what Bob has suggested; you need to change the subnet(s) at one or more of the branch offices; 192.168.1.0/24 and 192.168.0.0/24 are very bad choices for business / corporate network addressing.

Working around it will only create future headaches.
#9  SPlischewski (Junior Member; Joined Dec 2012; Hannover, Germany; 2 posts)
Posted 12-28-2012, 02:45 PM

Unfortunately, restructuring the IP ranges is not an option.

My workaround will be, as mentioned, to place a NAT box between RED and LAN, creating a transfer network which will be unique to each branch. Through the NAT, the IPs will then be mapped to the appropriate hosts in the branch LAN.

Thanks anyway, I'll keep tuned
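The transfer-net workaround that tom (#5), Bob (#7) and S. Plischewski (#9) describe amounts to a 1:1 prefix translation per branch: every branch keeps 172.20.0.0/24 locally, but HQ sees each branch under its own, unique prefix. The script below is an added example for this thread, not code from the forum or from Astaro/Sophos. It plans one transfer net per branch (refusing anything that overlaps HQ, the shared LAN, another branch, or the 192.168.0.0/16 range Bob warns about), computes the translated address of a given host, and emits iptables NETMAP rules for a Linux NAT box placed Router -> RED -> NAT -> LAN. The HQ prefix 172.16.0.0/16, the transfer pool 172.24.0.0/16, the interface names red0/lan0 and the choice of a Linux/iptables box for the branch side are all assumptions.

```python
"""Plan and emit the per-branch 1:1 NAT ("transfer net") workaround discussed
in this thread. Added example, not Astaro/Sophos code. Assumed values:
HQ uses 172.16.0.0/16, every branch LAN is 172.20.0.0/24 (as in post #6),
transfer nets are carved from 172.24.0.0/16, and the NAT box's interfaces
are red0 (towards the RED) and lan0 (towards the branch LAN)."""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# Prefixes the planner refuses to use for transfer nets because home routers
# and hotspots hand them out (Bob's warning in #4). Assumed list.
AVOID = [ipaddress.ip_network("192.168.0.0/16")]


def netmap(addr: str, src: str, dst: str) -> str:
    """1:1 prefix translation as iptables NETMAP does it: keep the host bits
    of addr, replace the network bits of src with those of dst."""
    src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs prefixes of equal length")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(ip) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def allocate_transfer_nets(branch_lan: str, branches: List[str], pool: str,
                           hq_nets: List[str]) -> Dict[str, IPv4Net]:
    """Give each branch a transfer net of the same size as the shared LAN,
    carved from pool and disjoint from HQ, from the shared LAN, from AVOID
    and from every transfer net already handed out."""
    lan = ipaddress.ip_network(branch_lan)
    taken = [ipaddress.ip_network(n) for n in hq_nets] + [lan] + AVOID
    candidates = ipaddress.ip_network(pool).subnets(new_prefix=lan.prefixlen)
    plan: Dict[str, IPv4Net] = {}
    for name in branches:
        for cand in candidates:          # generator: resumes where it stopped
            if any(cand.overlaps(t) for t in taken):
                continue
            plan[name] = cand
            taken.append(cand)
            break
        else:
            raise RuntimeError(f"pool {pool} exhausted before {name}")
    return plan


def nat_box_rules(branch_lan: str, transfer: str,
                  red_if: str = "red0", lan_if: str = "lan0") -> List[str]:
    """iptables rules for the box placed Router -> RED -> NAT -> LAN.
    HQ addresses branch hosts by their transfer address; the box rewrites
    destinations arriving from the RED and sources leaving towards it.
    NETMAP is conntrack-based, so replies are translated back automatically."""
    return [
        # HQ -> branch: 172.24.1.15 becomes 172.20.0.15
        f"iptables -t nat -A PREROUTING -i {red_if} -d {transfer} "
        f"-j NETMAP --to {branch_lan}",
        # branch -> HQ: 172.20.0.15 is seen at HQ as 172.24.1.15
        f"iptables -t nat -A POSTROUTING -o {red_if} -s {branch_lan} "
        f"-j NETMAP --to {transfer}",
        # forwarding between the two sides (a DROP default policy is assumed)
        f"iptables -A FORWARD -i {red_if} -o {lan_if} -d {branch_lan} -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {red_if} -s {branch_lan} -j ACCEPT",
    ]


if __name__ == "__main__":
    plan = allocate_transfer_nets("172.20.0.0/24", ["branch-a", "branch-b"],
                                  "172.24.0.0/16", ["172.16.0.0/16"])
    for name, net in plan.items():
        print(f"# {name}: 172.20.0.0/24 is reached from HQ as {net}")
        for rule in nat_box_rules("172.20.0.0/24", str(net)):
            print(rule)
    # host .15 in branch-b: HQ must use the translated address
    print(netmap("172.20.0.15", "172.20.0.0/24", str(plan["branch-b"])))
```

The branch hosts keep their 172.20.0.x addresses and default gateway; only the HQ side changes, where each transfer net has to be routed towards the corresponding RED and HQ hosts address a branch machine by its translated address. Branch-to-branch traffic is not covered, matching the requirement in #6.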