Hi,
I currently have a deployment with about 40 sites connecting to a data center via internet and MPLS.
Our data center MX is behind a Sophos UTM in one armed concentrator mode.
On the Sophos UTM I created all the firewall rules for the ports which the MX dashboard suggests under Help -> Firewall info, but it seems that AutoVPN in automatic mode is not working properly.
I can also see in the logs of the UTM that the MX is trying to communicate over a lot of UDP high ports - I guess this is related to the "automatic mode".
However, I'm not a big fan of those "any-any" firewall rules, so I am wondering if there is a recommendation for what ports need to be open from the MX to the internet and what ports may need to be forwarded from the internet to the MX appliance. I couldn't find any clear statement in the documentation on that.
Thank you.
Best regards
Tobi
While the connection to the VPN registry is easily added to a firewall in default settings (it's a UDP connection to 2 known IP addresses with destination port 9350), the actual VPN tunnels will be established using random outgoing ports, so it's impossible to limit these in the Sophos firewall.
Therefore you'll be better off manually configuring the NAT traversal so you can add the necessary port forwarding and firewall rules to your Sophos.
See here:
Use manual NAT traversal when:
There is an unfriendly NAT upstream
Stringent firewall rules are in place to control what traffic is allowed to ingress or egress the datacenter
It is important to know which port remote sites will use to communicate with the VPN concentrator
Some other interesting links:
Here is the info on automatic NAT traversal, which governs how the ports get allocated:
You can also use a manual port forward for AutoVPN traffic - and it sounds like this might be what you would like to do.
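To make the difference between the two modes concrete, here is an added example (not code from the thread, Meraki or Sophos): a small Python model of the narrowest UTM rule set each NAT-traversal mode allows, run over constructed flow records. The MX inside address, the two registry addresses, the manual port, the record format, and the assumption that manual-mode tunnels are sourced from the fixed port are all assumptions, not values from the thread.

```python
from ipaddress import ip_address

# Constructed values, not taken from the thread: the registry addresses are
# RFC 5737 documentation placeholders and the manual NAT-traversal port is an
# arbitrary example, not a Meraki default.
MX_IP = "10.0.0.2"
REGISTRY_IPS = {"192.0.2.10", "192.0.2.11"}
REGISTRY_PORT = 9350        # UDP, as stated in the thread
MANUAL_NAT_PORT = 32768     # assumed example value

def parse(line):
    """Parse one constructed key=value flow record (a simplification, not the
    real Sophos UTM log format) into a dict with integer ports."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    for key in ("src", "dst"):
        ip_address(rec[key])                      # reject malformed addresses
    return rec

def allowed(rec, mode):
    """Would the narrowest rule set for AutoVPN NAT-traversal `mode` pass this
    flow? Only UDP to and from the MX is modelled."""
    if rec["proto"] != "UDP":
        return False
    if rec["src"] == MX_IP:                       # outbound from the MX
        if rec["dst"] in REGISTRY_IPS and rec["dport"] == REGISTRY_PORT:
            return True                           # registry check-in, both modes
        if mode == "automatic":
            return True                           # random ports: any UDP out
        return rec["sport"] == MANUAL_NAT_PORT    # assumed: tunnel uses fixed port
    if rec["dst"] == MX_IP:                       # inbound to the MX
        if mode == "automatic":
            return rec["dport"] >= 1024           # whole high-port range needed
        return rec["dport"] == MANUAL_NAT_PORT    # the single forwarded port
    return False

def dropped(lines, mode):
    """Return the (src, sport, dst, dport) tuples the `mode` rule set drops."""
    return [(r["src"], r["sport"], r["dst"], r["dport"])
            for r in map(parse, lines) if not allowed(r, mode)]

# Constructed sample records: a registry check-in, a tunnel from a random
# high port, an inbound tunnel packet to the fixed port, and a TCP flow.
SAMPLE = [
    "proto=UDP src=10.0.0.2 sport=41003 dst=192.0.2.10 dport=9350",
    "proto=UDP src=10.0.0.2 sport=41003 dst=198.51.100.7 dport=50112",
    "proto=UDP src=198.51.100.7 sport=50112 dst=10.0.0.2 dport=32768",
    "proto=TCP src=10.0.0.2 sport=44000 dst=198.51.100.7 dport=443",
]

if __name__ == "__main__":
    for mode in ("automatic", "manual"):
        print(mode, "drops:", dropped(SAMPLE, mode))
```

In automatic mode only the TCP record is dropped, which is exactly the "UDP from the MX to anything" rule the question objects to; in manual mode the tunnel sourced from a random high port is dropped as well, because the rule set can be pinned to the one configured port.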
Thanks for your answers.
I think we'll stick to limiting the communication at least to the described UDP port ranges.
The problem with the manual port forwarding is that I can only configure 1 public IP... If we have an outage of the primary ISP in the data center then the VPN will not form over the backup ISP, right?
Thanks
Hmm, that is interesting.
I was just looking at a client's MX, and they have manual port forward configured and have dual WAN circuits. We are using SD-WAN - and the WAN ports are running AutoVPN active/active - and it is working.
One thing of note though is that their WAN2 has a public IP directly on it - so no NAT is required for AutoVPN to WAN2.