Cisco ASA Question - Hairpinning?

roshi321
Level 1

Five years ago we merged two companies, each with its own network and different software applications for external clients to access. Company A has a Sophos UTM 9 firewall with the inside LAN on 10.200.80.0/24, and Company B has a Cisco ASA 5510 with the inside LAN on 172.20.1.0/24. Both have VPN connections going to their respective networks.


Because the ASA 5510 went end of life last year, I am in the process of trying to move all of our VPN connections from the ASA to our Sophos firewall on the COMPANY A network. Until now, I have kept the COMPANY A and COMPANY B networks separate. Our plan is to utilize an unused interface on the Sophos firewall to connect to the COMPANY B network and have all the VPN connections go through the Sophos without readdressing the COMPANY B network. The ASA internal LAN interface and the Sophos internal COMPANY B interface are connected to the same unmanaged switch on the COMPANY B network.


The problem I am running into appears to be routing in the ASA. I can bring up a VPN tunnel on the Sophos pointed to the COMPANY B network, but cannot get traffic to pass.


I have tried setting a static route in the ASA directing all traffic destined for my test network (172.20.91.0) through the Sophos interface (172.20.1.6). If I set a static route on one of the COMPANY B terminal servers (route add 172.20.91.0 mask 255.255.255.0 172.20.1.6), I can log into that terminal server through the VPN from my test network to the Sophos. I was expecting to be able to put that static route in the ASA for each remote network as they are moved, since the ASA inside interface (172.20.1.10) is currently the default gateway for all the COMPANY B servers.


I have entered the command “same-security-traffic permit intra-interface” in the ASA with no luck.


Am I missing something simple like a rule or something that I need to add to the ASA? Once I remove all of the VPNs from the ASA, I will just change the default gateway on all the COMPANY B servers to point to the Sophos.

1 Reply
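An added configuration example, not from the original post or any reply, showing what an ASA-side setup for the hairpin described above looks like and why `same-security-traffic permit intra-interface` alone is not enough. It assumes ASA 8.4-or-later NAT syntax on the 5510, an inside interface named `inside`, the addresses given in the post (ASA 172.20.1.10, Sophos 172.20.1.6, remote test network 172.20.91.0/24), and that the Sophos delivers the forward packets directly to the servers on the shared switch, so the ASA sees only the servers' replies. With that topology the ASA is on only one half of every TCP connection: the server's SYN-ACK arrives with no matching connection entry and, because the first packet of a TCP flow must be a SYN, the ASA drops it. The intra-interface permit allows a packet to leave on the interface it arrived on but does not create state for a connection whose SYN the ASA never saw, which matches the symptom of a tunnel that comes up but passes no traffic. The object, ACL, class-map and policy-map names below are made up for the example.

```cisco
! Added example (not from the post). Assumes ASA 8.4+ syntax, interface "inside"
! at 172.20.1.10/24, Sophos COMPANY B interface at 172.20.1.6, and 172.20.91.0/24
! as the first remote network moved to the Sophos.

! 1. Allow traffic to enter and leave the same (inside) interface.
same-security-traffic permit intra-interface

! 2. Send the remote network toward the Sophos on the inside segment.
route inside 172.20.91.0 255.255.255.0 172.20.1.6 1

! 3. Identity NAT so no existing NAT rule rewrites LAN <-> remote traffic.
!    route-lookup makes the ASA use the routing table above for the egress interface.
object network LAN-B
 subnet 172.20.1.0 255.255.255.0
object network REMOTE-91
 subnet 172.20.91.0 255.255.255.0
nat (inside,inside) source static LAN-B LAN-B destination static REMOTE-91 REMOTE-91 no-proxy-arp route-lookup

! 4. The ASA only ever sees the server -> Sophos half of each connection (the
!    Sophos -> server half stays on the switch), so bypass TCP state checking
!    for exactly this traffic. Keep the ACL as narrow as the migration allows.
access-list BYPASS-91 extended permit tcp 172.20.1.0 255.255.255.0 172.20.91.0 255.255.255.0
access-list BYPASS-91 extended permit tcp 172.20.91.0 255.255.255.0 172.20.1.0 255.255.255.0
class-map TCP-BYPASS-91
 match access-list BYPASS-91
policy-map inside-policy
 class TCP-BYPASS-91
  set connection advanced-options tcp-state-bypass
service-policy inside-policy interface inside
```

To confirm the diagnosis before changing anything, `show asp drop` on the ASA should show the dropped replies counted under the TCP not-SYN reason while a login attempt from the test network is running, and `packet-tracer input inside tcp 172.20.1.20 49152 172.20.91.10 3389` (source and destination hosts assumed) walks the ASA's own decision for the return direction. If the ASA already has a policy-map applied to `inside`, add the class to that policy instead of creating a second one. TCP state bypass switches off TCP normalization and stateful inspection for the matched flows, so it is a migration aid, not a permanent setting: scope the ACL to the remote networks actually being moved and remove the bypass once the servers' default gateway points at the Sophos. The per-server static route the poster tested works because it keeps the whole connection off the ASA; that remains the cleanest option where the number of servers is manageable.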

roshi321
Level 1

I understand it's a very difficult thing to accomplish. No answer so far.