
SSL VPN setup: users can VPN in, but can't reach the local LAN.

Good morning all, 

I have an XG 125 (fw 17.0.5 MR-5) with the total protect bundle.

I'm trying to set up the SSL VPN for user remote access, and am following these guides exactly.

https://community.sophos.com/kb/en-us/122769

Also checked this one, which is pretty much the same.

https://shred086.wordpress.com/2017/12/06/setting-up-ssl-vpn-access-to-lan/

Also tried the troubleshooting guide.

https://community.sophos.com/kb/en-us/127189


Basically, I can create the VPN connection, just can't see anything on our internal LAN.

Pings, tracerts, intranet pages, nmap... nothing on the LAN responds.

I'm guessing there is a problem with the FW rule as I'm getting connected OK, just the traffic isn't routing over to the LAN.


Firewall rule

Rule: Apply "None" app filter, "None" web filter, for "DL_VPN_Group" group, when in "VPN" zone, and coming from "remote SSL VPN Range" network

Source & Schedule
    Source Zone: VPN
    Source Networks and Devices: remote SSL VPN Range
    During Scheduled Time: All the Time

Destination & Services
    Destination Zone: LAN
    Destination Networks: Any
    Services: Any

On the VPN client laptop, a route print shows that the routes created by the VPN are correct.


Is there a step I'm missing?


Any pointers would be really appreciated; I'm new to Sophos FWs and still finding my feet.

Many thanks

Dave



  • The packet capture is very useful to solve this type of problem.

    Go to it and configure it to monitor the host that will receive or forward the ping (host x.x.x.x and icmp). Notice now in which rule the requests are matching.

    Also ensure the firewall rule allows the return of the requests (Source Zone: VPN and LAN, Source Network: LAN network and VPN pool, Destination Network: LAN network and VPN pool).

    Also uncheck the "match known users" option.

    Kind regards.

  • Thanks for the reply Bruno.

    I modified the FW rule to have:

        Source: VPN and LAN,

        Source network: LAN subnet and VPN pool,

        Destination: LAN and VPN pool.

        (Wouldn't this mean VPN clients could see each other also?)

    Also unchecked the "match known users" option.

    Then jumped over into the packet capture page and entered my VPN client IP in source, and I can see all the requests coming in from the client.

    Then moved the same IP into destination (outbound traffic) and there was nothing.

    So it would appear that my inbound traffic is working, it's just not getting back out!

    Though, if I've added both destination and source as described above, does this mean it should work?

    Or do I need to add my own routing in for this?

    Thanks in advance

    Dave

  • I think Bruno was referring to the packet capture feature rather than the log viewer.

    The packet capture can be found by going to Diagnostics on the left > Packet Capture > press Configure > enter 'Host *IP address* and ICMP' > Save > turn on the capture.

    Is it possible that the device you are trying to ping is not responding to ICMP?

  • Thanks for the reply Sam.

    Yeah, that's what I was doing. I can see inbound requests for access to HTTP, RDP and ICMP, but nothing for outbound responses.

    I'm not just checking pings, I was trying to access servers, intranet pages and performing NMAP searches.

    Thanks

    Dave

  • Ah OK sorry I misunderstood.

    Do the inbound requests show a rule ID? If it shows as 0 it is being dropped.

    Are you a license customer?

  • Hi Sam, this is what I'm seeing when I filter on the source IP (my laptop that's VPN'd in).

    Rule 6 is my VPN rule.

    When I set my destination IP to be my laptop, it's just blank.

    thanks

    Dave

  • Thanks Dave.

    Looks like the target device might not be responding.

    Can you open a case with support and send me the case ID? I can take a closer look for you.

  • Thanks Sam

    Case #7952826

    Best regards

    Dave

  • Traffic was unable to route back to the XG firewall as my internal servers had a different default gateway.

    Enabling masquerading (rewrite source address) within the firewall rule allowed the traffic to route back to the XG.

    Thanks for all your help Sam.
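Dave's resolution is a classic asymmetric-routing case: the server receives the request from the VPN pool address, but its reply follows its own default gateway rather than going back through the XG. The Python model below is an added example (not code from the thread or from Sophos) that walks a constructed server routing table for the reply and shows why masquerading fixes it; all addresses are assumptions, and the static-route alternative it also shows goes beyond what the thread discusses.

```python
import ipaddress

# Constructed addresses (assumptions for this example, not values from the
# thread): the XG's LAN interface, a second router that the internal servers
# use as their default gateway, and the SSL VPN pool / client address.
XG_LAN_IP = ipaddress.ip_address("192.168.1.1")
OTHER_GATEWAY = ipaddress.ip_address("192.168.1.254")
VPN_POOL = ipaddress.ip_network("10.81.234.0/24")
VPN_CLIENT_IP = ipaddress.ip_address("10.81.234.6")

# The internal server's routing table as (prefix, next hop);
# a next hop of None means the prefix is directly connected.
SERVER_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), OTHER_GATEWAY),
]


def next_hop(routes, dst):
    """Longest-prefix match: the address the server hands the packet to
    (dst itself when the matching prefix is directly connected)."""
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def reply_returns_via_xg(routes, masquerade):
    """Model the server's reply to one request the XG forwarded from the VPN.
    Without masquerading the server replies to the VPN pool address; with it
    the XG has rewritten the source to its own LAN address, which is on-link."""
    reply_dst = XG_LAN_IP if masquerade else VPN_CLIENT_IP
    return next_hop(routes, reply_dst) == XG_LAN_IP


def with_vpn_pool_route(routes):
    """Alternative to source NAT: a static route for the VPN pool via the XG
    (on the server or on its default gateway) makes replies symmetric."""
    return routes + [(VPN_POOL, XG_LAN_IP)]


if __name__ == "__main__":
    print("no masquerade :", reply_returns_via_xg(SERVER_ROUTES, False))
    print("masquerade    :", reply_returns_via_xg(SERVER_ROUTES, True))
    print("static route  :", reply_returns_via_xg(with_vpn_pool_route(SERVER_ROUTES), False))
```

The first call returns False, matching what Dave saw in the capture (requests inbound, no replies), while both fixes return True.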
