
Management Access over IPSec VPN with Inside Interface

I have two remote XG Firewalls with identical configs; both firewalls are on dynamic IP internet connections, which obviously keep changing. To get around this from a management point of view, I want to connect to the inside interface of the firewall to manage them using the internal LAN gateway IP.

The first firewall I set up works: I can connect to https://172.16.x.x:4444. The second firewall won't let me in!

However, on the second firewall I can ping the inside interface, and even SSH into the management (port 22), but HTTPS on :4444 shows as an open port (with an nmap scan) and no web browser can connect.

I have added the device access rule (pictured below), which is identical to the other firewall. (172.20.0.0/12 + outside IP of head office firewall)

Again, both firewalls have identical configs, and if you're wondering, yes, I can connect to the inside interface from a computer on the local subnet. It's only when I try to access it from head office over the VPN, and it only affects :4444, not SSH or ping.

Checking the head office side firewall logs, it's not blocking the packets; it can see them going out, so it's the Sophos not responding.

What am I missing?

  • Hi,

    Is the same SFOS version on both? Which software/OS are you using for the VPN?

    Could you try to ping with a bigger packet size? (ping -s)

    Why do you create specific ACL rules in device access? Can't you use the LAN/WAN/VPN service access?

  • Hi,

    The reason I use the ACL rule is for the WAN side; this way it's restricted so only my public IP from the "head office" side can access it and not the whole internet (this works fine).

    Using large pings, I seem to be able to ping up to around 55,000 bytes.

    I'm running the latest firmware on both; I ran the updates on the existing firewall last week and downloaded the latest for the 2nd firewall on Friday (which is the one with the issue).

    It's just a normal IPsec VPN.

    As you can see, if I run an nmap on it, the ports are open, but it doesn't let me browse to 4444; however, I can PuTTY into 22.

    As you can see here, SSH is straight in, but trying to browse to it (in any browser) I'm denied.

  • Hi,

    Could you dump these requests on the XG?

    I observed the same issue with IPsec.

    I could fix it by reducing the MTU size of the IPsec tunnel.

    Cheers

  • Not sure what you mean by "dump on the xg this requests".

    The Sophos is sitting behind an ADSL router which is not in bridge mode; as it's doing NAT and routing between ADSL and Ethernet, it's doing the MTU adjustments.

    If I were to decrease the MTU on the Sophos, the router it's plugged into would still send at 1500 and break it.

    I have to leave it in route mode as it will be replaced soon with NBN (FTTC), and the Telstra modem needs to stay in route mode for the phone to work; otherwise I would just bridge it and drop the MTU as mentioned.

    Cheers,

    SW
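To test the MTU hypothesis raised in the replies above, the following script (an added example, not from this thread or from Sophos) binary-searches the largest DF-set ping payload that crosses the tunnel, then derives the path MTU and a TCP MSS clamp that fits it. It assumes Linux iputils `ping` (`-M do` sets the DF bit; macOS uses `-D` instead); `TARGET` is a constructed placeholder for the remote firewall's inside interface.

```shell
#!/usr/bin/env bash
# Added example: probe the usable path MTU across an IPsec tunnel with DF-set pings.
# Assumes Linux iputils ping. TARGET is a constructed placeholder address.
set -u

TARGET="${TARGET:-172.16.1.1}"   # constructed: inside interface of the remote XG

# probe PAYLOAD: returns 0 if an ICMP echo of PAYLOAD bytes with DF set gets a reply.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# find_max_payload LO HI: largest payload in [LO, HI] that probe accepts; 0 if none.
find_max_payload() {
    local lo=$1 hi=$2 best=0 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid"; then
            best=$mid          # this size passed; search larger
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))  # fragmentation needed; search smaller
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: add 8-byte ICMP header and 20-byte IPv4 header.
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss MTU: TCP MSS that fits the path MTU (20-byte IPv4 + 20-byte TCP headers).
mtu_to_mss() { echo $(( $1 - 40 )); }

main() {
    local payload mtu
    # 1472 is the payload that fills a 1500-byte Ethernet MTU exactly.
    payload=$(find_max_payload 1000 1472)
    if [ "$payload" -eq 0 ]; then
        echo "no DF-set echo got through; check reachability of $TARGET" >&2
        return 1
    fi
    mtu=$(payload_to_mtu "$payload")
    echo "largest unfragmented payload: $payload bytes"
    echo "path MTU through the tunnel:  $mtu bytes"
    echo "suggested TCP MSS clamp:      $(mtu_to_mss "$mtu") bytes"
}

# Only touch the network when explicitly requested: RUN_PROBE=1 ./mtu-probe.sh
if [ "${RUN_PROBE:-0}" = 1 ]; then main "$@"; fi
```

A result well below 1500 is consistent with the symptom described in this thread: small SSH and ICMP packets pass, while the full-size TLS records of the :4444 admin page exceed the tunnel's effective MTU and never get a reply.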
