
SSL VPN cannot access internal network other than LAN?

I have an XG 210 firewall appliance.

I have a SSL VPN (Remote Access) policy for connecting to my internal Office LAN, and it works great. From the SSL VPN client, I can ping devices on my internal Office LAN, get to network shares, and run applications that connect to internal databases. I can do anything I need to do.

I just built another physically separate Voice LAN for an IP phone system. My phone vendor wants to be able to remote-in to the PBX to do configurations and such.

I set up a DHCP server for the Voice LAN, and devices get the Voice zone IP address for a default gateway.

I created another SSL VPN (Remote Access) policy, and duplicated the setup from my Office-side policy. I created a local user for the vendor guy, and permitted it to access the Voice network. I created an "SSL VPN to Voice" firewall rule, from VPN zone/SSL VPN address pool to Voice zone/Voice Network, and "match known users" with the vendor user account added.

Under Administration|Device Access, I made sure to check the Ping/Ping6 and SSL VPN checkboxes for my Voice zone.

From home, I can download the Windows SSL VPN Client and configuration from the User Portal, and log in successfully, but that's it. I cannot ping anything on the internal Voice network.

On the firewall, under Diagnostic|Tools, I can ping anything on the Voice network, so I know it can get there.

When I do a Packet Capture, I can see ICMP coming from the SSL VPN client pool IP to the Voice network IP address, but under the Status column it says "Violation" and under Reason it says "SSL_VPN". The ICMP packets never leave the firewall; they just die right there.

I have spent 3 DAYS putzing with the configuration, downloading new SSL VPN configs, trying to figure out what this damn thing wants, and nothing has worked. Packet Capture always says Violation/SSL_VPN. What does this mean?

Meanwhile, the Office-side SSL VPN, which has a virtually identical setup, works just fine.

I'm at the end of my rope. I'm hoping there's someone on this forum who can tell me where I'm going wrong with this.

Please help. Thanks.



  • "devices get the Voice zone IP address for a default gateway."

    I'm assuming this means that you have your voice subnet directly cabled to the Sophos XG to a physical NIC, so the XG is doing the routing between networks?

    I'm also assuming you have the voice subnet definition in the "Permitted network resources" box of the SSL Tunnel access section as well?

    -Scott

  • Thank you sir!

    Yes, the Voice network is physically connected to one of the firewall ports, and the XG is doing the routing.

    Yes, the Voice subnet is in the "permitted network resources" for the SSL Tunnel.

  • I ended up opening a support case with Sophos technical support.

    The tech figured out that a Zone object and a Network object were not added to its internal database properly. Even though everything looked fine through the admin interface, behind the scenes, in the database, the objects were corrupt.

    Through the troubleshooting steps, he deleted and recreated all the necessary objects, with different names, for the SSL VPN policy I wanted to create, and I was amazed when it worked just like it was supposed to afterwards.

    So... when you're going about your usual business of creating various objects for a firewall rule or policy, and it doesn't work at first, do not be alarmed: one or more of your objects were just created improperly behind the scenes, and are corrupt. Of course, there's no way for you to know which ones are corrupt; you simply need to delete and re-create all the objects involved until you finally get the result you're looking for.

    I am brand-new to Sophos products, and I have to say that I am so happy and satisfied with my purchase. I am going to sleep well at night knowing that this firewall appliance is doing its job for me.