
WebAdmin over SSL VPN

Hello,

 

I'm at my wits' end. After establishing an SSL VPN connection I get no access to the WebAdmin of my SG.

Actually, the firewall settings should be applied automatically. Could it be related to Web Protection or the WAF? P.S. I can reach all other devices such as switches, NAS, router etc.; it is only the admin web interface of the Sophos SG that I can't reach.

Here is the config I have:



  • Please show a picture of the Edit of the SSL VPN Profile.  Also copy a block line from the full Firewall log file (not the Firewall Live Log as it presents abbreviated information in a format easier to read quickly - usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file).

Regards - Bob (Please feel free to continue in German.)


    Hi Bob,

    here are the details you requested:

    Firewall log example:

    2019:05:05-19:42:59 utm ulogd[4823]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="tun0" srcip="192.168.198.2" dstip="192.168.197.90" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="45802" dstport="4444" tcpflags="SYN"
    2019:05:05-19:42:59 utm ulogd[4823]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="tun0" srcip="192.168.198.2" dstip="192.168.197.90" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="45801" dstport="4444" tcpflags="SYN"
    2019:05:05-19:42:59 utm ulogd[4823]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="tun0" srcip="192.168.198.2" dstip="192.168.197.90" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="45804" dstport="4444" tcpflags="SYN"

    Here is the screenshot of the VPN profile:

    Here are the network definitions:

  • In general, I recommend against using any subnet in 192.168.0.0/16 in the UTM as one will often run into public WiFi using a subnet in that range.  Subnets in 10.0.0.0/8 should only be used by the largest corporations.  For businesses and even for home setups, I recommend subnets in 172.16.0.0/12.

    "IP spoofing drop" tells me that your "VPN Pool (SSL)" overlaps with some "(Network)" object.  I usually recommend leaving the VPN Pool object with their original subnets.  In this case, I would have left it at 10.242.2.0/24.  Does the problem go away when you revert "VPN Pool (SSL)" to its original setting?

    Regards - Bob (Please feel free to continue in German.)
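To make Bob's two checks concrete, here is an added example that is not part of the original thread: it parses ulogd packetfilter lines in the format pasted above, pulls out the "IP spoofing drop" entries, and then tests (a) which network objects the dropped source addresses fall into and (b) whether any of the network objects overlap each other. Since the screenshots of the network definitions are not available, the object names and prefixes below (a VPN pool of 192.168.198.0/24 and an internal network of 192.168.197.0/24, inferred from the srcip/dstip in the log) are assumptions, and the three log lines are the ones posted in the thread, embedded as sample input.

```python
"""Added example (not from the thread): parse Sophos UTM ulogd firewall log
lines, collect the "IP spoofing drop" entries and check them against a set of
network definitions for membership and for mutual overlap."""
import ipaddress
import re
from collections import Counter

# ulogd writes the packet fields as key="value" pairs after the timestamp/host/process prefix.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The three lines posted in the thread, used here as constructed sample input.
SAMPLE_LOG = [
    '2019:05:05-19:42:59 utm ulogd[4823]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="tun0" srcip="192.168.198.2" dstip="192.168.197.90" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="45802" dstport="4444" tcpflags="SYN"',
    '2019:05:05-19:42:59 utm ulogd[4823]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="tun0" srcip="192.168.198.2" dstip="192.168.197.90" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="45801" dstport="4444" tcpflags="SYN"',
    '2019:05:05-19:42:59 utm ulogd[4823]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="tun0" srcip="192.168.198.2" dstip="192.168.197.90" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="45804" dstport="4444" tcpflags="SYN"',
]

# ASSUMED network objects; the real definitions are only visible in the thread's screenshots.
NETWORKS = {
    "VPN Pool (SSL)": "192.168.198.0/24",      # assumed from srcip 192.168.198.2
    "Internal (Network)": "192.168.197.0/24",  # assumed from dstip 192.168.197.90
}


def parse_ulogd_line(line):
    """Return the key="value" fields of one ulogd line as a dict, plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def spoofing_drops(lines):
    """Keep only the entries the packetfilter classified as an IP spoofing drop."""
    return [f for f in map(parse_ulogd_line, lines) if f.get("name") == "IP spoofing drop"]


def containing_objects(ip, networks):
    """Names of all network objects whose prefix contains the given address."""
    addr = ipaddress.ip_address(ip)
    return [name for name, cidr in networks.items()
            if addr in ipaddress.ip_network(cidr, strict=False)]


def find_overlaps(networks):
    """Pairs of network object names whose prefixes overlap (Bob's suspicion about the VPN pool)."""
    items = [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in networks.items()]
    overlaps = []
    for i, (name1, net1) in enumerate(items):
        for name2, net2 in items[i + 1:]:
            if net1.overlaps(net2):
                overlaps.append((name1, name2))
    return overlaps


def summarize(lines=SAMPLE_LOG, networks=NETWORKS):
    """Aggregate the spoofing drops per (ingress interface, source IP) and run both checks."""
    drops = spoofing_drops(lines)
    per_source = Counter((d["initf"], d["srcip"]) for d in drops)
    return {
        "drop_count": len(drops),
        "sources": {f"{intf}:{ip}": n for (intf, ip), n in per_source.items()},
        "src_in_objects": {ip: containing_objects(ip, networks) for (_, ip) in per_source},
        "overlapping_objects": find_overlaps(networks),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the assumed definitions, all three drops come from tun0:192.168.198.2, that address sits only in the VPN pool object, and the overlap list is empty. That is exactly the situation where Bob's first suspicion (an overlapping pool) is ruled out and the spoof-protection mode itself becomes the next thing to look at; if the real objects do overlap, the `overlapping_objects` pairs name the culprits directly.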

  • Hi Bob, 

    there is NO overlap in my network config, see the screenshots below in my last reply post. For me it is not possible to use an IP range outside 192.168.0.0/16 as the AVM FritzBox only supports this range; I use a second one behind the UTM for meshing in my home network. On the FritzBox I have some routes to other network segments.

    I've now changed Spoof Protection from "Strict" to "Normal" and now it works. But I think there is some other bug that makes this not work in "Strict" mode.