
SSL VPN: Access to SSL Client side

There is an SSL VPN client connection to a Sophos XG Firewall. The connection is fine. From the client side I get access to the XG Firewall local LAN. Now I also need access from the XG Firewall local LAN to the client LAN.

I have two Firewall Rules.

- VPN to LAN
- LAN to VPN

What else do I need?

Thanks, community.

  • Marcel,

    did you follow this kb?

    https://community.sophos.com/kb/en-us/122769

    You only need VPN to LAN and not vice-versa.

    Regards

  • Yes, I followed exactly this KB. As I said, access from the client LAN to the local LAN (XG side) is possible. But I also need access from the local LAN to the client LAN.

  • Both sides. I'd like to show you that the ping is working from the client side to the XG LAN side, but not from the XG LAN side to the client side.

  • Here is the tcpdump result:

    console> console> tcpdump 'host 192.168.75.223'
    % Error: Unknown Parameter 'console>'
    console> tcpdump: Starting Packet Dump
    % Error: Unknown Parameter 'tcpdump:'
    request, id 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:23.222963'
    equest, i d 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:23.223015'
    request, id 1, seq 211, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:23.223304'
    request, id 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:28.079108'
    equest, i d 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:28.079120'
    request, id 1, seq 212, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:28.079410'
    request, id 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:33.079425'
    equest, i d 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:33.079441'
    request, id 1, seq 213, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:33.079738'
    request, id 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:38.079755'
    equest, i d 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:38.079765'
    request, id 1, seq 214, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:38.080040'

  • Hi  

    When you log in to the console, you will get the prompt as console>; you do not have to type it.

    Please refer to the article: https://community.sophos.com/kb/en-us/123567

  • Sorry for that.

    console> tcpdump 'host 192.168.75.223'
    tcpdump: Starting Packet Dump
    08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:30.134462 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
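The capture above shows the echo request entering on Port1/br0 and leaving on Port2 with its source rewritten to the public address, so it never went into the tunnel. As an added example (not from the thread or from Sophos), this script classifies each echo request in such a capture; the client pool 192.168.75.0/24 and the WAN port name Port2 are assumptions inferred from the addresses shown, and the sample lines are constructed from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the XG "tcpdump 'host ...'" output quoted
# above: LAN host 192.168.11.38 pings SSL VPN client 192.168.75.223.
SAMPLE = """\
08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:30.134462 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
"""

# One XG tcpdump line: timestamp, interface, direction, IPv4 pair, ICMP echo fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>[^,]+), (?P<dir>IN|OUT): IP "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(text):
    """Yield one dict per parsable tcpdump line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def check_vpn_path(text, client_pool, wan_ifaces):
    """Group echo requests for the VPN client pool by seq and say where each
    one ended up. Returns {seq: verdict}. wan_ifaces is an assumption."""
    pool = ipaddress.ip_network(client_pool)
    hops = defaultdict(list)
    for p in parse(text):
        if p["kind"] == "request" and ipaddress.ip_address(p["dst"]) in pool:
            hops[int(p["seq"])].append(p)
    verdicts = {}
    for seq, pkts in sorted(hops.items()):
        first_src = pkts[0]["src"]
        outs = [p for p in pkts if p["dir"] == "OUT"]
        if not outs:
            verdicts[seq] = "no egress captured"
        elif outs[-1]["iface"] in wan_ifaces:
            last = outs[-1]
            nat = (f"source rewritten to {last['src']} (MASQ)"
                   if last["src"] != first_src else "source unchanged")
            verdicts[seq] = f"left via WAN {last['iface']}, {nat}: not the tunnel"
        else:
            verdicts[seq] = f"left via {outs[-1]['iface']}"
    return verdicts
```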

  • Hi  

    Please share the output of the below command

    console> system route precedence show

  • Default routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes

  • Hi  

    Have you added any policy routing in the XG configuration?

    Please verify from Routing >> Static Routing and Policy Routing

    We need to check by setting VPN precedence on top.

    Please execute the command

    console> system route_precedence set vpn

    Please verify and let me know

  • There is no policy or static route defined.


    Here is the result of system route_precedence set vpn

    console> system route_precedence set vpn
    vpn VPN routes


    Still no access to client side.

  • Hi  

    Based on the data you provided, I see you are using a bridge interface. Is this correct? Are you actually trying to bridge 2 networks together, or are you just plugging in the ports assigned in the bridge? I would recommend you remove the bridge interface and set up the LAN interface on the correct port. Please note that doing this will remove the IP from the bridge interface, so you will need another IP on the XG to connect to.

    On another note, have you disabled Windows Firewall on the SSL VPN client side? Windows Firewall always blocks pings out of the box. Also note that if you are not using a full tunnel and the user on the other end has the same IP range on their LAN network as your LAN network, then this will cause problems.

    Try changing to a full tunnel on the XG SSL VPN and disabling Windows Firewall completely to see if it helps. I also recommend having a rule VPN-LAN and LAN-VPN without routing or MASQ applied. You can also try pinging the end system from the XG. If there is no response to the XG, then the problem lies on the end client device.

    Thanks!
