
Traffic routed over VPN stops at firewall

Dear,

I want to configure our remote access SSL VPN so that when our users are working from home, traffic for a specific IP address is sent over the VPN so they connect to this IP address from our office's public IP address. The IT on the other side have whitelisted our office's public IP address.

The public IP address I'm talking about is 193.x.y.z. I've configured this address under Remote access -> SSL -> Profiles -> Our VPN profile -> Local networks. So when I start the VPN and do a traceroute I can see the first hop is the gateway of the VPN connection, and there it stops.

So it looks like the traffic is stopped at the firewall.

When I do a traceroute from the Sophos Support -> Tools it shows the same hops as when I do a traceroute from my pc (without the VPN active).

Kind regards,

Wouter



  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    If I understand correctly, you are trying to set up an SSL VPN so that when a remote user connects, they connect to the specific public IP address on your firewall? 

    In that case, you have to override the hostname under VPN > VPN settings > SSL VPN and override the hostname with the required public IP address on your firewall.

    Note: Once you make this change, all the SSL VPN users need a new configuration file. 

    Thanks,

  • Hello Harsh,

    No sorry, I don't think I was clear enough in my description. What I want to configure is that when one of my colleagues works from home and turns on their VPN, the traffic to the IP address 193.x.y.z is sent over the VPN to our firewall and then forwarded from our firewall to the 193.x.y.z address.

    I want to do this because the administrators at the other side have whitelisted the public IP address of our office on their firewall. Our offices are closed at the moment, so it would be nice if we can fix this so they don't have to come to the office to connect to this address.

    Kind regards,

    Wouter

  • FormerMember, in reply to Wouter Van Casteren

    Hi ,

    Thank you for the explanation. 

    If I understand this correctly, you want your remote users to access this IP 193.x.y.z through the XG firewall, as your firewall's IP address is whitelisted on the other side. 

    In that case, you would need this IP address in the allowed network in SSL VPN Policy, and you have done that already. Now you can see the traffic from the SSL VPN user to the 193.x.y.z IP on the firewall, but it is getting blocked? I think you are missing the firewall rule VPN to WAN. I would suggest you create a VPN to WAN firewall rule for testing and check if that resolves your issue. 

    Thanks,

  • Hello,

    Sorry for the late reply. I tested this by adding a rule allowing all traffic from the VPN IP pool, but no success. I also noticed that there is an automatic firewall rule created by the VPN allowing traffic from, for example, my network to the local networks defined in the SSL profile.

    When I created the firewall rule I also enabled the logging, but I didn't see any traffic allowed or blocked to the public IP address I was talking about.

    Kind regards,

    Wouter

  • FormerMember, in reply to Wouter Van Casteren

    Hi ,

    Can you try to traceroute from the remote workstation to the public IP address you want to send traffic to through the VPN? 

    Thanks,

  • Hello,

    Below is the trace to the public IP address when I'm inside our network:

    ---------------------------------------------------------------

    Tracing route to mar01-ohsim-prod.*.com [193.x.y.z]
    over a maximum of 30 hops:

      1     4 ms     2 ms     2 ms  10.128.51.254
      2    10 ms     5 ms    32 ms  10.252.130.45
      3     6 ms     3 ms     3 ms  p0.bru4.network.destiny.be [94.140.161.3]
      4     5 ms     6 ms     6 ms  pe7.bru1.network.destiny.be [94.140.161.71]
      5     3 ms     5 ms     3 ms  10.252.20.198
      6     4 ms     4 ms     5 ms  ip-78-110-192-155.reverse.destiny.be [78.110.192.155]
      7     5 ms     4 ms     4 ms  p1.bru4.network.destiny.be [94.140.161.70]
      8     4 ms     4 ms     5 ms  p1.bru1.network.destiny.be [94.140.161.234]
      9     4 ms     6 ms     5 ms  be1.cr0.bru1.destiny.be [85.158.208.253]
     10     6 ms     9 ms     5 ms  xe-11-0-0-37.cr1-bru2.ip4.gtt.net [77.67.75.97]
     11    15 ms    15 ms    14 ms  ae22.cr2-fra6.ip4.gtt.net [213.200.117.138]
     12    17 ms    16 ms    17 ms  154.14.72.179
     13    17 ms    16 ms    16 ms  62.4.69.103.de.mfnx.net [62.4.69.103]
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out.

    ---------------------------------------------------------------

    Traceroute when I'm at home with my VPN active:

    ------------------------------------------

    Tracing route to mar01-ohsim-prod.*.com [193.x.y.z]
    over a maximum of 30 hops:

      1    16 ms    18 ms    16 ms  10.246.2.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.

    ------------------------------------------------------------

    10.246.2.1 is the gateway of our VPN.
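Added example, not code from the thread or from Sophos: a small Python parser for the Windows tracert output quoted above, which tells the VPN symptom (only the gateway hop ever answers, so the firewall receives the packets but never forwards them towards the WAN) apart from ordinary end-of-path timeouts like those after hop 13 in the office trace. The sample traces, hostnames and addresses are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

Hop = Tuple[int, Optional[str]]  # (hop number, responding address or None)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed samples in the shape of the Windows tracert output quoted in the
# thread; hostnames and addresses are placeholders, not the poster's real ones.
TRACE_VPN = """\
Tracing route to mar01-ohsim-prod.example.com [193.0.2.10]
over a maximum of 30 hops:
  1    16 ms    18 ms    16 ms  10.246.2.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""
TRACE_OFFICE = """\
Tracing route to mar01-ohsim-prod.example.com [193.0.2.10]
over a maximum of 30 hops:
  1     4 ms     2 ms     2 ms  10.128.51.254
  2     6 ms     3 ms     3 ms  p0.bru4.example.net [198.51.100.3]
  3    17 ms    16 ms    16 ms  203.0.113.103
  4     *        *        *     Request timed out.
"""

def parse_tracert(text: str) -> List[Hop]:
    """Parse tracert output into (hop, address) pairs; None = no reply."""
    hops: List[Hop] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header, blank line or "Trace complete."
        hop = int(parts[0])
        if "Request timed out." in line:
            hops.append((hop, None))
            continue
        m = BRACKET_IP.search(line)  # "name [ip]" form, else a bare address
        hops.append((hop, m.group(1) if m else parts[-1]))
    return hops

def last_responding_hop(hops: List[Hop]) -> Optional[Hop]:
    answered = [h for h in hops if h[1] is not None]
    return answered[-1] if answered else None

def stops_at_vpn_gateway(hops: List[Hop], gateway: str) -> bool:
    """True when hop 1 (the VPN gateway) is the only hop that ever answers:
    packets reach the firewall but are not forwarded on towards the WAN.
    Timeouts after several real hops (office trace) are just ICMP filtering."""
    return len(hops) > 1 and last_responding_hop(hops) == (1, gateway)
```

Run both traces through it with the gateway address from the thread (10.246.2.1) to confirm the home trace matches the "stops at the firewall" pattern while the office trace does not.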