Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 26 subscribers
  • Views 5301 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN as Default Gateway & routing

dan becker

SSL VPN for Remote Access is configured as "use as default gateway" forcing all remote traffic through the XG.

Remote users are able to access LAN resources, that's working.

We have an application server behind the XG on the LAN that cannot be accessed when remote users are connected to VPN. Let's call that server FQDN example.com

I push our internal DNS server to VPN users so that local domain names can be resolved. While connected to VPN, nslookup reports our internal DNS is resolving example.com to the XG public IP. This would be the same nslookup if the user was not connected to VPN and using google DNS.

But, when VPN is connected, the example.com page never loads. The example.com request goes to the XG because its setup as default gateway. But then it never hits the VPN to WAN rule. I'm guessing because the WAN destination is the same public IP as the WAN Port of the XG?

The request doesnt hit the WAN to LAN DNAT rule either.

We have a DNS Host Override for example.com to its LAN IP with reverse DNS checked.

How is this handled?

If we used the XG LAN IP as primary DNS in the VPN config, then remote VPN users would likely hit the DNS Host Override, but then not be able to resolve local domain names.



This thread was automatically locked due to age.
Parents
  • 0

    Hello Dan,

    Thank you for contacting the Sophos Community!

    Just to clarify, if the device in on the LAN of the XG, then it shouldn't be hitting the VPN to WAN, or you want users to access to this LAN service via 

    Computer >> SSL VPN >>  WAN >> Hairping >> LAN?

    Does accessing by IP (Private IP of the server) works? 

    Regards,

  • 0 in reply to emmosophos

    Access to the application server from remote VPN by private IP works. The problem above more of a DNS issue. 

    I just changed Primary DNS of VPN Settings to XG private IP and now I'm getting a correct resolve on VPN machine, which is the private LAN IP of app server from the DNS Host override. Confirmed that example.com page now works when connected to VPN.

    But, we have other app servers on DMZ (example.com was on LAN). How would remote VPN users access these DMZ machines?if they get the DMZ private IP from DNS then I have to create a VPN to DMZ allow rule.

    Can I force VPN users to access these DMZ servers through the WAN to DMZ DNAT rule? 

Reply
  • 0 in reply to emmosophos

    Access to the application server from remote VPN by private IP works. The problem above more of a DNS issue. 

    I just changed Primary DNS of VPN Settings to XG private IP and now I'm getting a correct resolve on VPN machine, which is the private LAN IP of app server from the DNS Host override. Confirmed that example.com page now works when connected to VPN.

    But, we have other app servers on DMZ (example.com was on LAN). How would remote VPN users access these DMZ machines?if they get the DMZ private IP from DNS then I have to create a VPN to DMZ allow rule.

    Can I force VPN users to access these DMZ servers through the WAN to DMZ DNAT rule? 

Children