Problems connecting to internal app server from SSL and IPSEC VPN using Sophos connect

I am using XG210 (SFOS 18.0.5 MR-5-Build586) and Sophos Connect 2.1.20.

SSL VPN and IPsec VPN for remote access are configured as "use as default gateway", forcing all remote traffic through the XG.

Remote users are able to access LAN resources, that's working.

We have an application server behind the XG on the LAN that cannot be accessed when remote users are connected to VPN. Let's call that server's FQDN example.com.

I push our internal DNS server to VPN users so that local domain names can be resolved. While connected to VPN, nslookup reports our internal DNS is resolving example.com to the XG public IP. This would be the same nslookup if the user was not connected to VPN and using google DNS.

But when VPN is connected, the example.com page never loads. The example.com request goes to the XG because it's set up as the default gateway. In log viewer I don't see traffic from the VPN client IP address to the XG public IP.

I have a firewall rule from VPN to WAN and another from VPN to LAN.

I have a DNAT rule:

Original source: VPN_SUBNET

Original destination: XG PUBLIC IP

Original service: HTTP

SNAT: MASQ

DNAT: APPLICATION_SERVER_IP

Access to the application server from remote VPN by private IP works.

Any ideas?



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Do you have a DNAT rule configured for your application server? If yes, try adding the VPN zone to the source zone and to the matching firewall rule for testing.

    Since it’s a full tunnel configuration, I don't see any reason for traffic to your application server not to route through the Remote VPN. What IP address did you run the packet capture on? 

    Thanks,

  • Thanks for your reply.


    Yes, I have a DNAT rule for my application server with the VPN zone in the source zone and a firewall rule as well.
    I'm filtering by the IP of the computer on the VPN subnet, I have also tried by the public IP of the XG, the internal IP of the application server and the public IP of the connection used for the remote computer. 

    Thanks,

  • I have configured a DNS host entry in the XG Network > DNS menu and now I can access the web application server via the url (example.com).

    In case it is helpful to anyone, the DNS host entry configuration:
    Host/domain name: url
    Address:
    Entry type: Manual
    IP Address: Private IP of the application server
    Publish to WAN: False
    Add reverse DNS lookup for this host entry: True
    All other options: Default


    Now if I do an nslookup it shows me the private IP of my application server, before this configuration the result was the public IP of my XG and I could not access the web.

    Thanks
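As an added example (not from the thread or from Sophos), a small check a VPN client can run to tell the two states apart that this thread describes: the name resolving to the firewall's public IP from inside the tunnel (the hairpin case that failed), versus resolving to the application server's private LAN address once the XG DNS host entry is in place. The XG public IP and application server IP below are constructed placeholders.

```python
"""Classify how a hostname resolves from a VPN client.

Added example, not the thread's or Sophos' own code. The two addresses
below are constructed placeholders; replace them with your own firewall
WAN IP and the LAN IP of the application server.
"""
import ipaddress
import socket

XG_PUBLIC_IP = "203.0.113.10"   # constructed placeholder for the XG WAN IP
APP_SERVER_IP = "10.0.1.20"     # constructed placeholder for the LAN server


def classify(addresses, on_vpn, xg_public_ip=XG_PUBLIC_IP,
             app_server_ip=APP_SERVER_IP):
    """Return one of:
      "internal"   - resolves to the private app server IP: the working
                     state after the DNS host entry was added
      "hairpin"    - resolves to the XG public IP while on the full-tunnel
                     VPN, so the client tries to reach the WAN side of the
                     firewall from inside the tunnel: the failing state
      "public"     - resolves to the XG public IP while not on VPN, which
                     is the normal answer for an Internet user
      "unexpected" - anything else (wrong DNS server, stale cache, ...)
    """
    addrs = {ipaddress.ip_address(a) for a in addresses}
    if ipaddress.ip_address(app_server_ip) in addrs:
        return "internal"
    if ipaddress.ip_address(xg_public_ip) in addrs:
        return "hairpin" if on_vpn else "public"
    return "unexpected"


def resolve(hostname):
    """Addresses the client's current system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def check(hostname, on_vpn):
    """Resolve hostname with the DNS pushed to the client and classify it."""
    return classify(resolve(hostname), on_vpn)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(host, "->", check(host, on_vpn=True))
```

Run it from the VPN client before and after adding the host entry; "hairpin" is the state described in the original post, "internal" the state after the fix.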