
Unable to ping Local Network on SSL VPN - Packet Capture show Violation Firewall

Fresh Install of Sophos 3300 - The Sophos is the gateway to the local networks.

Once connected to VPN I am able to ping all of the Gateway IP addresses on the Firewall, but unable to ping the devices on the network.

I am able to ping the devices from the Firewall - I have followed all of the instructions and also have gone through the Discussions with no luck. Just about tried everything.

In the Packet Capture it is showing Violation Firewall from the Source VPN device when I ping from it, and when I ping from the inside device to the VPN'd PC I get the same message.

All the rules are set ...

VPN to LAN

LAN to VPN

Even setup some Any to Any rules to see if I could catch traffic in the Firewall Log, do not see anything there.

Thanks for your help in advance...



  • Hello Ben,

    Thank you for contacting the Sophos Community.

    Make sure you have enabled Ping for VPN under Device Access.

    Also double-check if you have any Local ACL created to drop VPN traffic.

    Also, make sure the range of the SSL VPN is not overlapping with your internal subnet.

    If the issue persists please take a screenshot of the Packet Capture made on the GUI.

    Regards,

  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Did you allow ping on the VPN zone? Go to Administration and device access to find out. 

    Also, please share a screenshot of the SSL VPN profile and specifically the allowed networks. Did you add an interface or create a network object for your internal network?

    Thanks,

  • Thanks for replying..

    Attached are the screenshots of the settings.

    The rule for LAN to VPN right now is IP any any, just to get it to work, once working will start to harden.

    Thanks in advance.

  • FormerMember (in reply to Ben Sanderson)

    Hi,

    Thank you for providing the screenshots. 

    Why is there an SNAT rule for the SSL VPN? You wouldn't need it, and I'd suggest you remove it for testing.

    Also, create a network definition for the SSL VPN instead of the network range for the VPN to LAN firewall rule. 

    Thanks,

  • Thanks Harsh,

    I removed the SNAT, but still did not work. Getting the same errors in the packet capture.

    I have Network Definitions applied to the VPN to LAN. 

    Here are the updated Screenshots...

  • FormerMember (in reply to Ben Sanderson)

    Hi,

    I've reached out to you via personal message. If you could provide the support access ID from your firewall, I can double-check the configuration and update you with the next step.

    Thanks,

  • Harsh,

    Any luck in figuring out my problem? Should it make a difference that I am using VLANs, in the sense it is a Router/Firewall on a stick.

    Thanks,

  • Harsh,

    I have made a few changes to the test network - now the Gateway sits on the Cisco Switch, and I configured the Firewall for the new gateway and created a static route for the network.

    The packet capture has changed to Forwarding - No Gateway - UNREPLIED

    Still unable to ping anything on the inside network. The plan for this deployment is to use the Sophos as the network device for all of the Gateways of the Network. Currently all of the VLANs (except the test network) are configured on the Sophos and I am able to ping the devices from the Sophos.

    Thanks,

    Ben

  • FormerMember (in reply to Ben Sanderson)

    Hi,

    Thank you for the update.

    You'd have to configure the static route for the networks (VLANs) not owned by the firewall. Now, if you see the packet capture action "Forwarding" with the correct VPN to LAN firewall rule and there's no reply from the destination, that indicates either an Anti-Virus on the workstation blocking ping or an internal routing issue. Please check if there's a Windows Defender firewall blocking ping from the SSL VPN network.

    Thanks,
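
    Added example (not from this thread, Sophos, or Harsh): a small Python model of the checks raised in the replies above, namely the SSL VPN pool overlapping an internal subnet and the firewall's route lookup for a VLAN whose gateway it does not own. It generalizes one step further on the "internal routing issue" point, assuming that the downstream router (the Cisco switch here) also needs a route for the VPN pool back to the firewall, otherwise the reply never returns. All addresses and the verdict strings are constructed for illustration.

```python
from ipaddress import ip_address, ip_network


def overlapping_subnets(vpn_pool, internal_nets):
    """Return the internal subnets that overlap the SSL VPN address pool."""
    pool = ip_network(vpn_pool)
    return [n for n in internal_nets if ip_network(n).overlaps(pool)]


def lookup(dst, connected, static_routes):
    """Longest-prefix lookup. Returns 'connected', ('static', next_hop) or None."""
    host = ip_address(dst)
    best = None  # (network, verdict) with the longest matching prefix so far
    for n in connected:
        net = ip_network(n)
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, "connected")
    for n, hop in static_routes.items():
        net = ip_network(n)
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ("static", hop))
    return best[1] if best else None


def diagnose(src, dst, fw_connected, fw_static, switch_routes):
    """Predict the outcome of a ping from VPN client `src` to inside host `dst`.

    fw_connected: subnets whose gateway lives on the firewall itself.
    fw_static:    {subnet: next_hop} routes for VLANs owned by another router.
    switch_routes: the downstream router's table (assumption: it must be able
                   to route the VPN pool back to the firewall).
    """
    fwd = lookup(dst, fw_connected, fw_static)
    if fwd is None:
        return "no gateway"                    # firewall has no route at all
    if fwd == "connected":
        return "replied (connected)"           # host sits on a firewall VLAN
    if lookup(src, [], switch_routes) is None:
        return "unreplied (no return route)"   # forwarded, but reply cannot come back
    return "replied"


if __name__ == "__main__":
    # Constructed sample topology: two VLANs on the firewall, one behind a switch.
    fw_connected = ["192.168.10.0/24", "192.168.20.0/24"]
    fw_static = {"192.168.30.0/24": "192.168.10.2"}
    print(overlapping_subnets("10.81.234.0/24", ["192.168.10.0/24", "10.81.0.0/16"]))
    print(diagnose("10.81.234.2", "192.168.30.5", fw_connected, fw_static, {}))
    print(diagnose("10.81.234.2", "192.168.30.5", fw_connected, fw_static,
                   {"10.81.234.0/24": "192.168.10.1"}))
```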

  • Harsh,

    There is no firewall on the device, it is a LAN Controller, configured for the same Gateway. Is there a debug or log that I can view to check the route?

    I also am unable to ping the gateway of that network which is on the Cisco Switch. - There is a static route for that.

    Thanks,

    Ben