
VPN users cannot reach a particular port of third-party software.

We have a server which has third-party software. It uses a special port, "12***".

SSL VPN was configured on the Sophos XG firewall, and VPN users can ping the server.

In the firewall rule, "any services" was selected for the services field.

But we cannot reach this port via VPN (locally, the software launches and works well).

Is there any configuration which could help fix my configuration?

Any support is appreciated.



  • FormerMember

    Hi Nikita Baranov,

    Thank you for reaching out to Sophos Community.

    Assuming the server IP is already added under Permitted network resources of the SSL VPN policy.

    Could you please take a packet capture by following the steps mentioned in the above comment?

    Also, check packet flow on port 12***.

    ==> Login to SSH > 4. Device Console

    console> tcpdump 'port 12***'

    ==> In other SSH session, check drop-packet-capture

    console> drop-packet-capture 'port 12***'

    eg: console> drop-packet-capture 'port 1234'

  • Hi,

    Thank you for your attention.

    It seems like the request from the VPN user to the server goes through well. But I mentioned that the server responds to the VPN user as well, and I suppose this packet drops.

    Please have a look at it.

    Should I add some rule to permit the response packet?

  • FormerMember in reply to Nikita Baranov

    Hi,

    Communication seems OK. I can see packets are getting exchanged between the 10.81.x.x and 10.11.x.x IP addresses. As it's UDP communication, it would be difficult to determine whether the server (10.11.x.x) responded to the request or rejected it.

    Did you notice continuous drops for this communication?

    I request you to take the below observation as well.

    ==> Assuming the VPN to LAN rule is created without any linked NAT policy.

    ==> Create a NAT policy with source address as 10.81.x.x and destination as 10.11.x.x with SNAT as MASQ. This will translate the source address in the request packet to the Sophos LAN interface IP address.

    ==> Try to access third-party software on a custom port and let me know your observation.

    ==> Check packet flow on the port as well.

    console> tcpdump 'port 12***'
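The reply above notes that with UDP it is hard to tell from a capture whether the server answered. As an added example (not from the thread or from Sophos), the script below pairs the client-to-server and server-to-client directions in tcpdump text output and lists VPN client sockets that kept sending datagrams to the application port but never saw a reply, which is the symptom of a missing return path that the MASQ SNAT suggestion addresses. The capture lines are constructed, and 12345 is a placeholder for the masked port "12***".

```python
import re
from collections import defaultdict

# Constructed tcpdump-style output (not a real capture from the thread).
# 10.81.x.x = SSL VPN client range, 10.11.x.x = LAN server, 12345 = app port.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 10.81.1.10.50000 > 10.11.1.20.12345: UDP, length 64
10:00:01.000002 IP 10.81.1.10.50000 > 10.11.1.20.12345: UDP, length 64
10:00:01.000003 IP 10.11.1.20.12345 > 10.81.1.10.50000: UDP, length 128
10:00:02.000001 IP 10.81.1.11.50001 > 10.11.1.20.12345: UDP, length 64
10:00:02.000002 IP 10.81.1.11.50001 > 10.11.1.20.12345: UDP, length 64
10:00:03.000001 IP 10.81.1.11.50001 > 10.11.1.20.12345: UDP, length 64
"""

# Matches the "IP src.sport > dst.dport: UDP" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def parse_udp_lines(text):
    """Yield (src, sport, dst, dport) for every UDP line in the capture text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def udp_flow_balance(text, server_port):
    """Count requests to and replies from server_port per client socket.

    Returns {(client_ip, client_port, server_ip): (requests, replies)}.
    """
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport in parse_udp_lines(text):
        if dport == server_port:           # client -> server direction
            counts[(src, sport, dst)][0] += 1
        elif sport == server_port:         # server -> client direction
            counts[(dst, dport, src)][1] += 1
    return {key: tuple(v) for key, v in counts.items()}


def one_way_flows(text, server_port, min_requests=2):
    """Client sockets that sent min_requests+ datagrams and got no reply at all.

    A non-empty result points at the return path (server -> VPN client):
    check the server's route to the VPN range, or use the MASQ SNAT approach.
    """
    balance = udp_flow_balance(text, server_port)
    return sorted(k for k, (req, rep) in balance.items()
                  if req >= min_requests and rep == 0)
```

Run it against `tcpdump 'port <app port>'` output saved from the Device Console; the first client socket in the sample gets a reply, the second never does.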