This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LAN not browsing, Remte Access VPN working

Hello team,

I have configured Sophos XG. It came online and I configured Remote Access VPN which is working fine over the internet. However, the LAN cannot access internet completely. Any suggestions would be highly appreciated. Thanks.

This thread was automatically locked due to age.

Parents

0 FormerMember over 3 years ago

Hi Gregory, Thanks for reaching out to Sophos Community.

Lan can't access properly? Did you mean the machines in your VPC can't access the internet or the remote access devices can't access internet after connecting to the Firewall via VPN?
Cancel
Vote Up 0 Vote Down

Cancel
0 Gregory Ogola over 3 years ago in reply to FormerMember

This is the topology, the FW sits behind a NAT device. So I have configured LAN 192.168.10.0/24 and WAN 192.168.5.0/24. The WAN Iface IP 192.168.5.1/24 is NATted at the VPC edge to a public IP.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to Gregory Ogola

Did you try to run a traceroute from the machine in the firewall's LAN and verified?

Also, you can ping 1.1.1.1 and take a GUI capture on the firewall to see how these packets are forwarded.

Just ensure that the NAT Rule (if v18 or above) is added with MASQ in source NAT for the Outgoing traffic.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 FormerMember over 3 years ago in reply to Gregory Ogola

Did you try to run a traceroute from the machine in the firewall's LAN and verified?

Also, you can ping 1.1.1.1 and take a GUI capture on the firewall to see how these packets are forwarded.

Just ensure that the NAT Rule (if v18 or above) is added with MASQ in source NAT for the Outgoing traffic.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Gregory Ogola over 3 years ago in reply to FormerMember

ping test from Port1 - LAN

Ping from Port2 - WAN Port

Policy Test

Rules and NAT
Cancel
Vote Up 0 Vote Down

Cancel
0 Gregory Ogola over 3 years ago in reply to Gregory Ogola

Version
Cancel
Vote Up 0 Vote Down

Cancel
0 Brian Ritchie over 3 years ago in reply to Gregory Ogola

Gregory - Go ahead and delete that "Internet" Firewall Rule. Once deleted, recreate it, but this time set the Source to "Any Host" instead of "local subnet" and do not create a linked NAT. By default, the "DefaultSNAT IPv4" rule will be used. You can verify by looking in your log viewer.

You can see it is being used by the traffic going through it on your pic above.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gregory Ogola over 3 years ago in reply to Brian Ritchie

Done that, no linkedNAT, still not able to access net
Cancel
Vote Up 0 Vote Down

Cancel
0 Gregory Ogola over 3 years ago in reply to Gregory Ogola

Or is the fact that the firewall sits behind a NAT device something to address?
Cancel
Vote Up 0 Vote Down

Cancel
0 Brian Ritchie over 3 years ago in reply to Gregory Ogola

That should not be an issue (Double Natting). Can you:

1. Generate some traffic from a client machine that is behind the XG Firewall. Grab its ip address or MAC address.

2. In the logviewer in the XG - open it and set it to the "Firewall" log, then timer filter to 10 minutes.

3. Further filter by the IP or MAC address of the client you used - put a snapshot of that here. Does the client ip match the firewall and SNAT rule configured? If not, what firewall rule/NAT rule is it trying to use?

4. Also - can you put a pic of your network interfaces.

Thanks Gregory.
Cancel
Vote Up 0 Vote Down

Cancel