SSL VPN full tunnel unable to route internally

I set up an SSL VPN with a full tunnel. Traffic can go out from the VPN to the internet and resolve the internal hostname without any issue. But unable to ping anything internally other than the firewall. The policy test shows everything pass. The log does not show any of the internal traffic either. VPN does have ping allowed.



  • Hello Dango,

    Thank you for contacting the Sophos Community.

    Make sure you have a VPN to LAN rule, additionally make sure the computer's Firewalls are disabled. 

    I would also recommend that you do a tcpdump on the Advanced Shell of the XG to confirm where the ping is going.

    E.g.

    #tcpdump -eni Port1 host 192.168.100.10 and host 10.80.80.100

    In this example, Port1 is where the Local Computer connects to and has the IP 192.168.100.10 and 10.80.80.100 is the computer with the SSL VPN client installed

    Regards,

  • Thanks for the reply and Happy New Year.

    The local devices have no firewall and can be accessed internally without any issue.

    This is the tcpdump command I used: tcpdump 'host 10.0.5.2 and net 10.0.9.0' where 5.2 is the VPN device and 9.0 is the destination subnet for testing. Testing with ping shows to packets captured.

  • a short network sketch would be helpful.

    10.0.9.0 is a firewall-subnet?

  • Not sure what you mean by firewall-subnet.

    It's a single firewall on a stick topology.

    I can ping from devices on the 10.0.9.x subnet to the device on the SSL VPN and am able to see the packets, but not the other way around.

    Tested with both TCP and UDP settings.

  • You configured a dial-in SSL VPN, correct? (or S2S?)

    Can you show us the route table after VPN is connected?

    Can you post a traceroute from SSL-VPN-connected Client to a central resource?

    Can you post a traceroute from SSL-VPN-connected Client to 8.8.8.8?

  • Yes. Remote Access, not S2S.

    C:\Users\Administrator>route print
    ===========================================================================
    Interface List
    20...7c b2 7d 03 1b d3 ......Microsoft Wi-Fi Direct Virtual Adapter #3
    11...7e b2 7d 03 1b d2 ......Microsoft Wi-Fi Direct Virtual Adapter #4
    14...00 ff 03 f7 1e 2a ......Sophos SSL VPN Adapter
    23...7c b2 7d 03 1b d2 ......Intel(R) Wireless-AC 9560 160MHz
    3...7c b2 7d 03 1b d6 ......Bluetooth Device (Personal Area Network)
    1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.89.147 192.168.89.155 50
    0.0.0.0 128.0.0.0 10.0.5.1 10.0.5.3 291
    10.0.5.0 255.255.255.0 On-link 10.0.5.3 291
    10.0.5.3 255.255.255.255 On-link 10.0.5.3 291
    10.0.5.255 255.255.255.255 On-link 10.0.5.3 291
    99.66.227.41 255.255.255.255 10.0.0.1 192.168.89.155 306
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    128.0.0.0 128.0.0.0 10.0.5.1 10.0.5.3 291
    172.16.16.17 255.255.255.255 192.168.89.147 192.168.89.155 306
    192.168.89.0 255.255.255.0 On-link 192.168.89.155 306
    192.168.89.155 255.255.255.255 On-link 192.168.89.155 306
    192.168.89.255 255.255.255.255 On-link 192.168.89.155 306
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 192.168.89.155 306
    224.0.0.0 240.0.0.0 On-link 10.0.5.3 291
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 192.168.89.155 306
    255.255.255.255 255.255.255.255 On-link 10.0.5.3 291
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 331 ::1/128 On-link
    23 306 fe80::/64 On-link
    14 291 fe80::/64 On-link
    23 306 fe80::61c9:a236:4995:5e20/128 On-link
    14 291 fe80::ecf5:229b:3ad7:dbf9/128 On-link
    1 331 ff00::/8 On-link
    23 306 ff00::/8 On-link
    14 291 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None

    C:\Users\Administrator>tracert 8.8.8.8

    Tracing route to dns.google [8.8.8.8]
    over a maximum of 30 hops:

    1 7 ms 6 ms 8 ms 10.0.5.1
    2 24 ms 6 ms 8 ms 192.168.1.254
    3 58 ms 63 ms 12 ms 108-206-148-1.lightspeed.irvnca.sbcglobal.net [108.206.148.1]
    4 63 ms 343 ms 9 ms 75.29.48.104
    5 23 ms 13 ms 14 ms 12.242.115.21
    6 29 ms 17 ms 15 ms 12.255.10.176
    7 30 ms 12 ms 11 ms 108.170.247.225
    8 33 ms 12 ms 10 ms 142.250.226.109
    9 34 ms 11 ms 15 ms dns.google [8.8.8.8]

    Trace complete.

    C:\Users\Administrator>tracert 10.0.9.6

    Tracing route to 10.0.9.6 over a maximum of 30 hops

    1 * * * Request timed out.
    2 * * * Request timed out.
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.

  • Hi,

    192.168.1.254 is an IP of your central XG-Firewall (or the ISP Router in front of the XG)?

    Can you show us the Firewall rule allowing SSL-Client to internal network?

    PS: The last rule // default drop rule doesn't log blocked packets. I would "clone above" this rule and enable logging.

  • 192.168.1.254 is the ATT Modem. It's in passthrough mode but going out will always show this hop instead of the gateway.

    Here is the rule. No IPS.  All other rules have log enabled.
