
Unable to connect Cisco IPSec. Sophos is behind another router.

So I'm trying to connect to Sophos VPN using Cisco IPSec from an iPhone. 

The Sophos box is behind another router, and thus the public IP of the WAN interface of the Sophos box is actually a private IP. This causes me 2 problems:

a.) When I download the .mobileconfig from the user web portal, it has the WAN IP of the Sophos box hardcoded as the server address, and there's no option to change this on the iPhone, or in the Sophos admin interface.

b.) The VPN works fine if I place the iPhone on the same LAN as the Sophos WAN interface. I've forwarded UDP ports 500 & 4500 to the Sophos box on the other router and manually edited the .mobileconfig file so that the VPN server is actually my external IP or DNS name (I've tried both), but I'm still unable to connect from the internet.

Any thoughts?
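The two problems in the post (the downloaded profile hardcodes the appliance's private WAN address, and the fix is a hand edit of the .mobileconfig) can be checked and applied with a small script rather than by editing XML by hand. The code below is an added example, not code from the thread or from Sophos. It assumes the profile is Apple's plain XML plist form (not a CMS-signed profile) containing a `com.apple.vpn.managed` payload whose `IPSec` dictionary carries the server under `RemoteAddress`, which are the standard Apple VPN payload keys; the sample profile, the private address 192.168.1.2 and the name vpn.example.com are constructed for the example.

```python
import ipaddress
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"

# Constructed sample: a minimal Cisco IPSec profile of the shape a user portal
# hands out, with the appliance's private WAN IP as the VPN server address.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.vpn.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.vpn.profile.ipsec</string>
      <key>UserDefinedName</key><string>Office VPN</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>RemoteAddress</key><string>192.168.1.2</string>
        <key>XAuthEnabled</key><integer>1</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def vpn_payloads(profile):
    """Return the VPN payload dicts inside a parsed .mobileconfig."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == VPN_PAYLOAD_TYPE]


def is_private_address(addr):
    """True if addr is an IP literal in a private or otherwise non-routable range.

    A hostname cannot be judged without resolving it, so it returns False.
    """
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def remote_addresses(data):
    """Collect the IPSec RemoteAddress of every VPN payload in the profile."""
    profile = plistlib.loads(data)
    return [p.get("IPSec", {}).get("RemoteAddress") for p in vpn_payloads(profile)]


def audit_profile(data):
    """List server addresses a client on the internet could never reach:
    a missing RemoteAddress, or one that is an RFC 1918 / non-routable IP."""
    return [a for a in remote_addresses(data) if a is None or is_private_address(a)]


def rewrite_remote_address(data, public_name):
    """Return a copy of the profile with every IPSec RemoteAddress replaced
    by the public DNS name (or public IP) the front router forwards to."""
    profile = plistlib.loads(data)
    payloads = vpn_payloads(profile)
    if not payloads:
        raise ValueError("no com.apple.vpn.managed payload in profile")
    for p in payloads:
        p.setdefault("IPSec", {})["RemoteAddress"] = public_name
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("unreachable server addresses:", audit_profile(SAMPLE_MOBILECONFIG))
    fixed = rewrite_remote_address(SAMPLE_MOBILECONFIG, "vpn.example.com")
    print("after rewrite:", remote_addresses(fixed), audit_profile(fixed))
```

The rewrite only changes what the iPhone dials; it changes nothing the appliance itself sends during IKE, and the UDP 500/4500 forwards on the front router are still needed. So if a profile that audits clean after the rewrite still fails from the internet, the remaining suspect is the NAT and port-forward path rather than the profile.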

  • I'm facing a similar issue after my ISP decided to upgrade me to their latest gateway/router device.

    They used to have an option in the old router/gateway called IP Passthrough where I could pass the WAN connection straight to a single device (my Sophos SG appliance in that case). This allowed everything to work seamlessly (VPN, user ports etc.) from the outside.

    Now with this new gateway/router, only "cascaded router" can be chosen, so the Sophos SG appliance now gets a private IP assigned from that router and it is the "WAN" IP of the Sophos just like you describe. I was successful in still being able to have Sophos SG manage my 5 static WAN IP block, however, which is nice because I can forward traffic to devices behind Sophos. That is enabled because the ISP gateway/router allows you to assign a static WAN IP block to the cascaded router. Unfortunately, I cannot assign one of those WAN addresses to the Sophos and therefore cannot access it, or any services like the VPN, remotely. I think you and I have the same issue and I was wondering if you made any progress? I'm going to have my network IT contractor come out and see what he can do.
