Can't access Network resources when in VPN

Question

Hello Guys, 
 
 Please Help me i'm really out of ideas, i'm new on sophos..and the job mus be done as soon as possible....here is my situation: we have two sites in my company linked with fibre ( LAN), we have a cisco firewall on site B and an XG430 on site A, site B has its internet from site A as this one is much faster, so all traffic is redirected to xg firewall whatever the traffic, on site A side we have an mpls ( verizon) which links us to an other country..when in lan i can access site B and the other country, and internet, no problem, but when in vpn or in site B i can't access the other country servers but i can access internet, and sites resources i will try to give you as much inofrmations i can to be able to understand, i have static routes on xg which redirect traffic going to the other country on to the gateway of the mpls.

FYI : We have a firewall in site A because we want to build a vpn site2site if the LAN link goes down 
 
 Thank you in advance

Amine BOURI · Accepted Answer

Problem Solved, i have created a new nat rule for the firewall rule VPN -> Remote Site ( resources ), i put the fw IP 172.22.64.1. so all traffic going to remote site will have the IP of firewall which makes me think that the remote site accept traffic only from Site B or A networks...to be confirmed, Thank you very much for your help.

lferrara · Answer

Amine, 
 thanks for the Network Map. I guess the first static routing points to 192.168.99.2 
 from the remote network (Site B), issue a traceroute command to 172.16.253.53.x and see the output. 
 Also make sure the firewall rule from site B to 172.16.253.53.x includes even site B. 
 Last, check drop-packet-capture to see if traffic is denied. 
 Check asymmetric routing article and apply it accordingly. 
 Regards

Aditya Patel · Answer

Hi Amine, You may need to conduct series of test to confirm the issue . Test. from the Site B system are you able to ping XG Port A3 , command on console to confirm if XG have received the packets: console > tcpdump 'host and icmp If the IP is pingable and you have received the packets on XG via TCPdump check the next Hop i.e. 172.16.253.53 . Check the same if XG received such packet. If not check ASA routing table and if so check if the packet is forwarded to the destination or not. If Not check the Route table and ARP table . If so check the next hop. Make Sure you have rules VPN<=> DMZ, VPN<=>LAN, DMZ<=>DMZ (Be careful if NAT is needed or not ) . In the firewall rules mention ANY ANY to test the connection then you may be more specific on Network definition. If you are testing Via LAN make sure you have rules LAN<=> DMZ, LAN<=>LAN, DMZ<=>DMZ Asymmetric Route does not work while using VPN, So make sure that the network used for the Asymmetric route is not used. However its applicable for LAN/DMZ/WAN. Post the results for each test

lferrara · Answer

Amine, 
 Inside the allowed resources of SSL profile, put even the remote site and make sure a firewall rule exists that allows the traffic. 
 Regards