Can't access Network resources when in VPN

Hello Guys,

Please help me, I'm really out of ideas. I'm new on Sophos, and the job must be done as soon as possible. Here is my situation: we have two sites in my company linked with fibre (LAN). We have a Cisco firewall on site B and an XG430 on site A. Site B gets its internet from site A, as this one is much faster, so all traffic is redirected to the XG firewall, whatever the traffic. On the site A side we have an MPLS (Verizon) which links us to another country. When in LAN I can access site B, the other country and the internet, no problem, but when in VPN or in site B I can't access the other country servers, although I can access the internet and site resources. I will try to give you as much information as I can so you are able to understand. I have static routes on the XG which redirect traffic going to the other country to the gateway of the MPLS.

FYI: We have a firewall in site A because we want to build a site-to-site VPN if the LAN link goes down.

Thank you in advance

  • Hi Amine,

    You may need to conduct a series of tests to confirm the issue.

    Test:

    From the site B system, are you able to ping XG Port A3? Command on the console to confirm whether the XG has received the packets: console > tcpdump 'host <Remote IP e.g. 192.168.99.2> and icmp'
    If the IP is pingable and you have received the packets on the XG via tcpdump, check the next hop, i.e. 172.16.253.53. Check the same there: whether the XG received such packets. If not, check the ASA routing table; if so, check whether the packet is forwarded to the destination or not. If not, check the route table and ARP table. If so, check the next hop.

    Make sure you have rules VPN<=>DMZ, VPN<=>LAN, DMZ<=>DMZ (be careful about whether NAT is needed or not). In the firewall rules use ANY ANY to test the connection, then you can be more specific in the network definitions. If you are testing via LAN, make sure you have rules LAN<=>DMZ, LAN<=>LAN, DMZ<=>DMZ.

    Asymmetric routing does not work while using VPN, so make sure that the network used for the asymmetric route is not used. However, it is applicable for LAN/DMZ/WAN.

    Post the results for each test.

  • I finally resolved my problem; it was a NAT problem on the Cisco firewall, but I still can't reach the remote site when in VPN.

  • Good to hear that.

    When you are in VPN? On the ASA, I guess. Make sure to include the network segment you receive from your ASA inside the XG firewall rules and static routes too.

    Use drop-packet-capture while you are in vpn.

    Regards

  • Hello Luc,

    I'm in VPN on the XG firewall, and I'm trying to reach the remote country. I can already reach site B. Do you have any ideas?

    Thank you

  • Amine,

    Inside the allowed resources of the SSL profile, also put the remote site, and make sure a firewall rule exists that allows the traffic.

    Regards

  • Luc,

    The resources in the VPN configuration are: Network Site A, Network Site B. I have added the networks of the remote country (5), I even added the interface PortA4, but I still can't reach the remote servers.

    I applied the rule with and without NAT.

    Regards

  • Problem solved. I have created a new NAT rule for the firewall rule VPN -> Remote Site (resources); I put the FW IP 172.22.64.1, so all traffic going to the remote site will have the IP of the firewall, which makes me think that the remote site accepts traffic only from Site B or A networks... to be confirmed. Thank you very much for your help.
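The route-then-next-hop checks in the first reply and the SNAT fix in the final post, as an added Python example that is not part of this thread: a small model of the XG longest-prefix route lookup plus the far end's return path, showing why VPN-pool traffic to the remote country only gets answered once it is source-NATed to the firewall IP. Only 172.22.64.1 and 172.16.253.53 come from the thread; every prefix below is assumed.

```python
import ipaddress

# Constructed topology for this example. The thread gives only the firewall IP
# 172.22.64.1 and the MPLS next hop 172.16.253.53; every prefix below is assumed.
FW_IP = ipaddress.ip_address("172.22.64.1")
SITE_A = ipaddress.ip_network("172.22.64.0/24")    # assumed site A LAN
SITE_B = ipaddress.ip_network("192.168.99.0/24")   # assumed site B LAN (behind ASA)
VPN_POOL = ipaddress.ip_network("10.81.234.0/24")  # assumed SSL VPN client pool
REMOTE = ipaddress.ip_network("10.50.0.0/16")      # assumed remote-country network
MPLS_GW = ipaddress.ip_address("172.16.253.53")

# XG routing table: (prefix, next hop). Longest prefix wins, default route last.
ROUTES = [
    (REMOTE, f"MPLS via {MPLS_GW}"),
    (SITE_B, "PortA3 via ASA"),
    (SITE_A, "PortA1 local"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]

# What the remote country site knows how to route back to. The final post
# concludes it only handles traffic sourced from the site A and site B ranges.
REMOTE_RETURN_ROUTES = [SITE_A, SITE_B]


def lookup(dst, table):
    """Longest-prefix match of dst against table; returns (prefix, hop) or None."""
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def forward(src, dst, snat_vpn_to_remote=False):
    """Trace one packet through the XG and check whether the far end can reply.

    Returns (outgoing hop, source address as seen by the destination, reply_ok).
    snat_vpn_to_remote models the NAT rule from the final post: traffic matching
    the VPN -> Remote Site firewall rule has its source rewritten to FW_IP.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    prefix, hop = lookup(dst, ROUTES)          # default route guarantees a match
    eff_src = src
    if snat_vpn_to_remote and src in VPN_POOL and dst in REMOTE:
        eff_src = FW_IP
    # A reply only comes back if the far end has a route to the source it saw.
    reply_ok = prefix != REMOTE or any(eff_src in n for n in REMOTE_RETURN_ROUTES)
    return hop, str(eff_src), reply_ok
```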