
Assigning an internal IP address to a user via SSL VPN

Hello everyone,

I need to assign a user who dials in via VPN an IP address from our internal network.
Do you have any tips on how best to go about this?

Many thanks in advance!

Best regards
Christian



  • Hello Christian,

    First of all, a warm welcome to the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. :( )

    1. Configure a fixed Additional Address "Username" on the Internal interface
    2. 'SNAT : Username (User Address) -> Any -> Internal (Network) : from Internal [Username] (Address)'

    Note that "Username (User Address)" is populated with the IP assigned to the VPN client when Username logs in.  Is that what you were looking for?

    Best regards - Bob (Please feel free to continue in German.)

  • SSL VPN client with a fixed IP in the local LAN, reachable from the local LAN by other clients

    Hi Bob,

    while searching for a solution to my very similar problem I kept stumbling across your posts. Unfortunately your answers are not detailed enough for me to adapt them to my case....

    Starting point:
    Sophos UTM 9
    Local LAN 192.168.0.0/24
    External client is connected via SSL VPN and gets an IP from the VPN pool (10.242.2.0/24)

    Problem:
    The external client must be reachable from the local LAN via a fixed IP

    Approach (from Bob's posts):

    1. Configure a fixed Additional Address "Username" on the Internal interface
    2. 'SNAT : Username (User Address) -> Any -> Internal (Network) : from Internal [Username] (Address)'

    I tried this but couldn't get it to work....

    Under

    Interfaces & Routing > Interfaces > Additional Address

    I created a new object with

    Name: OSB
    Interface: LAN
    IPv4 address: 192.168.0.247

    Under

    Network Protection > NAT > NAT > Add NAT Rule

    I then tried various settings without success to implement Bob's suggestion 'SNAT : Username (User Address) -> Any -> Internal (Network) : from Internal [Username] (Address)'. What would be the "right" settings here?

    Group: ::No Group::
    Position: bottom
    Rule type: SNAT

    Matching condition
    For traffic from: [What goes here? It seems it could be "OSB (Address)" or "OSB (User Network)", or ?]
    Using service: Any
    Going to: [What goes here? It seems it could be "LAN", or ?]

    Action
    Change the destination to: [What goes here?]
    And the service to: [What goes here?]

    Automatic firewall rule: ticked active

    For security and performance reasons I unfortunately need SSL VPN. L2TP/IPsec is probably too slow....

    Grateful for any input.

    Christian

  • Hi Christian - a warm welcome to the Community!

    I see that you're comfortable with English, and that's easier for me to think in even if I can still read/hear German easily, so ...

    "Problem: 
    "Der externen Client muss aus dem lokalen LAN über eine fest IP erreichbar sein"

    I interpreted the intent of CKL was to have the SSL VPN client traffic appear to be coming from the LAN, so my answer above was for traffic initiated from the client, not for traffic originating on the LAN that needed to be sent to the client.  In your case, a Source NAT is not what you need.

    I assume that your SSL VPN Profile gives the user named OSB access to "LAN (Network)" and that you have the Additional Address in place as you wrote above.  You want a Destination NAT like:

    Rule type: DNAT

    Matching condition
    For traffic from: LAN (Network)
    Using service: Any
    Going to: LAN [OSB] (Address)

    Action
    Change the destination to: OSB (User Network)
    And the service to: (leave this blank - see #5 in Rulz)

    Automatic firewall rule: ticked active

    Users and devices on the LAN will now be able to reach OSB's SSL VPN client at 192.168.0.247.

    Did that help?

    Best regards - Bob

  • Hi Bob,

    I'll stick to English, even if this is the German forum. Whoever understands your answers will probably understand my question ;)

    Unfortunately your answer didn't resolve my problem, even if it brought me a long way to grasping what the UTM9 is actually doing. I've been reading up in the documentation and experimenting as well, but it's quite clear I'm still a novice. Any further input would be much appreciated.

    I'll recap the problem a little more verbosely, so others can follow it.

    Goal:
    - My remote box connects via Remote Access VPN (preferably SSL VPN) to local LAN
    - Hosts in the local LAN need full access to my remote box by some IP (all ports, UDP and TCP)
    - This IP should ideally be fixed, or at least determinable after my remote box connects

    Setup:
    - WAN IP of remote box is dynamic and shared
    - My remote box is behind one or more NATs
    - Local LAN is 192.168.0.0/24
    - SSL VPN Pool is 10.242.2.0/24
    - Remote LAN is not in conflict with local LAN or pool

    Attempted solution in UTM9, according to Bob's post:
    - In "Definitions & Users > Users & Groups > Users" I created a new User "OSB", with "Authentication Local", Password and X509 Certificate "OSB (X509 User Cert)", no static remote access IP or other options
    - In "Interfaces & Routing > Interfaces > Additional Addresses" I created a new object "OSB_IP", with "On interface: LAN", "IPv4 address 192.168.0.246", "Netmask /24 (255.255.255.0)"
    [Note: I presume this needs to be active and will be "assigned" to the remote access user "OSB" when this user connects...]
    - In "Remote Access > SSL > Profiles" I created a new object "SSLVPNOSB", adding the "OSB" user under "Users and Groups" and "LAN (Network)" under "Local Networks" with "Automatic firewall rules" box ticked active
    - In "Network Protection > NAT > NAT" I created a new unnamed object with
    "Group: ::No group::"
    "Rule type: DNAT (destination)"
    Matching condition
    "For traffic from: LAN (Network)"
    "Using service: Any"
    "Going to LAN [OSB_IP] (Address)" [Note: the "OSB (Address)", as suggested in Bob's post, is not available here. This may well be my problem, however I'm at a loss what else could go here. OSB doesn't have an address before it connects, correct?]
    "And the Service to:" (left blank)
    Action
    "Change the destination to: OSB (User Network)"
    "Automatic firewall rules" box ticked active

    All should be well now, right? However...

    Results:
    - Remote Access with SSL VPN works fine, my box can see and access all hosts on local LAN
    - The box gets an IP from the pool, e.g. 10.242.2.2 .3 etc.
    - After allowing ICMP on and through gateways and from external networks, I can ping the pool IP from hosts in the local network and even from other boxes connected via SSL VPN to the same pool
    - Other access from local LAN or between the boxes connected via SSL VPN is not possible
    - The "Additional Address" can be pinged only if it is set active manually under "Interfaces & Routing > Interfaces > Additional Addresses", but my remote box is not otherwise accessible
    - Information in Live Log seems fine, except I can't find any indication that the "Additional Address" is assigned/connected to the remote box in any way

    Other Ideas:
    - If possible I would have no problem with ALL boxes connected via SSL VPN to be accessible from hosts on the local LAN. I tried adding a Firewall rule to allow this, but I seem to need something more... 

  • Excellent post, Christian.

    - In "Interfaces & Routing > Interfaces > Additional Addresses" I created a new object "OSB_IP", with "On interface: LAN", "IPv4 address 192.168.0.246", "Netmask /24 (255.255.255.0)"

    A /24 Additional Address can cause routing problems.  I recommend /32 for all Additional Addresses.

    [Note: I presume this needs to be active and will be "assigned" to the remote access user "OSB" when this user connects...]

    This is what the DNAT accomplishes, so it must be enabled.

    OSB doesn't have an address before it connects, correct?

    Correct.

    - Other access from local LAN or between the boxes connected via SSL VPN is not possible

    What does this mean?  What do you learn from doing #1 in Rulz?

    Read #2 in Rulz to learn about regulating pinging.

    Cheers - Bob
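The following is an added example, not code from the thread or from the UTM itself. It models netfilter-style NAT rule evaluation plus connection tracking, which is what UTM 9 uses underneath its NAT rules, to make two points from Bob's answers concrete: an SNAT rule only rewrites traffic the SSL VPN client initiates, so LAN-initiated traffic to the fixed Additional Address needs a DNAT rule; and a rule that references "OSB (User Network)" cannot match until that user is connected, because the object has no address before then. The IPs are the ones from the thread; the user name OSB, the pool lease 10.242.2.2, the LAN host 192.168.0.10 and the ports are assumptions for illustration.

```python
# Added example; not code from the Sophos UTM thread or from the product.
# Assumptions for illustration: user OSB, pool lease 10.242.2.2, LAN host
# 192.168.0.10, made-up ports. The model maps each NAT target to one host.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")        # "LAN (Network)" in the thread
VPN_POOL = ip_network("10.242.2.0/24")    # SSL VPN pool in the thread
OSB_ADDITIONAL = "192.168.0.246"          # the /32 Additional Address on the LAN interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class User:
    """A UTM user object; its "User Network" exists only while the user is connected."""
    name: str


@dataclass(frozen=True)
class Rule:
    kind: str              # "SNAT" (rewrite source) or "DNAT" (rewrite destination)
    traffic_from: object   # ip_network, host address string, or User
    going_to: object
    change_to: object      # new source (SNAT) or destination (DNAT); host or User


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = {}   # user name -> pool IP leased at login
        self.conntrack = {}  # reply-direction 5-tuple -> original packet, for un-NATting

    def login(self, user: User, pool_ip: str):
        assert ip_address(pool_ip) in VPN_POOL, "lease must come from the SSL VPN pool"
        self.sessions[user.name] = pool_ip

    def logout(self, user: User):
        self.sessions.pop(user.name, None)

    def _resolve(self, obj):
        """Turn a rule object into an ip_network, or None if it has no address yet."""
        if isinstance(obj, User):
            ip = self.sessions.get(obj.name)
            return ip_network(ip) if ip else None
        return obj if not isinstance(obj, str) else ip_network(obj)

    def forward(self, pkt: Packet) -> Packet:
        """Return the packet as the UTM would emit it on the far side."""
        # 1. Replies to a tracked, translated connection are reversed first, as
        #    conntrack does, so no rule is needed for the return path.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
        # 2. First matching NAT rule wins; a rule naming a disconnected user is skipped.
        for rule in self.rules:
            src_net, dst_net, target = (self._resolve(o) for o in
                                        (rule.traffic_from, rule.going_to, rule.change_to))
            if None in (src_net, dst_net, target):
                continue
            if ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net:
                host = str(target.network_address)
                nat = replace(pkt, src=host) if rule.kind == "SNAT" else replace(pkt, dst=host)
                self.conntrack[(nat.proto, nat.dst, nat.dport, nat.src, nat.sport)] = pkt
                return nat
        return pkt   # no rule applies: forwarded untranslated


OSB = User("OSB")
# Bob's first answer: client-initiated traffic appears to come from the LAN address.
SNAT_ONLY = [Rule("SNAT", OSB, LAN, OSB_ADDITIONAL)]
# Bob's second answer: LAN-initiated traffic to the fixed address reaches the client.
DNAT_RULE = [Rule("DNAT", LAN, OSB_ADDITIONAL, OSB)]


def lan_reaches_client(rules, logged_in=True) -> str:
    """Where does a LAN host's SSH packet to 192.168.0.246 end up?"""
    fw = Firewall(rules)
    if logged_in:
        fw.login(OSB, "10.242.2.2")
    return fw.forward(Packet("192.168.0.10", 40000, OSB_ADDITIONAL, 22)).dst


if __name__ == "__main__":
    print("SNAT only        :", lan_reaches_client(SNAT_ONLY))         # 192.168.0.246
    print("DNAT             :", lan_reaches_client(DNAT_RULE))         # 10.242.2.2
    print("DNAT, OSB offline:", lan_reaches_client(DNAT_RULE, False))  # 192.168.0.246
```

With only the SNAT rule the LAN host's packet to 192.168.0.246 is never translated, so it stays with the UTM's own Additional Address and the client never sees it; with the DNAT rule it is delivered to the pool lease and the reply is rewritten back to 192.168.0.246 by the conntrack entry. The offline case shows why the "OSB (User Network)" object is empty until the user connects.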
