Site to Site SSL VPN - Firewall rules

Hi,

I've created a site to site SSL VPN between 2 of our sites. The VPN is working fine. Additionally, each site has an SSL VPN for remote access users. The remote access users connect to the primary VPN unless we have had a network failure, in which case we have failed services over to the other site, and then they simply use the secondary VPN for connection to the network. This all works fine. My primary issue here is that I want to limit what services can be accessed via the site to site VPN for both internal and remote access users. At the moment, there is an automatic firewall rule which has been created (when creating the site to site VPN) which allows "any" access (see image below). I want to remove the rule and replace it with a number of additional rules granting specific access to servers and ports from the "Teraco SSL VPN". I know how to do this, but something in the image below was bothering me. I have never seen a rule where there is the phrase "Containing xxx" (see last line in image). I am assuming the address it has given is the SSL VPN address assigned to the site to site connection. How would I recreate this part of the rule, and is it necessary?


Regards

Sean



  • Hi Sean,

    Is that your SSL VPN subnet that is showing in the Automatic rule? Simply create a FW-rule LAN>SERVICES>VPN and vice versa. Uncheck the automatic rule option in the IPSec policy and restart the tunnels.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • The address showing as "Containing 10.242.2.89" is part of the group on the second line "Teraco_SSLVPN". It is the default Sophos IP range for SSL VPNs. I know that I need to disable the auto firewall rule. I have never seen a rule with this "Containing ...." line, and wanted to know why\how it is there. If I created a rule for "Teraco_SSLVPN" - ANY - "Internal Main Network" would it be the same thing and if so, why is the auto rule displayed differently?

  • Sean, if the Teraco SSL VPN Profile is meant only to allow access to that server, then add only it to the Profile - no fancy, confusing firewall rules needed.

    Note that SSL VPN Profiles are additive.  If you as a user are allowed access under the Teraco Profile and you also have access to your desktop in another Profile, your SSL VPN login will give you access to both devices.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Sean,

    The Containing x.x.x.x is a user network definition which is resolved for a user host definition. On which side are you looking at this Fw-rule; Server or Client?

    I am not sure about why this shows up in the Auto FW-rule, we may find some idea from the configuration screenshots from both the ends.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    Finally... someone answering the actual question.. (please excuse the rant)

    This is showing on the server side rule. The client side does not show it this way. It is just a little weird looking. We have been using these firewalls since they were still branded as "Astaro", and I've never seen a rule which had this "containing ...." section.

    I have in the meantime disabled the auto creation rule, and created the rule manually (without the containing part) and everything seems to be working fine.
