Blocking access from internal range to an internal host is NOT working!

Hello,

I am having difficulty in blocking internal IPs from accessing services on another internal IP. The rule seems to have no effect whatsoever.

I have a UTM 9 with remote access (SSL VPN) setup in such a way that users logging in get static IPs mapped to them via the documented SNAT<-->DNAT rules for doing so; it SNATs the user network to a static IP, and a DNAT rule to replace the static IP with the user's network IP. This is working fine, and 192.168.1.x IPs via SSL VPN are mapped correctly to 10.100.1.x IPs. I am able to connect to hosts within the network from these IPs.

However, when I add a rule in the firewall to block all access from the "virtual static IPs" 10.100.1.2 - 10.100.1.5, for ALL services, to host 10.100.100.2, they have no effect at all. I tried both DROP and REJECT to no avail. I have tried removing the range and trying just one IP with no effect either. I don't know what I'm doing wrong. I am new to Sophos UTM, but these rules seem self-explanatory.

The rule is added at the bottom of the firewall list - AFTER the SNAT<-->DNAT rules are performed - although for effort's sake, I attempted to block the assigned SSL VPN IP from accessing the host and it too had no effect. I tried adding it to the top of the list as well and it did not work either.

What am I doing wrong here? Why am I unable to block hosts internally from communicating? I split these "virtual static IPs" into groups so that I could filter access from the VPN to internal hosts the users are permitted to contact and none else. However I am unable to implement this policy because the firewall does not seem to be working as it should.

Any help please?


Thank you!

Brian J

You can assign static VPN IPs to IPsec, L2TP/IPsec and PPTP Remote Access clients.

If you use SSL VPN Remote Access, you cannot assign fixed IPs, but you can make separate Profiles allowing restricted access to specific users. Assume that "Brian" is in three different Profiles. When he logs into the SSL VPN, he will have access via automatic firewall rules to items in each of the Profiles. In this way, you can get rid of all those NAT rules and replace them with a single Masquerading rule. The UTM manages the access, not the jump box - all it has to do is limit access to the primary IP on the UTM interface in its subnet.

You might not need the DNATs using your current approach as the UTM is a stateful firewall.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA
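A small model of the rule evaluation that Brian's question and Bob's answer describe, added here as an illustration and not code from Sophos or from either poster. It assumes two things about the packet path, as on netfilter-based firewalls: forward filtering is applied to the original (pre-SNAT) source address, and the automatic rules generated by an SSL VPN profile are evaluated before manually added ones. The 10.100.50.0/24 network, the single client mapping and the rule/scenario names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str          # "ALLOW", "DROP" or "REJECT"
    src: str             # CIDR, or an inclusive range written "first-last"
    dst: str
    auto: bool = False   # True for a rule generated by an SSL VPN profile


def matches(spec: str, ip: str) -> bool:
    """Match an address against a CIDR or an inclusive "first-last" range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def filter_verdict(rules, src, dst):
    """First matching rule wins; automatic rules sit above manual ones
    (assumption); no match means the implicit default deny."""
    for r in sorted(rules, key=lambda r: not r.auto):
        if matches(r.src, src) and matches(r.dst, dst):
            return r.action
    return "DROP"


def forward(rules, snat, src, dst):
    """Filter on the original source (assumption), then apply SNAT."""
    verdict = filter_verdict(rules, src, dst)
    if verdict != "ALLOW":
        return verdict, None
    return verdict, snat.get(src, src)


# Constructed scenario from the thread: one SSL VPN client, one mapping.
SNAT = {"192.168.1.2": "10.100.1.2"}
JUMP_HOST = "10.100.100.2/32"

# Brian's setup: the profile's automatic allow plus his manual block,
# even with the block listed at the top of the manual rules.
BRIAN = [Rule("DROP", "10.100.1.2-10.100.1.5", JUMP_HOST),
         Rule("ALLOW", "192.168.1.0/24", "10.100.0.0/16", auto=True)]

# Same rules with no automatic rule: the block still never matches,
# because filtering never sees the SNAT address 10.100.1.2.
NO_AUTO = [Rule("DROP", "10.100.1.2-10.100.1.5", JUMP_HOST),
           Rule("ALLOW", "192.168.1.0/24", "10.100.0.0/16")]

# Bob's approach: a profile whose Local Networks simply omit the host
# (10.100.50.0/24 is a constructed placeholder for the permitted hosts).
PROFILE = [Rule("ALLOW", "192.168.1.0/24", "10.100.50.0/24", auto=True)]
```

Running the three scenarios reproduces the symptom (both the range block and the single-IP block are bypassed) and shows the profile-based setup denying the host by default, which is the check worth repeating against the live rule list before adding more NAT.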