
Need to masquerade for SSL VPN

Hi,

the only way I can get SSL VPN working is by masquerading the VPN SSL Pool to the internal network. If I don't enable this the SSL VPN connects fine, but no traffic is being routed to the internal network (which is specified on the local networks tab in the SSL VPN config). Any idea why I must do this? Is it because I have two NICs on the internal side of the ASL (one to the DMZ and one to the internal network)?

Franc.


  • Please show a pic of your 'Remote Access >> SSL' 'Global' tab.  Also of the related packet filter rules if you aren't using 'Automatic packet filter rules'.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • On the global tab the following is specified:

    users and groups:

    only one account, my account

    local networks:

    internal network (network)

    Automatic packet filter rules is checked.

    Franc.
  • Are you sure the 'VPN Pool (SSL)' is disjoint from the 'Internal (Network)' subnet?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hmmm, now I look at it, could this be the problem:

    internal network is set to: 10.1.0.0/16

    VPN Pool (SSL) is set to: 10.242.2.0/24
  • Yes. The Pool must be a separate network.
    You can change the Pool in Definitions - Networks.

    Barry
  • Barry, aren't those already disjoint?  That shouldn't be a problem for him, should it?

    Thanks - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    correct me if I'm wrong, but when looking at the subnet masks aren't they already separate networks?

    When searching the forum, I read that more people need to setup a masq rule in order to get things going. Wondering if this is standard practice.

    Franc.
  • Oops, Bob you're right.

    Barry
  • Franc, you'd need Masq if you want VPN to access the internet.
    But for VPN - LAN, it doesn't matter.
    Check your packet filter log and see if you see any drops from the VPN.
    Also check the ICMP settings under PacketFilter-ICMP, and then try Ping and/or Traceroute from VPN to LAN.

    Barry
  • Hi,

    disabling the MASQ rule has the following effect:

    Pinging 10.1.2.81 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.1.2.81:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    tracert 10.1.2.81

    Tracing route to 10.1.2.81 over a maximum of 30 hops

      1    13 ms    14 ms    12 ms  10.242.2.1
      2     *        *        *     Request timed out.


    Packetfilter doesn't show any dropped packets.

    Franc.
  • What settings do you have on the 'ICMP' tab of 'Network Security >> Packet Filter'?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Allow ICMP on firewall : checked
    Allow ICMP through firewall: checked
    Log ICMP redirects: unchecked

    Firewall is ping visible: checked
    ping from firewall: checked
    firewall forwards pings: checked

    Firewall is traceroute visible: checked
    Traceroute from firewall: checked
    Firewall forwards traceroute: checked

    Franc.
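Barry's point that masquerade is not needed for VPN-to-LAN traffic, together with Franc's traceroute (first hop answers, then silence, no packet filter drops), is consistent with the LAN host having no return route to the VPN pool: masq hides that by rewriting the client's source to the UTM's own LAN address, at the cost of losing the real client IP in the internal hosts' logs. The script below is an added example, not from the thread or from Sophos; it uses the two subnets from the thread and assumes a UTM LAN address, a second router acting as the hosts' default gateway, a VPN client address and the pinged host's routing table (all constructed).

```python
import ipaddress

# Values taken from the thread: the UTM's internal network and its SSL VPN pool.
INTERNAL_NET = "10.1.0.0/16"
VPN_POOL = "10.242.2.0/24"

# Assumed values (not stated in the thread): the UTM's address on the internal
# network, another router the LAN hosts use as default gateway, one VPN client.
UTM_LAN_IP = ipaddress.ip_address("10.1.0.1")
OTHER_ROUTER = "10.1.0.254"
VPN_CLIENT = "10.242.2.6"

# Constructed routing table of the pinged host 10.1.2.81: (network, gateway);
# gateway None means the destination is on-link.
HOST_ROUTES = [
    (INTERNAL_NET, None),
    ("0.0.0.0/0", OTHER_ROUTER),
]

def pools_disjoint(a, b):
    """Bob's check: the VPN pool and the internal subnet must not overlap."""
    return not ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def next_hop(routes, dst):
    """Longest-prefix match; returns the address the host actually sends the
    packet to (the destination itself when on-link), or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    if best is None:
        return None
    return dst if best[1] is None else ipaddress.ip_address(best[1])

def reply_returns_via_utm(routes, client, masq=False):
    """With masq on, the LAN host sees the UTM's LAN address as the source and
    answers on-link; with masq off it answers to the pool address and follows
    its own routing table, which must point the pool back at the UTM."""
    seen_src = UTM_LAN_IP if masq else client
    return next_hop(routes, seen_src) == UTM_LAN_IP

if __name__ == "__main__":
    print("pool disjoint from LAN:", pools_disjoint(VPN_POOL, INTERNAL_NET))
    print("reply reaches UTM, masq off:", reply_returns_via_utm(HOST_ROUTES, VPN_CLIENT))
    print("reply reaches UTM, masq on: ", reply_returns_via_utm(HOST_ROUTES, VPN_CLIENT, True))
    fixed = HOST_ROUTES + [(VPN_POOL, str(UTM_LAN_IP))]  # static route instead of masq
    print("reply reaches UTM, static route:", reply_returns_via_utm(fixed, VPN_CLIENT))
```

The last case shows the alternative to masquerading: a route for the pool on the LAN hosts (or on their default gateway) keeps the real client address visible to the internal servers.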