Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 28 replies
  • Subscribers 1 subscriber
  • Views 16356 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need to masquerade for SSL VPN

FrancWest
Hi,

the only way I can get SSL VPN working is by masqerading the VPN SSL Pool to the internal network. If I don't enable this the SSL VPN connects fine, but no traffic is being routed to the internal network (which is specified on local networks tab in the SSL VPN config). Any idea why I must do this? IS it because I've to NIC on the internal side of the ASL (one to the DMZ and one to the internal network)?

Franc.


This thread was automatically locked due to age.
  • 0 in reply to FrancWest
    What settings do you have on the 'ICMP' tab of 'Network Security >> Packet Filter'?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Allow ICMP on firewall : checked
    Allow ICMP through firewall: checked
    Log ICMP redirects: unchecked

    Firewall is ping visible: checked
    ping from firewall: checked
    firewall forwards pings: checked

    Firewall is traceroute visible: checked
    Traceroute from firewall: checked
    Firewall forwards traceroute: checked

    Franc.
  • 0 in reply to FrancWest
    This just doesn't make sense.  I know you told us what's on the 'Global' tab of SSL, but the only thing I can think of is to ask again for a picture of that.  It sounds like everything is right.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,

    I know, I don't get it either ;-) When I start a ping -t  I get a reply, when I disbale the MASQ rule I immediately receive request time out...

    See attachments.

    Franc.
  • 0 in reply to FrancWest
    Franc, do you have any other NAT or Masq settings which could be interfering?
    Any policy routes?

    Barry
  • 0 in reply to BarryG
    Hi Bob,

    no I don't. The only MASQ rules I've set are from the host in the DMZ to External, Firewall on Internal network to External and VPN Pool (ssl) -> Internal

    No packet filter rules regarding the SSL VPN

    Franc.
  • 0 in reply to FrancWest
    Very strange.  What about your SNAT and DNAT rules?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,

    I've sent the screenshots of my DNAT/SNAT rules to you by private message if you don't mind.

    Edit: hmmm, it seems I'm not able to send attachments using private messages.

    Franc.
  • 0 in reply to FrancWest
    Yes, received the email.  Everyone, I can't see anything in his 11 DNATs that would hi-jack ping traffic - or anything else for that matter.

    I don't understand.  It seems like it's not getting the routing.  At this point the only thing I can think of is to completely uninstall the SSL client, then re-install from the User Portal.  Something didn't "take" the first time.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,

    thanks. But is there some explanation that everything works fine when I enable the masquerading rule? When everything is OK once the MASQ rule is active then it couldn't be the client, could it ?

    Franc.
Cookie Information Banner