Basic VPN question

In https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/53527, mrainey posed a question about doing:

[home client] -> (SSL Remote Access) -> [ASG220] -> (IPsec Site-to-Site) -> [ASG120] -> [Terminal Server]


He was unable to accomplish this without:
  • adding the 'VPN Pool (SSL)' to 'Local networks' for the 'IPsec Connection' on the ASG220
  • creating a network definition on the 120 (SSL Pool on the 220) and adding it to 'Remote networks' for the 'Remote gateway' in the 120.

This makes it appear like he needs to allow the internal network of the 120 to access the 'VPN Pool (SSL)' on the 220. Is that an idiosyncrasy of Terminal Server, or is there a flaw in my understanding?*

Thanks - Bob
*OK, OK, I know there are lots of flaws. [:D]


  • But that's not how I understand it.  As I understand it:

    Site A

    Remote Gateway: [Public IP of Site B]
    Remote Networks: Astaro will create Gateway routes and packet filters to these at Site B
    Local Networks: Astaro will allow Site B access to these



    Site B

    Remote Gateway: [Public IP Site A]
    Remote Networks: Astaro will create Gateway routes and packet filters to these at Site A
    Local Networks: Astaro will allow Site A access to these


    If I'm connected to Site A via Remote Access, I should be able to reach, via the site-to-site, an IP inside Site B.  If someone inside site B tries to reach me, they won't be able to because Site A doesn't offer the VPN Pool to Site B.

    Or, does this have something to do with Strict Routing?

    Thanks - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dilandau is correct; this is how things have to be done so the Astaro VPN(s) know where to route the traffic.  Sort of like using static routes on a cisco routing infrastructure with 3 routers connected by 2 links (sort of in a chain, 2 T1s in the center one)... one has to add routes to define the "far" side WAN IP in order for routing to work end to end... it looks weird, but it's necessary.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
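As an added example (not part of the thread and not Sophos or Astaro code), here is a small Python model of the selector logic the replies describe: a gateway only puts a packet into the tunnel when its source lies in that gateway's 'Local networks' and its destination in its 'Remote networks', and the peer only accepts it when the mirror image holds on its own definitions. The prefixes, host addresses and function names are assumptions; it compares the original configuration, the 220-only change, and the two changes mrainey actually needed.

```python
import ipaddress

# Constructed prefixes: the thread names no addresses, so these are assumptions.
SSL_POOL = ipaddress.ip_network("10.242.2.0/24")      # 'VPN Pool (SSL)' on the ASG220
SITE_A_LAN = ipaddress.ip_network("192.168.20.0/24")  # ASG220 internal network
SITE_B_LAN = ipaddress.ip_network("192.168.10.0/24")  # ASG120 internal network
HOME_CLIENT = "10.242.2.5"                            # SSL remote-access user
TERMINAL_SERVER = "192.168.10.50"                     # behind the ASG120


def matches(local, remote, src, dst):
    """True when src is inside one of the 'Local networks' and dst inside one of
    the 'Remote networks' of an IPsec connection, i.e. the packet fits its selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in local) and any(d in n for n in remote)


def trace(a_local, a_remote, b_local, b_remote, src=HOME_CLIENT, dst=TERMINAL_SERVER):
    """Walk src -> dst through ASG220 (site A) and ASG120 (site B) and back.
    Returns None when both directions fit the selectors, else the first hop that fails."""
    if not matches(a_local, a_remote, src, dst):
        return "ASG220: src not in Local networks, packet never enters the tunnel"
    # The 120 judges inbound traffic against its own mirror-image definitions.
    if not matches(b_remote, b_local, src, dst):
        return "ASG120: src not in Remote networks, tunnel packet rejected"
    # The reply from the terminal server must also be claimed by the tunnel.
    if not matches(b_local, b_remote, dst, src):
        return "ASG120: reply has no tunnel selector, goes out the default route"
    if not matches(a_remote, a_local, dst, src):
        return "ASG220: reply not in Remote networks, rejected"
    return None


def compare():
    """Original config, the 220-only change, and the fix from the thread (both sides)."""
    original = trace([SITE_A_LAN], [SITE_B_LAN], [SITE_B_LAN], [SITE_A_LAN])
    only_220 = trace([SITE_A_LAN, SSL_POOL], [SITE_B_LAN], [SITE_B_LAN], [SITE_A_LAN])
    both = trace([SITE_A_LAN, SSL_POOL], [SITE_B_LAN], [SITE_B_LAN], [SITE_A_LAN, SSL_POOL])
    return original, only_220, both


if __name__ == "__main__":
    for label, result in zip(("original", "220 only", "both sides"), compare()):
        print(f"{label:>10}: {result or 'reachable in both directions'}")
```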
