Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 5762 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Static Route Issue: SSL Remote Acc VPN

garth1138
Running ASG 8.202 (ASG220 Appliance). Setup up first SSL Remote Access VPN using Astaro client software. 

Everything worked fine (could ping internal from remote and DNS resolved) with the following configuration:
Internal Interface Network is 10.241.0.0/23
SSL VPN IP Pool is 10.242.2.0/24
Interface Route set in Interfaces & Routing>Static Routing = SSL VPN -> Internal

When I changed the SSL VPN Pool to 10.241.100.0/24 so that the first two octets of SSL VPN matched Internal (have an application that checks firts two octets to determine user location of on- or off-site), then I lost connectivity: no pings to internal network. I had started/stopped VPN client & remade route multiple times as well.

Not understanding why the static route is not working with the second config. 10.241.0.0/23 and 10.241.100.0/24 are definitely two separate subnets.


This thread was automatically locked due to age.
  • 0
    Hi, Garth, and welcome to the User BB!

    Interface Route set in Interfaces & Routing>Static Routing = SSL VPN -> Internal

    That shouldn't be necessary.  What do you have in 'Local networks' in the SSL VPN definition?  Do you have 'Automatic firewall rules' selected?  When you changed the IP pool, did you change the value in the old definition, or did you create a new definition?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Bob,

    • I have the Internal Subnet (10.241.0.0/23) in the 'Local Networks' box of the SSL VPN definition
    • I edited the existing SSL VPN Pool and did not make a new one
    • The Automatic Packet Filter Rule box is ticked
  • 0
    Solved... 

    removed All static route information

    SSL VPN IP Pool set @ 10.242.2.0/24 still worked for access to Local Network

    Changed SSL VPN Pool to 10.241.100.0/24
    On Remote Access SSL, disabled and re-enabled
    also clicked 'Apply' on on Settings tab to Reapply VPN Pool

    was then able to access Local network with new IP Pool.

    So yes, Bob, Static route business was not necessary with "Automatic Firewall rules" box ticked. My bad. Thanks.
  • 0
    Hi, fwiw, static routes should almost never be needed between networks that are already local to the firewall (including VPNs configured on the firewall).

    Barry
  • 0
    Beyond that, static routes won't work to route traffic into a VPN (this may not be true beginning with V9.1).

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Beyond that, static routes won't work to route traffic into a VPN (this may not be true beginning with V9.1).

    Cheers - Bob


    Hi,

    Sorry for responding to a year old thread, but is it possible in 9.1 to do a static route through a site to site VPN?

    Thanks,

    Bruce
  • 0
    I'm fairly certain this hasn't changed, Bruce.  What traffic are you trying to get where?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML