Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 1 subscriber
  • Views 605 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limit access to SSL Service

andy.l
How can I easily limit VPN access to only certain external IP addresses?
Currently we only would like to be able to connect to the SSL VPN service from certain known IP addresses. If traffic is not coming from those known addresses we would like the firewall to block the traffic.

/Andy


This thread was automatically locked due to age.
Parents
  • 0
    The only way I know how to do this at present is with NAT rules.  This technique relies on what I call Rule #2:

    In general, a packet arriving at an interface is handled only by one of the following, in order:
    DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.


    Since the SSL VPN is faster using UDP rather than TCP Protocol, and you probably don't want to block all TCP 443 traffic to your UTM, start by changing the 'Settings' tab to UDP 2443, or something of the like.  Note that this is a general setting and also applies to site-to-site SSL VPNs.

    Now, make two NAT rules, respecting the order below:
    • No NAT : {Group of allowed addresses} -> {UDP 2443} -> External (Address)
    • DNAT : {Group of allowed addresses} -> {UDP 2443} -> External (Address) : to {unreachable IP}


    Did that do what you want?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    The only way I know how to do this at present is with NAT rules.  This technique relies on what I call Rule #2:

    In general, a packet arriving at an interface is handled only by one of the following, in order:
    DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.


    Since the SSL VPN is faster using UDP rather than TCP Protocol, and you probably don't want to block all TCP 443 traffic to your UTM, start by changing the 'Settings' tab to UDP 2443, or something of the like.  Note that this is a general setting and also applies to site-to-site SSL VPNs.

    Now, make two NAT rules, respecting the order below:
    • No NAT : {Group of allowed addresses} -> {UDP 2443} -> External (Address)
    • DNAT : {Group of allowed addresses} -> {UDP 2443} -> External (Address) : to {unreachable IP}


    Did that do what you want?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML