Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 26 replies
  • Subscribers 1 subscriber
  • Views 16933 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN inbound thru UTM to 2012 R2 server

justinhow
I am interested in allowing Windows clients to directly VPN or Direct Access to my 2012 R2 server which is on the internal network. Can anyone help me on how I would allow/direct this traffic inbound, rather than the tunnel terminate at the UTM. 
I am familiar with DNAT, firewall rules etc but am not sure if letting VPN through is slightly different than the usual HTTP port 80 type stuff as it can also terminate at the firewall.
Also any big pros and cons as to which is best (tunnel into UTM or internal Server).
Thanks


This thread was automatically locked due to age.
  • 0
    So, you confirm that you checked and there was nothing in the Intrusion Prevention log file and that the 'Anti-DoS/Flooding' and 'Anti-Portscan' tabs show everything disabled?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    What's your DNAT look like, are you using any custom ports/service definitions, and do you see any relevant blocks for this connection in the firewall log?
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0
    Hi, Bob. 
    Yes, I confirm that there was nothing in the Intrusion Prevention log file and that the 'Anti-DoS/Flooding' and 'Anti-Portscan' tabs show everything disabled.

    Hi, Scott.
    I only have one NAT rule: 'DNAT : Any -> VPN Extended Protocols -> External (Address) : to {my internal 2012 R2 server}' 
    VPN Extended Protocols is a group I have created myself that includes GRE, and VPN Protocols (IPsec - AH, 
    IPsec - ESP, IPsec - IKE, IPsec - NAT-T, L2TP and PPTP).
  • 0
    DNAT seems fine then, from the description.

    and do you see any relevant blocks for this connection in the firewall log?
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0
    Hi.

    This is funny. I see lots of entries like this couple in the live firewall log:
    NAT rule #1 TCP   :20269 → :443
    Default DROP TCP   :20269→:443

    And with TCP port 80 also.

    Do I need to create manual firewall rules to allow TCP 80 and 443 from ANY to the internal VPN Server? 

    I added the 'Web surfing' protocols group to the 'VPN Extended Protocols' because I saw dropped TCP 80 and 443 packets.

    Note: I will be OOF next week, so don't expect responses from me until August 10th.
  • 0
    I added the 'Web surfing' protocols group to the 'VPN Extended Protocols' because I saw dropped TCP 80 and 443 packets.

    You can make that work, but it will make it more difficult to participate in the "culture" of the UTM.  Better to make a separate NAT rule for 443/80 inbound and use automatic firewall rules for both DNATs.  In fact, that comment is on a different topic and so should have been posted in a new thread.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi, Bob. Thanks for your comments.
    However, L2TP/IPSec based VPN still not working.

    Regards
  • 0
    Please click on [Go Advanced] below and attach pictures of your DNATs.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Please, find attached the set of rules from my Sophos UTM.

    Thanks
  • 0
    Please, find attached the set of rules from my Sophos UTM.

    Thanks
Unfiltered HTML