Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 10734 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Using DNS server in AWS VPC over VPN

mrburrito
I'm running UTM 9 locally and I've successfully connected three Amazon VPCs to my local network. I'm using Route53 for private DNS on the internal network and I wanted to configure the DNS resolver on the UTM box to use a proxy service I have configured in one of my VPCs. While I can successfully use my proxy from any machine on my local network, it doesn't appear to be accessible from the UTM machine (can't ping, can't resolve, requests just timeout, etc.). How can I fix this?

What I've done so far:
- Configured a Bind server in AWS (192.168.32.5) that forwards requests to Amazon's DNS server (192.168.32.2) since Route53 private zones are only accessible within a VPC.
- Created a VPN connection from my AWS Cloud to the UTM machine (192.168.20.100)
- Configured a static DNS route for mydomain.local that points to 192.168.32.5
- Configured Google's nameservers as the forwarding name servers for the UTM box
- Configured DHCP to provide the UTM server as the nameserver for all clients on the local network

How do I configure the UTM box so it can see the AWS instances over the VPN?


This thread was automatically locked due to age.
Parents
  • 0

    The Sophos will use the 169.254 address as the source ip address when it is trying to communicate over a VPN tunnel to your VPC. You need to change the source IP address used by the Sophos and stop it using a 169.254 address as the source.

     

    Create a new source NAT rule for each VPC tunnel IP address. Set up the NAT rule as follows:

    Source: 169.254.x.x (your VPC tunnel ip address on your Sophos)

    Service: Any (or DNS, or ICMP, whatever you need)

    Destination: Your VPC subnet CIDR block (e.g. 192.168.1.0/24)

    Source IP address changes to: put your Internal LAN ip address in here (just the host address, create a network definition if you don't have one)

    Make sure you have put your internal network into the Amazon VPC networks section of the VPC configuration on the Sophos so AWS can route to the Sophos to get to your internal lan address on your Sophos. 

    And finally, ensure your firewall rules AND your AWS ACL's and security groups aren't blocking the above source/destination/protocols

Reply
  • 0

    The Sophos will use the 169.254 address as the source ip address when it is trying to communicate over a VPN tunnel to your VPC. You need to change the source IP address used by the Sophos and stop it using a 169.254 address as the source.

     

    Create a new source NAT rule for each VPC tunnel IP address. Set up the NAT rule as follows:

    Source: 169.254.x.x (your VPC tunnel ip address on your Sophos)

    Service: Any (or DNS, or ICMP, whatever you need)

    Destination: Your VPC subnet CIDR block (e.g. 192.168.1.0/24)

    Source IP address changes to: put your Internal LAN ip address in here (just the host address, create a network definition if you don't have one)

    Make sure you have put your internal network into the Amazon VPC networks section of the VPC configuration on the Sophos so AWS can route to the Sophos to get to your internal lan address on your Sophos. 

    And finally, ensure your firewall rules AND your AWS ACL's and security groups aren't blocking the above source/destination/protocols

Children
No Data
Unfiltered HTML