How to connect to a subnet behind a Remote Access SSL VPN client

Hi!

I created a Remote Access SSL VPN Profile, with a masquerade rule (VPN Pool (SSL) --> Internal). I'm using an Asus router on the remote site.
The Asus router has a built-in VPN client and it was pretty easy to configure. The Asus router connects without any problems and, thanks to the masquerade rule, the clients on the remote subnet (behind the Asus router) can connect to the clients on the internal subnet (behind the Sophos UTM) without any problems.

I would like to connect from an internal client to a host on the remote subnet (behind the Asus router). Because I use the default VPN Pool (SSL), the Asus router SSL VPN client is on IP address 10.242.2.2. I can connect to the Asus web interface (on 10.242.2.2) from a client on the internal subnet. I can't connect to a host on the 192.168.0.0/24 subnet.

Obviously the internal client is sending traffic for 192.168.0.0/24 to its gateway, the Sophos UTM. But when I use the support tools on the UTM and trace traffic from the UTM to 192.168.0.0/24, it sends that traffic to its gateway (the ISP router) :-(
How can I tell the UTM to send traffic for 192.168.0.0/24 to gateway 10.242.2.2 (the Asus router)?
To be clear:

Internal subnet - SOPHOS UTM <------------------ ASUS Router built-in OpenVPN client - Subnet on remote site (192.168.0.0/24)

Regards!

Jeroen

This thread was automatically locked due to age.
  • Are you using a site-2-site SSL connection between the Asus and the Sophos?

    Did you correctly configure Local and Remote Network(s)?

    And as Balfson said above, if both sites use the same internal IP network (192.168.0.0/24), then you will need to either change the subnet on one of the sites or NAT between the subnets.

    See my attached picture for an example of the Local and Remote subnets (as viewed from the server which in my case is the Sophos UTM)


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Hi apijnappels,

    Thank you for your reply! I don't use a site-2-site SSL connection. I use a Remote Access SSL VPN client. The Asus router is acting as an SSL VPN client, using its built-in SSL VPN client.
    The IP subnet on the internal site is 10.0.0.0/24 and the IP subnet on the remote (client) site is 192.168.0.0/24.

    Regards,

    Jeroen

  • Hi Jeroen, I'm not sure if what you want is possible using just remote access VPN, since all the UTM knows about is the remote access IP address it assigns when connecting.

    You should try whenever possible to use a site-to-site solution when connecting routers to each other. Perhaps your ASUS also supports IPsec site-2-site?


  • It's possible to jury-rig something, but like apijnappels says, the right answer is a site-to-site.

    1. Let's say you've created a Local User object "asus" and have given it permission to access your network.  This will have created an "asus (User Network)" object.
    2. Create a Static Gateway route: 192.168.0.0/24 via "asus (User Network)."

    When the Asus is logged in to the UTM, the "asus (User Network)" object will be populated.

    In the remote site, configure the Asus to masquerade traffic from 10.0.0.0/24 out its internal interface.  If that's not possible, each of the devices behind it will need a permanent route like

         > route -p ADD 10.0.0.0 MASK 255.255.255.0 192.168.0.1 METRIC 3 IF 0

    Please share the results of your test.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks again! I'm not allowed to drag-and-drop the "asus (User Network)" into the gateway field/box. Only hosts and availability groups are allowed. (When I drag-and-drop the "asus (User Network)", it returns to the list after I release it.)
    To make sure we are talking about the same interface, I attached a screenshot. (I'm using version 9.403-4)

    Regards,

    Jeroen

  • Yes, I see now that only Host and Availability Group definitions are accepted there.  Sooooo, let's play a trick!

    Define an Availability Group with, in order, 10.242.2.2, 10.242.2.6, 10.242.2.10 and 10.242.2.14 and use that as the Gateway for the Route.  You could try instead to just use the Host for 10.242.2.2 if the Asus is virtually-always connected.

    Cheers - Bob
  • This might work, but be aware that this route will engage on any other remote connection whenever that one is connected and 10.242.2.2 is not.

    It might be possible to just add the "asus (User Network)" to the availability group (I did not test this).
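The availability-group route proposed above simply follows the first pool address that is up, so, as the last reply warns, whichever remote-access user happens to hold 10.242.2.2 (or the next address in the group) receives the traffic for 192.168.0.0/24. The following is an added Python example, not code from the thread, from Sophos, or from any of the posters: it parses OpenVPN's standard version-1 status file layout ("OpenVPN CLIENT LIST" / "ROUTING TABLE" / "END") and reports whether the address the route points at is really held by the "asus" user. The status text, the user names and the Asus's common name are constructed; where the UTM keeps its OpenVPN status file is not stated in the thread, so the script takes the path as a command-line argument instead of assuming one. It also generalizes Bob's list of 10.242.2.2, .6, .10, .14 by deriving it from OpenVPN's default net30 topology (each client gets a /30 and sits on the .2 of it), which is an assumption about how the UTM's pool is carved up.

```python
"""Audit who currently holds the SSL VPN pool address that a static route
points at.  Added example: parses OpenVPN's version-1 status file format;
user names, common names and sample contents are constructed and not taken
from the thread or from Sophos.
"""
import ipaddress
import sys

# Constructed sample: the Asus is offline, an ordinary remote-access user has
# been handed 10.242.2.2, and another user holds 10.242.2.6.
SAMPLE_ASUS_DOWN = """\
OpenVPN CLIENT LIST
Updated,Mon Jan 11 09:00:00 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-a,198.51.100.7:51234,10240,20480,Mon Jan 11 08:55:00 2016
laptop-b,198.51.100.9:40001,512,1024,Mon Jan 11 08:58:00 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.242.2.2,laptop-a,198.51.100.7:51234,Mon Jan 11 08:59:58 2016
10.242.2.6,laptop-b,198.51.100.9:40001,Mon Jan 11 08:59:59 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed sample: the Asus is connected and holds 10.242.2.2.
SAMPLE_ASUS_UP = """\
OpenVPN CLIENT LIST
Updated,Mon Jan 11 09:05:00 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
asus,203.0.113.5:1194,4096,8192,Mon Jan 11 09:01:00 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.242.2.2,asus,203.0.113.5:1194,Mon Jan 11 09:04:59 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def net30_client_addresses(pool, count):
    """Client addresses of a net30 pool: each client gets a /30 and sits on
    its .2, so the sequence is .2, .6, .10, .14, ... (assumed default
    topology; it reproduces the four addresses in the availability group)."""
    net = ipaddress.ip_network(pool)
    return [str(net.network_address + 4 * i + 2) for i in range(count)]


def parse_routing_table(status_text):
    """Map virtual address -> common name from the ROUTING TABLE section."""
    owners = {}
    in_table = False
    for line in status_text.splitlines():
        line = line.strip()
        if line == "ROUTING TABLE":
            in_table = True
            continue
        if line in ("GLOBAL STATS", "END"):
            in_table = False
            continue
        if not in_table or line.startswith("Virtual Address,"):
            continue
        fields = line.split(",")
        if len(fields) >= 2:
            owners[fields[0]] = fields[1]
    return owners


def pick_route_gateway(status_text, candidates, expected_cn):
    """Mimic the availability-group route: the first candidate address that
    is currently assigned wins.  Returns (gateway, owner, safe); safe is True
    only when that address is held by expected_cn."""
    owners = parse_routing_table(status_text)
    for gw in candidates:
        if gw in owners:
            return gw, owners[gw], owners[gw] == expected_cn
    return None, None, False


def audit(status_text, pool="10.242.2.0/24", expected_cn="asus", count=4):
    """Human-readable verdict for the 192.168.0.0/24 route."""
    gw, owner, safe = pick_route_gateway(
        status_text, net30_client_addresses(pool, count), expected_cn)
    if gw is None:
        return "no candidate gateway is up; 192.168.0.0/24 is unreachable"
    if safe:
        return "route to 192.168.0.0/24 goes via %s, held by %s: OK" % (gw, owner)
    return ("route to 192.168.0.0/24 goes via %s, but that address is held by "
            "%s, not %s: branch traffic would be sent to the wrong client"
            % (gw, owner, expected_cn))


if __name__ == "__main__":
    # Pass the path of the live status file to audit it; with no argument the
    # two constructed scenarios are shown.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit(fh.read()))
    else:
        print(audit(SAMPLE_ASUS_DOWN))
        print(audit(SAMPLE_ASUS_UP))
```

Run without arguments to see both verdicts; run with the status file path to check a live UTM. The first scenario is the failure mode from the last reply: the route's gateway is up, but it belongs to laptop-a, so an internal client's packets for the branch office would be delivered to someone else's laptop rather than dropped, which is a reason to prefer the single-host gateway (or a site-to-site tunnel) over the availability group.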