Simple PPTP VPN solution became a nightmare... I need an extra pair of eyes to tell me what's wrong

So I have a little group within our office, they have a LAN (LAN B), DHCP server and Internet access by UTM 9.404-5

LAN B = 10.10.15.0 - 255.255.0.0

I also have a larger LAN (LAN A) which is separated from LAN B via a Cisco switch and ACLs

LAN A = 10.10.10.0 - 255.0.0.0

I have a server (10.10.10.43) in LAN A and I needed to grant LAN B access only to this server, which I did with a port ACL on the switch.

Everything works fine, I can ping only the server 10.10.10.43 from LAN B, and of course this server is available to LAN A as well.

Now I need to allow some of these workers who are part of LAN B to have VPN.

I set up an SSL VPN first but I had problems with Windows 10 users, so I decided to use the simple "PPTP".

I configured it with the following info:

192.168.100.0 - 255.255.255.0

users, firewall rule and masquerading rules are enabled.

I can connect with no problem to the PPTP VPN

I can access the internet, I can ping the UTM 10.10.15.1 and even www.google.com.

But I can't ping the local servers in LAN B, for example 10.10.15.50, though I can do it with no problem on any machine connected to LAN B.

Now, considering that LAN B and the IP that I am getting from the VPN (192.168.100.0) are not on the same network:

Do I need to create routing rules? Please advise.

Thanks

Gaston



  • Hi, Gaston, and welcome to the UTM Community!

    You're right that you have a routing problem, but it takes a bit of guessing and reading between the lines of your description, so the following may not fit.

    If I understand your topology, LAN B is a subnet inside LAN A and LAN B is separated from the rest of LAN A by the UTM.  It's not clear, but I guess that there is no WAN connection directly to the UTM, and that the "External" interface of the UTM instead connects to the Cisco.  Unless you want to add a route in the Cisco for the 192.168.100.0/24 subnet behind the "External (Address)" of the UTM, you will need the SNAT recommended by Sachin or a masq rule like 'Author -> External' along with a firewall rule allowing 'Author -> Any -> Server'.

    Cheers - Bob

    PS (EDIT to answer your question just posted) SNAT for traffic coming from "Author" using service "Any" going to Server (10.10.10.43) ; change the source to "External (Address)" - assuming that the name of the interface connected to the Cisco is "External."

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
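Bob's answer comes down to a return-path question: the LAN host receives the ping from 192.168.100.x, but its reply only gets back if some device on the way has a route to the PPTP pool, and SNAT to the UTM's own address sidesteps that by making the reply go to an address the host already knows how to reach. The following Python script is an added example, not code from the thread or from Sophos; it simulates a host's forwarding decision with the masks quoted in the posts (LAN B 255.255.0.0, LAN A 255.0.0.0) and shows which replies get lost and which do not. The VPN client address (192.168.100.5), the Cisco address (10.10.10.254) and the UTM "External" address (10.10.10.1) are constructed placeholders, and it assumes the UTM is LAN B's default gateway, which the thread implies but does not state.

```python
"""Return-path check for the topology in the thread (added example).

Simulates the forwarding decision a host makes for its reply packet:
on-link (ARP directly), via a static route, via the default gateway, or
unroutable. Masks are exactly those stated in the posts.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address

# From the thread
LAN_B_UTM  = IPv4Interface("10.10.15.1/255.255.0.0")   # UTM internal interface, LAN B
LAN_B_HOST = IPv4Interface("10.10.15.50/255.255.0.0")  # local server in LAN B
LAN_A_HOST = IPv4Interface("10.10.10.43/255.0.0.0")    # server in LAN A
VPN_POOL   = "192.168.100.0/24"                         # PPTP pool

# Constructed placeholders (not from the thread)
VPN_CLIENT   = "192.168.100.5"   # a PPTP client address from the pool
CISCO_GW     = "10.10.10.254"    # LAN A default gateway (the Cisco)
UTM_EXTERNAL = "10.10.10.1"      # UTM "External (Address)" facing the Cisco


def next_hop(host, dst, static_routes=(), default_gw=None):
    """Forwarding decision of `host` (an IPv4Interface) for a packet to `dst`.

    static_routes: iterable of (network_str, gateway_str); longest prefix wins.
    Returns one of ("on-link", dst), ("via", gw), ("default", gw),
    ("unroutable", None), with addresses as strings.
    """
    dst = ip_address(dst)
    if dst in host.network:            # host will ARP for dst directly
        return ("on-link", str(dst))
    best = None
    for net_str, gw in static_routes:
        net = IPv4Network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is not None:
        return ("via", best[1])
    if default_gw is not None:
        return ("default", str(IPv4Address(default_gw)))
    return ("unroutable", None)


def overlapping_subnets(a, b):
    """True when two hosts' configured subnets overlap (a mask-design smell)."""
    return a.network.overlaps(b.network)


def thread_diagnosis():
    """Walk the reply paths for the pings described in the thread."""
    f = {}
    # LAN B server replying to a VPN client: off-link, so it goes to its
    # default gateway. If that is the UTM, the reply reaches the PPTP client.
    f["lan_b_reply"] = next_hop(LAN_B_HOST, VPN_CLIENT, default_gw=LAN_B_UTM.ip)
    # LAN A server replying to a VPN client: off-link, so it goes to the Cisco.
    # Without a route for the pool on the Cisco this reply is lost.
    f["lan_a_reply_no_route"] = next_hop(LAN_A_HOST, VPN_CLIENT, default_gw=CISCO_GW)
    # Bob's first option: a route on the Cisco for the pool via the UTM.
    f["cisco_with_route"] = next_hop(
        IPv4Interface(f"{CISCO_GW}/255.0.0.0"), VPN_CLIENT,
        static_routes=[(VPN_POOL, UTM_EXTERNAL)])
    # Bob's second option: SNAT the client to the UTM External address. With
    # the server's /8 mask that address is on-link, so no route is needed.
    f["lan_a_reply_after_snat"] = next_hop(LAN_A_HOST, UTM_EXTERNAL, default_gw=CISCO_GW)
    # Mask sanity: 255.0.0.0 on LAN A and 255.255.0.0 on LAN B overlap, so a
    # LAN B host treats 10.10.10.43 as on-link and never uses its gateway for it.
    f["masks_overlap"] = overlapping_subnets(LAN_A_HOST, LAN_B_HOST)
    f["lan_b_sees_lan_a_server_on_link"] = (
        next_hop(LAN_B_HOST, str(LAN_A_HOST.ip), default_gw=LAN_B_UTM.ip)[0] == "on-link")
    return f


if __name__ == "__main__":
    for key, value in thread_diagnosis().items():
        print(f"{key:32} {value}")
```

The useful output is the contrast between `lan_a_reply_no_route` (reply handed to the Cisco, which has no route for the pool) and `lan_a_reply_after_snat` (reply delivered on-link to the UTM), which is exactly why the SNAT or the Cisco route is needed. The last two keys flag that the two LANs' masks overlap; with those masks, LAN B hosts never send traffic for 10.10.10.43 through a gateway at all, which is worth knowing before adding any routing rule.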
  • Bob, thanks for your answer.

    To try to clarify and make things easier, let's focus on the LAN B alone.

    I have a UTM 9, the WAN connects to my ISP and the LAN connects to a switch

    The LAN is 10.10.15.0 / 255.255.0.0

    I have LAN users that connect via ethernet and get IPs from the UTM DHCP

    I have a local server in the same lan with ip 10.10.15.50

    Local users can connect

    I set up a PPTP VPN, I am using the default connection pool, I have configured the Firewall Rules and the Masq rule and I can connect from the internet, I can ping the UTM 10.10.15.1, I can browse the internet but I can't ping nor connect to the server 10.10.15.50

    Once I have that sorted out, I think I can take care of the other server.

    Thanks

    Gaston

  • I think Sachin and I got it right.  Please let us know if neither of us pointed you to a resolution of the issue.  If your issue persists, please show a network diagram with IPs and subnets.

    Cheers - Bob

    PS I will move this thread to the VPN & Remote Access forum.

  • Guys, thanks for all your replies. I tried with SNAT but couldn't make it work, so I just went with the external DHCP route provided by my Cisco switch on the PPTP VPN in the 10.10.15.0 range and that worked. Not elegant but it works.

    I need to investigate the internal access/routing with SSL and PPTP VPN more.

    Thanks again

    Gaston