
How to create a VPN between local computers on different network subnets?

Hello,

I have a rather interesting problem...

I have in my environment a computer with a static IP (192.168.1.9/24), and an ESXi host which runs Sophos as a VM.

I also have a Windows 8.1 VM (inside the ESXi host, of course), and it has the IP 192.168.2.15/24.

I can give that VM two legs (for connecting to the Internet and to the local resources): one internal (which sits behind the Sophos) and one external (which connects directly to the Internet).

For security reasons, I don't want to connect that VM to the external leg, but rather connect the VM via VPN to the 192.168.1.0/24 network (for the resources).

My problem starts here:

I used PPTP (I tried SSL and IPsec, but they are not working for my setup), and I managed to connect the VPN... but I keep getting this address:

192.168.1.2/36, never mind the fact that my ESXi has the 192.168.1.2/24 IP address...

I am at a loss; I tried combing through the Internet, with no luck.

Please, I do need your assistance.



  • Why not use a Site-to-Site tunnel instead of Remote Access?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for your comment, but

    how can the site-to-site solution help me?

    I am afraid I am not too familiar with site-to-site with only one Sophos.

  • The "Remote Computer" should be able to access the "Resources" with just a firewall rule in the UTM.  Have you tried that?

    Cheers - Bob

  • How can I do that?

    P.S.

    I am a little bit of a noob when it comes to firewalls (and Sophos).

  • Please show a picture of the Interfaces on the 'Interfaces' tab in 'Interfaces & Routing'.

    Cheers - Bob

  • Here you go:

    The Interfaces tab:

    External Settings:

    Internal Settings:

  • I don't see 192.168.1.1 on your network diagram - is that the IP on ESXi instead of 192.168.1.2?

    Cheers - Bob

  • 192.168.1.1 is the IP of my modem/router; the IP that the ESXi has is 192.168.1.2.

    The IP of the WAN port of the Sophos is 192.168.1.3 (its default gateway is the router).

    The IP of the LAN port of the Sophos is 192.168.2.1.

  • There are two ways to allow the 192.168.2.0/24 network to access devices on 192.168.1.0/24:

    1. Make a masquerading rule 'Internal (Network) -> External'.
    2. In the "Modem & Router" device, add a gateway route '192.168.2.0/24 via 192.168.1.3'

    I assume that you have a Firewall rule already in place like 'Internal (Network) -> Any -> Any : Allow'.  If not, show a picture of the Firewall tab so we can see which rules you have.  I also assume that the default gateway for all of the devices in 192.168.1.0/24 is 192.168.1.1.

    My preference is the second solution since it does not require double-NAT for traffic 'Internal (Network) -> Internet'.

    Cheers - Bob

  • Well, you are correct in your assumption that I had made the Internal -> External rule, but only to give Internet access to my VM computers.

    Unfortunately, my modem/router is a dumb device (and I have no room for an external router; believe me, I wish I had).

    I only wish to have a single computer that will have access to the resource, without giving all the VMs access. I did not include it, but I have 3 more VMs that I do not want to have access to my own network (192.168.1.0/24).

  • OK, an unusual approach might be just the ticket...

    For all of the devices on the .1. network, set their default gateway to the .1.3 IP of the UTM and then leave the UTM as the only device with a default gateway pointing at your router-modem. Then the .2. network should have a firewall rule allowing traffic to the Internet, not to All.  Make another firewall rule that allows traffic from the remote computer to the resources.

    Cheers - Bob

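Bob's three options above (a masquerading rule on the UTM, a static route for 192.168.2.0/24 on the modem/router, or pointing the default gateway of every 192.168.1.0/24 host at the UTM's 192.168.1.3) and the "one computer only" firewall rule all come down to the same question: can the reply from 192.168.1.9 find a path back to 192.168.2.15? The following Python model is an added example written for this edit, not code from the thread or from Sophos. It walks a packet and its reply through the topology the posts describe (VM 192.168.2.15, UTM 192.168.2.1/192.168.1.3, modem/router 192.168.1.1, resource PC 192.168.1.9) under each option. The router's WAN addresses (203.0.113.0/30), the interface names, the second VM 192.168.2.16 and the `rules`/`masq` parameters are assumptions of the model, not UTM settings.

```python
"""Return-path model for the 192.168.2.0/24 -> 192.168.1.0/24 setup in this thread.
Addresses are the posts' (VM .2.15, UTM .2.1/.1.3, router .1.1, PC .1.9); the router's
WAN side 203.0.113.0/30, interface names and the rule format are assumptions of the model."""
import ipaddress as ipa


class Host:
    def __init__(self, name, ifaces, routes, masq=(), rules=None):
        self.name = name
        # iface -> (link, ip_interface); hosts sharing a link name sit on one segment
        self.ifaces = {n: (link, ipa.ip_interface(c)) for n, (link, c) in ifaces.items()}
        # (network, next hop or None when directly connected, outgoing iface)
        self.routes = [(ipa.ip_network(n), None if v is None else ipa.ip_address(v), i) for n, v, i in routes]
        self.masq = set(masq)   # interfaces that masquerade (source-NAT) forwarded traffic
        self.rules = rules      # None = no filtering, else allow list of (src_net, dst_net)
        self.conntrack = {}     # (nat src, dst) -> original src, used to un-NAT replies
        self.flows = set()      # (src, dst) pairs the firewall has already accepted

    def owns(self, addr):
        return any(i.ip == addr for _, i in self.ifaces.values())

    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r[0]]   # longest-prefix match
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def permits(self, src, dst):
        """Stateful allow: unfiltered host, reply to an accepted flow, or a matching rule."""
        if self.rules is None or (dst, src) in self.flows:
            return True
        if any(src in ipa.ip_network(s) and dst in ipa.ip_network(d) for s, d in self.rules):
            self.flows.add((src, dst))
            return True
        return False


def on_link(hosts, link, addr):
    return next((h for h in hosts.values() for l, i in h.ifaces.values() if l == link and i.ip == addr), None)


def send(hosts, cur, src, dst):
    """Forward one packet hop by hop; returns (path, src, dst) as seen at the last hop."""
    path = []
    for _ in range(8):
        if (dst, src) in cur.conntrack:               # reply to a masqueraded flow: restore dst
            dst = cur.conntrack[(dst, src)]
            path.append(f"{cur.name}:un-nat->{dst}")
        elif cur.owns(dst):
            path.append(f"{cur.name}:delivered")
            return path, src, dst
        if not cur.owns(src) and not cur.permits(src, dst):
            path.append(f"{cur.name}:firewall-drop")
            return path, src, dst
        r = cur.lookup(dst)
        if r is None:
            path.append(f"{cur.name}:no-route")
            return path, src, dst
        _, via, iface = r
        link, ifaddr = cur.ifaces[iface]
        if iface in cur.masq and not cur.owns(src):   # masquerade behind the egress address
            cur.conntrack[(ifaddr.ip, dst)] = src
            src = ifaddr.ip
        nxt = on_link(hosts, link, nh := dst if via is None else via)
        if nxt is None:                               # leaves the model, e.g. towards the ISP
            path.append(f"{cur.name}:out {iface} to {nh} (nobody on {link})")
            return path, src, dst
        path.append(f"{cur.name}->{nxt.name}")
        cur = nxt
    return path + ["ttl-exceeded"], src, dst


def round_trip(hosts, src, dst):
    """Send src->dst, then the reply. Returns (fwd path, reply path, ok, src seen by dst)."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    fwd, s, d = send(hosts, next(h for h in hosts.values() if h.owns(src)), src, dst)
    if not fwd[-1].endswith(":delivered"):
        return fwd, [], False, str(s)
    rev, _, _ = send(hosts, hosts[fwd[-1].split(":")[0]], d, s)
    return fwd, rev, rev[-1].endswith(":delivered"), str(s)


def build(router_route=False, masq=False, pc_gw="192.168.1.1", rules=None):
    """The thread's topology; each keyword argument is one of the options discussed in it."""
    lan2 = [("192.168.2.0/24", None, "e0"), ("0.0.0.0/0", "192.168.2.1", "e0")]
    router = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")]
    router += [("192.168.2.0/24", "192.168.1.3", "lan")] if router_route else []   # Bob's option 2
    return {
        "vm": Host("vm", {"e0": ("lan2", "192.168.2.15/24")}, lan2),
        "vm2": Host("vm2", {"e0": ("lan2", "192.168.2.16/24")}, lan2),  # one of the other VMs (assumed)
        "utm": Host("utm", {"int": ("lan2", "192.168.2.1/24"), "ext": ("lan1", "192.168.1.3/24")},
                    [("192.168.2.0/24", None, "int"), ("192.168.1.0/24", None, "ext"), ("0.0.0.0/0", "192.168.1.1", "ext")],
                    masq=("ext",) if masq else (), rules=rules),
        "router": Host("router", {"lan": ("lan1", "192.168.1.1/24"), "wan": ("wan", "203.0.113.2/30")}, router),
        "pc": Host("pc", {"e0": ("lan1", "192.168.1.9/24")}, [("192.168.1.0/24", None, "e0"), ("0.0.0.0/0", pc_gw, "e0")]),
    }


if __name__ == "__main__":   # compare the four options from the thread
    for kw in ({}, {"router_route": True}, {"masq": True}, {"pc_gw": "192.168.1.3"}):
        print(kw, round_trip(build(**kw), "192.168.2.15", "192.168.1.9"))
```

With no change at all the forward packet reaches 192.168.1.9, but the reply follows the PC's default route to the dumb modem/router, which has no entry for 192.168.2.0/24 and pushes it out its WAN side; that is the asymmetric return path behind the "it connects but nothing works" symptom. Each of Bob's three options makes `round_trip` succeed: the static route on the router, masquerading (the PC then sees the UTM's 192.168.1.3 as the source, which is why option 2 is preferable when the router allows it), or moving the PC's default gateway to 192.168.1.3. Passing `rules=[("192.168.2.15/32", "192.168.1.9/32")]` to the UTM shows the per-host firewall rule from the last suggestion: the named VM gets through and its reply is accepted as an established flow, while a second VM on the same segment is dropped at the UTM. A routed design like this also avoids PPTP altogether, whose MS-CHAPv2 authentication is known to be breakable, so it is the better choice on security grounds as well as the simpler one.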
  • I managed to create the firewall rule and get the connection :)

    Thank you very much, Bob :)
