1) I voted, and still wish for:
2) I set up an SNAT and also a DNAT rule on my "LocationA" Sophos UTM FW (9.5.x) to translate my VPN user to a static IP. Logging initial packets, I see this works, though the FW log at "LocationA" never shows my static IP, only the VPN Pool IP when I access devices behind the FW... which ties into...
LocationA has a Site2Site with LocationB. LocationB, explicitly for testing, only allows my static IP access to the WebAdmin (not my VPN Pool IP), and it fails. The live log at LocationB also only shows my VPN Pool IP (and its subsequent denial) when attempting to access WebAdmin (I see this through a separate connection/machine to WebAdmin at LocationB).
What'd I miss?
Show us the Edits of your NAT rules and confirm that none of the Host/Network objects violates #3 in Rulz. Also of the IPsec Connection and Remote Gateway in LocationA. Is the static IP in the subnet of the "VPN Pool (SSL)" object?
Cheers - Bob
In reply to BAlfson:
1) DNAT Rule:
2) SNAT Rule:
3) SSL Object:
4) The VPN Custom Pool: I lessened the pool range to NOT include my static IP above (to prevent conflicts, from what you educated me on in another post). So the netmask for all VPN users is 220.127.116.11/26.
5) The Site2Site IPsec VPN is passing 18.104.22.168/24 so as to include my static IP.
In reply to jaredscheringer:
Thanks, Jared - I know you described that, but I'm a visual-tactile and I would have had to create a diagram to understand what I see now.
I do this a little differently. I would put an Additional Address [Jared] on the Internal interface and make the following NAT rules:
SNAT : jscheringer (User Network) -> Any -> Any : from Internal [Jared] (Address)
DNAT : Any -> Any -> Internal [Jared] (Address) : to jscheringer (User Network)
This SNATs traffic from your remote session into the IPsec tunnel if the destination is in 'Remote Networks', so 'Strict Routing' must not be selected in the IPsec Connection.
Any better luck with that approach?
Tried your suggestion and it didn't pan out as is, then reverted to what I had and tried to fool around a bit, and it turns out that even with strict routing on (I like it) I could specify either my static IP or the whole VPN Pool itself across the IPsec Site2Site and it would work
as long as
I ticked the FRICKIN BOX in the SNAT rule that says "Rule Applies to IPSec packets".
So now I have it working my way, and your way just the same.
So we turn the page and I ask you to educate me on any benefits of putting the static IP as an additional address on the Internal vs just a network host object?
Thanks as always for the help and education :)
My suggestion is simpler if no unencrypted traffic is needed, Jared. If you need to have encrypted and unencrypted traffic between two endpoints, then your solution is the only way.
Cheers - Bob
PS Thanks for reminding folks to check the 'Rule Applies to IPSec packets' box.
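The failure mode the thread ends on (LocationB seeing the VPN pool address instead of the static IP until "Rule applies to IPsec packets" was ticked) is modelled below. This is an added illustration written for this thread, not code from Sophos or from either poster, and it is a model of the rule-matching behaviour the posts describe rather than the UTM's actual implementation. The addresses are constructed RFC 1918 examples, not the networks in the thread, and only the SNAT side is modelled (the DNAT rule for return traffic is left out).

```python
"""Model of a Sophos UTM-style SNAT rule evaluated against traffic that is
about to enter an IPsec site-to-site tunnel.

Added example for this thread, not Sophos or poster code.  Behaviour modelled
(as described in the thread): an SNAT rule that otherwise matches is skipped
for packets whose destination is in the IPsec connection's 'Remote Networks'
unless 'Rule applies to IPsec packets' is ticked.  All addresses are
constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class SnatRule:
    src: IPv4Network          # e.g. the user's "User Network" (their pool address)
    dst: IPv4Network          # destination match; "Any" is 0.0.0.0/0
    to: IPv4Address           # address the source is rewritten to (the static IP)
    applies_to_ipsec: bool    # the 'Rule applies to IPsec packets' checkbox


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def via_ipsec(pkt: Packet, remote_networks: list[IPv4Network]) -> bool:
    """True if the packet's destination falls in the IPsec 'Remote Networks'."""
    return any(pkt.dst in net for net in remote_networks)


def apply_snat(pkt: Packet, rules: list[SnatRule],
               remote_networks: list[IPv4Network]) -> Packet:
    """Return the packet as the far side will see it.  First matching rule wins."""
    tunnelled = via_ipsec(pkt, remote_networks)
    for rule in rules:
        if pkt.src not in rule.src or pkt.dst not in rule.dst:
            continue
        if tunnelled and not rule.applies_to_ipsec:
            # The rule matches, but packets heading into the tunnel are exempt
            # unless the box is ticked, so LocationB sees the pool address.
            continue
        return Packet(src=rule.to, dst=pkt.dst)
    return pkt


def locationb_sees(tick_ipsec_box: bool) -> str:
    """Source address LocationB logs for one WebAdmin connection attempt.

    Constructed topology: the user's SSL VPN pool address is 10.242.2.10, the
    static IP is 10.10.0.50 inside LocationA's 10.10.0.0/24 (the range carried
    over the tunnel), and LocationB's LAN 10.20.0.0/24 is the Remote Network.
    """
    user_network = ip_network("10.242.2.10/32")
    static_ip = ip_address("10.10.0.50")
    remote_networks = [ip_network("10.20.0.0/24")]
    rules = [SnatRule(src=user_network, dst=ip_network("0.0.0.0/0"),
                      to=static_ip, applies_to_ipsec=tick_ipsec_box)]
    pkt = Packet(src=ip_address("10.242.2.10"), dst=ip_address("10.20.0.1"))
    return str(apply_snat(pkt, rules, remote_networks).src)


if __name__ == "__main__":
    print("box unticked, LocationB sees:", locationb_sees(False))
    print("box ticked,   LocationB sees:", locationb_sees(True))
```

With the box unticked the far end logs the pool address 10.242.2.10 and a WebAdmin allow-list keyed on the static IP denies it; with the box ticked the same packet arrives from 10.10.0.50. Checking LocationB's live log for which of the two addresses appears, as Jared did, is the quickest way to tell the two states apart.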