SSL RemoteAccess Static IP Question (I know of the feature request)

1) I voted, and still wish for:

RemoteAccess: Static IP for SSL-VPN

https://ideas.sophos.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/178371-remoteaccess-static-ip-for-ssl-vpn?ref=title

2) I set up a SNAT and also a DNAT rule on my "LocationA" Sophos UTM FW (9.5.x) to translate my VPN user to a static IP. Logging initial packets, I see this works, though the FW log at "LocationA" never shows my static IP, only the VPN Pool IP when I access devices behind the FW... which ties into...

LocationA has a Site2Site with LocationB. LocationB, explicitly for testing, only allows my static IP access to the WebAdmin (not my VPN Pool IP), and it fails. The livelog at LocationB also only shows my VPN Pool IP (and its subsequent denial) when attempting to access WebAdmin (I see this through a separate connection/machine to WebAdmin at LocationB).

What'd I miss?

  • Hey Jared,

    Show us the Edits of your NAT rules and confirm that none of the Host/Network objects violates #3 in Rulz.  Also of the IPsec Connection and Remote Gateway in LocationA.  Is the static IP in the subnet of the "VPN Pool (SSL)" object?

    Cheers - Bob

  • In reply to BAlfson:

    1) DNAT Rule:

    2) SNAT Rule:

    3) SSL Object:

    4) The VPN Custom Pool: I lessened the pool range to NOT include my static IP above (to prevent conflicts from what you educated me on in another post). So the netmask for all VPN users is 9.168.171.0/26.

    5) The Site2Site IPsec VPN is passing 9.168.171.0/24 so as to include my static IP.

  • In reply to jaredscheringer:

    Thanks, Jared - I know you described that, but I'm a visual-tactile and I would have had to create a diagram to understand what I see now.

    I do this a little differently.  I would put an Additional Address [Jared] on the Internal interface and make the following NAT rules:

    SNAT : jscheringer (User Network) -> Any -> Any : from Internal [Jared] (Address)
    DNAT : Any -> Any -> Internal [Jared] (Address) : to jscheringer (User Network)

    This SNATs traffic from your remote session into the IPsec tunnel if the destination is in 'Remote Networks', so 'Strict Routing' must not be selected in the IPsec Connection.

    Any better luck with that approach?

    Cheers - Bob

  • In reply to BAlfson:

    Tried your suggestion and it didn't pan out as is, then reverted to what I had and tried to fool around a bit, and it turns out that even with strict routing on (I like it) I could specify either my static IP or the whole VPN Pool itself across the IPsec Site2Site and it would work

    as long as

    ...

    I ticked the FRICKIN BOX in the SNAT rule that says "Rule Applies to IPSec packets"

    So now I have it working my way, and your way just the same.

    So we turn the page and I ask you to educate me on any benefits of putting the static IP as an additional address on the Internal interface vs. just a network host object?

    Thanks as always for the help and education :)

  • In reply to jaredscheringer:

    My suggestion is simpler if no unencrypted traffic is needed, Jared.  If you need to have encrypted and unencrypted traffic between two endpoints, then your solution is the only way.

    Cheers - Bob
    PS Thanks for reminding folks to check the 'Rule Applies to IPSec packets' box.
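The three things this thread ended up checking (the static IP sits outside the trimmed VPN pool, the Site2Site traffic selector still covers it, and the SNAT rule is flagged to apply to IPsec packets) can be checked mechanically. This is an added example, not code from the thread or from Sophos; the static IP 9.168.171.100 and the rule-description format are constructed, since the screenshots of the actual rules are not on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values modelled on the thread: pool trimmed to /26, tunnel
# carrying the /24, and a static IP that must live in the gap between them.
VPN_POOL = ipaddress.ip_network("9.168.171.0/26")
IPSEC_LOCAL_NETS = [ipaddress.ip_network("9.168.171.0/24")]
STATIC_IP = ipaddress.ip_address("9.168.171.100")  # constructed placeholder


@dataclass
class SnatRule:
    source_net: ipaddress.IPv4Network   # the "User Network" of the VPN user
    translate_to: ipaddress.IPv4Address
    applies_to_ipsec: bool              # the "Rule applies to IPsec packets" box


def check_static_ip_layout(static_ip, pool, ipsec_nets):
    """Return a list of problems with where the static IP sits (empty = fine)."""
    problems = []
    if static_ip in pool:
        problems.append("static IP lies inside the VPN pool and can collide with a pool lease")
    if not any(static_ip in n for n in ipsec_nets):
        problems.append("static IP is not covered by the Site2Site local networks")
    return problems


def source_seen_by_remote_site(rule, packet_src, via_ipsec):
    """Source address LocationB would log for a packet from the VPN client.

    A SNAT rule that is not flagged for IPsec is skipped for packets that
    will enter the tunnel, so the remote site sees the untranslated pool IP.
    """
    packet_src = ipaddress.ip_address(packet_src)
    if packet_src not in rule.source_net:
        return packet_src
    if via_ipsec and not rule.applies_to_ipsec:
        return packet_src
    return rule.translate_to


if __name__ == "__main__":
    print(check_static_ip_layout(STATIC_IP, VPN_POOL, IPSEC_LOCAL_NETS))
    unticked = SnatRule(VPN_POOL, STATIC_IP, applies_to_ipsec=False)
    ticked = SnatRule(VPN_POOL, STATIC_IP, applies_to_ipsec=True)
    print(source_seen_by_remote_site(unticked, "9.168.171.10", via_ipsec=True))
    print(source_seen_by_remote_site(ticked, "9.168.171.10", via_ipsec=True))
```

With the box unticked the remote site logs the pool address and its allow rule for the static IP never matches, which is exactly the denial seen in the LocationB livelog.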