
Cannot get SSL Remote access working properly

I have a very basic setup: Some of our employees use VPN to access our network from outside. For this I've set up SSL VPN as follows:

I have added our domain controller (under Authentication Services > Servers) and added an OU from Active Directory that is allowed to use VPN (no problem here, I just synced the OU again and it fetched new users):

I have then created a remote access profile with the OU as users and our internal network as local network:

Here are the SSL VPN settings, nothing here should be a problem though since I can connect and get an IP from the SSL VPN Pool:

Here's the automatically created firewall rule from the remote access profile:

I've added a Masquerading rule as well but that shouldn't be necessary to access local resources:

Now my problem: I can connect just fine and get assigned a correct IP address but I cannot access anything. Tried http, rdp, icmp, etc with local resources. I'm completely isolated from the network.

The only way I can make this work and access my network is by adding an SNAT rule that translates the SSL VPN traffic source to the internal IP address of my UTM. Notice how I'm using the SSL VPN IP pool and not the user group network (it didn't work with that):



  • Hi,

    looks Ok.

    Is the SG the default gateway (or only gateway) for the devices you try to reach? Are there other routes on the devices?

    Check the destination device's routing table ... sometimes old routers (mostly with proxyarp enabled) inject incorrect gateways.

    Try to ping / traceroute a device connected via SSL-VPN from a LAN device. (Post the result if possible.)

    BTW: If you masquerade to "external", the traffic leaving the SG through the "internal" network isn't masqueraded.

    I would use from "ssl-vpn-pool" to interface "internal".

    ... but only if really necessary ...

    It seems your devices don't have a route back to the IP range "ssl-vpn-pool". So double-check possible routes from the device's point of view.

    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
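A small check in the spirit of Dirk's advice, added here as an illustration and not code from the thread: given a LAN host's routing table, it works out which gateway replies to the SSL VPN pool would use, and shows how a more specific static route toward the UTM changes the result. The pool range (10.242.2.0/24), the UTM "internal" address (192.168.1.254), the old router (192.168.1.1) and the routing table are constructed assumptions.

```python
import ipaddress

# Constructed routing table of a LAN host (not taken from the thread): the UTM/SG is
# 192.168.1.254, but the host's default gateway is an older router at 192.168.1.1.
LAN_HOST_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),   # default route via the old router
    ("192.168.1.0/24", None),       # directly connected LAN, no gateway
]
SSL_VPN_POOL = ipaddress.ip_network("10.242.2.0/24")  # assumed SSL VPN pool range
UTM_INTERNAL_IP = "192.168.1.254"                      # assumed UTM "internal" address


def next_hop(routes, dst):
    """Longest-prefix match: return the gateway a host would use for dst
    (None means the destination is on a directly connected network)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def vpn_return_path_ok(routes, pool=SSL_VPN_POOL, utm=UTM_INTERNAL_IP):
    """True if replies to a client in the SSL VPN pool leave via the UTM.
    This is the condition the reply above asks the poster to verify."""
    probe = str(pool[1])  # one client address out of the pool
    return next_hop(routes, probe) == utm


def add_return_route(routes, pool=SSL_VPN_POOL, utm=UTM_INTERNAL_IP):
    """Fix on the device side: a static route for the pool pointing at the UTM.
    It is more specific than the default route, so it wins the prefix match."""
    return routes + [(str(pool), utm)]


if __name__ == "__main__":
    # Reply to a VPN client is sent to the old router, which may drop or misroute it.
    print("before:", next_hop(LAN_HOST_ROUTES, "10.242.2.5"))   # 192.168.1.1
    fixed = add_return_route(LAN_HOST_ROUTES)
    print("after: ", next_hop(fixed, "10.242.2.5"))             # 192.168.1.254
```

The same asymmetry explains why an SNAT rule to the UTM's internal address "worked": it hides the pool behind an address the device already has a route for.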

  • Never mind. Tested some more, suddenly it wasn't working even with the SNAT rule. Restarted my testing workstation and it works as expected without the SNAT rule...

    Update on this: I continued to have problems until I switched my router to bridge mode and let the UTM do PPPoE so clients directly hit the UTM from WAN. No problems since.
