I've been bashing my head against this issue for a few days and finally need to ask for some help. I have a network created in AWS which uses a Sophos UTM for all connections into the VPC. I'm not using the AWS VPN Tunnel for VPC.
The Sophos is connected to our SonicWall in the HQ using a Site-To-Site IPSec tunnel and all connections are up on both sides. Traffic is flowing no problem. The issue occurs when I try to send RADIUS authentication traffic from the HQ to the VPC in AWS through Sophos. I cannot see any traffic on the Sophos side.
I created a SNAT rule on the Sophos. The Firewall Logs show the traffic hit the Firewall. But still no traffic hitting the Server through Sophos.
Note: If I connect the AWS tunnel to my firewall in the HQ the RADIUS traffic works... it's only when going through the Sophos.
Hi, Mike, and welcome to the UTM Community!
I can't "see" your topology behind the UTM. I assume that the UTM is at the edge of your VPC, or??? In any case, I can't imagine that your SNAT works - what had you intended to do with it?
Cheers - Bob
In reply to BAlfson:
Yes, that's correct, it is at the edge. All traffic is being pushed to the Sophos appliance. The SNAT doesn't seem to work, no... this is what I found on the forums here to try and fix the problem. That didn't fix the issue so I'm seeking additional help on the problem :). I was trying to make sure that RADIUS traffic actually made it to the RADIUS server over the IPSec tunnel.
In reply to Mike Siconolfi:
I'm fairly certain you just want to delete the SNAT rule, but show us a line from the full Firewall log file corresponding to one in your opening post. Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.
Instead of totally hiding IPs, just obfuscate them enough to stay safe but in a way that lets us understand what we're seeing. 10.x.y.31 instead of 10.10.10.31. 192.168.x.31, 96.x.y.102, etc.
Thanks for the quick reply. I was able to pull a line from the full logs corresponding to the unit sending access requests to the Radius:
2017:03:20-12:12:47 montreal ulogd: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="eth1" mark="0x318d" app="397" srcmac="02:aa:29:b2:74:cf" srcip="10.x.x.59" dstip="10.y.y.245" proto="17" length="344" tos="0x00" prec="0x00" ttl="61" srcport="43518" dstport="1812"
SRC: 10.x.x.59 is where the request is coming from over the VPN IPSec Tunnel and 10.y.y.245 is the radius behind Sophos. I also removed the SNAT rule as well.
I'm not sure if this is what you're looking for? Thanks
Removing the SNAT was definitely the right thing. Please insert a picture of the rule that you believe allows this traffic.
Cheers - Bob
PS Montreal, eh. Are you sure that other device even wants to speak English with yours?
These are the rules I believe allow the traffic over the IPSec:
(The External network is the public subnet in the AWS VPC. An elastic IP is assigned to the local IP of the External Interface)
I hope they speak English to each other :p
The fact that you're not showing a block of the RADIUS traffic indicates there's a routing problem. Please show a picture of the Edit of "BC HQ Internal" with 'Advanced' open.
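The reasoning above (a RADIUS packet that is allowed but never dropped means the packet filter is not the problem) can be applied mechanically to the full Firewall log. The script below is an added example, not code from the thread or from Sophos: it parses the ulogd key="value" format shown in the log line earlier in the thread, counts RADIUS flows per action/rule/interface, and reports which way the diagnosis points. The sample log lines, addresses and rule numbers are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the UTM ulogd packetfilter layout used in this thread
# (addresses, rule numbers and the dropped SSH line are made up for this example).
SAMPLE_LOG = """\
2017:03:20-12:12:47 montreal ulogd: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="eth1" srcip="10.0.0.59" dstip="10.100.0.245" proto="17" length="344" ttl="61" srcport="43518" dstport="1812"
2017:03:20-12:12:49 montreal ulogd: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" outitf="eth1" srcip="10.0.0.59" dstip="10.100.0.245" proto="17" length="344" ttl="61" srcport="43519" dstport="1812"
2017:03:20-12:12:50 montreal ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.0.0.77" dstip="10.100.0.245" proto="6" length="60" ttl="61" srcport="51000" dstport="22"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
RADIUS_PORTS = {"1812", "1813"}  # RADIUS authentication and accounting

def parse_line(line):
    """Split one ulogd line into its timestamp/host prefix and a dict of key="value" fields."""
    head, _, body = line.partition(" ulogd: ")
    fields = dict(KV_RE.findall(body))
    fields["_ts"], _, fields["_host"] = head.partition(" ")
    return fields

def radius_flows(log_text):
    """Count RADIUS (UDP to 1812/1813) packets per (src, dst, dport, action, fwrule, interface)."""
    flows = Counter()
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f.get("proto") != "17" or f.get("dstport") not in RADIUS_PORTS:
            continue
        iface = f.get("outitf") or f.get("initf") or "?"
        flows[(f.get("srcip"), f.get("dstip"), f["dstport"], f.get("action"), f.get("fwrule"), iface)] += 1
    return flows

def diagnose(flows):
    """A drop points at a firewall rule; allow-only (or nothing at all) points at routing/the tunnel."""
    if not flows:
        return "no RADIUS packets reached the packet filter: check the IPsec tunnel with espdump"
    dropped = sorted({k[4] for k in flows if k[3] == "drop"})
    if dropped:
        return "RADIUS dropped by fwrule " + ",".join(dropped) + ": fix the firewall rule"
    return "RADIUS allowed (no drops logged): the UTM is not blocking it, look at routing with tcpdump/espdump"

if __name__ == "__main__":
    fl = radius_flows(SAMPLE_LOG)
    for key, n in sorted(fl.items()):
        print(n, key)
    print(diagnose(fl))
```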
Sorry but can you elaborate on that? Not sure what to give you a screenshot of?
The Network definition in the last picture you included, Mike.
Are you certain that that doesn't overlap with "Internal (Network)," Mike?
No, they don't. The network internal is 10.0.x.x and the VPC is 10.100.x.x. As mentioned earlier, traffic is flowing between both networks and connectivity is good. The only thing that stopped working when I introduced the Sophos was the RADIUS authentication traffic. This is where I'm stumped at the moment.
It has to be a routing problem, Mike, so I think you're stuck with using tcpdump and espdump.
To use espdump, you first need to know the REF of the IPsec Connection object. Say the name assigned to it was "Home Office." Run the following as root at the command line
cc get_object_by_name 'ipsec_connection' 'site_to_site' 'Home Office'|grep 'ref'
If that returns REF_IpsSitHomeOffice, watch traffic in the tunnel with:
espdump -n --conn REF_IpsSitHomeOffice -vv