
SSL VPN routing problem

For logistic reasons I have configured TWO DISTINCT Sophos UTM on my company:

SOPHOS UTM1 (servers):

- Internal network 172.16.11.111 (internet DNS server, File server, etc.)

- DMZ1 (Internet authoritative DNS servers)

- DMZ2 (FTP servers)

- DMZ3 (DB servers)

- External network (Internet - Full asymmetrical fixed-IP link)


SOPHOS UTM2 (clients):

- Internal network 172.16.11.112 (clients connection)

- External network (Internet - normal VDSL connection)

Servers Gateway: 172.16.11.111 (UTM1 Full Link internet connection)
Clients Gateway: 172.16.11.112 (UTM2 VDSL internet connection)

All servers and clients - with the exception of the servers in the DMZ - are configured with the same subnet and are physically connected to the same network.

The only difference is that the Gateway on the servers is configured to use the features and Internet access of the UTM1, while the Gateway on the clients is configured to use the features and Internet access of the UTM2.

Same internal DNS server.

All remote connections from the outside are made on the UTM1 (via fixed-IPs).

I configured a remote SSL VPN connection to the UTM1.
I am able to work remotely on all servers ... whether on the internal network or the DMZ.
But...
I'm not even able to "see" the clients (on the internal network) or the UTM2... no ping .... no remote connection ... nothing.
Summing up...
I can connect to and work on all machines that are configured with the Gateway pointing to UTM1.
I cannot even see, connect to, or work on machines that are configured with the Gateway pointing to UTM2.
Even if the machines are physically connected to the same switches and on the same network.
I can ping 172.16.11.111 (UTM1) but I cannot ping 172.16.11.112 (UTM2) ... for example.

Any idea? I cannot see which setting is missing ....



  • "I can not even see, connect, or work on machines that are configured with Gateway pointing to UTM2."

    This is just the way IP networking works, Omar.  When you ping or connect to one of the clients, the source IP is in "VPN Pool (SSL)" which is not in the same subnet as the client, so it sends the response to the default gateway - UTM2.  UTM2 doesn't have any idea what to do with the packet, so it's just dropped.  You probably can find these drops in the Firewall log of UTM2.

    There's more than one way to solve this problem (in order of my personal preferences with 1 as my personal choice):

    1. Configure everything on UTM1 and eliminate UTM2.
    2. Change "VPN Pool (SSL)" on UTM1 to 10.242.22.0/24.  Add to UTM2 a Static Gateway Route '10.242.22.0/24 -> 172.16.11.111'.
    3. If you're the only SSL VPN client that accesses UTM1, make a NAT rule like 'SNAT : VPN Pool (SSL) -> {Ping & other Services} -> Internal (Network) : from Internal (Address)'.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
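To make the asymmetric-routing explanation in Bob's answer concrete, here is an added toy simulation (constructed for this thread, not Sophos code and not anything either poster ran). It models the hosts and both UTMs as longest-prefix-match forwarding tables with a simple per-device rule list, then traces the VPN client's request and the LAN host's reply. The addresses taken from the thread are the 172.16.11.0/24 LAN, UTM1 at .111, UTM2 at .112 and Bob's suggested pool 10.242.22.0/24; the host addresses, the WAN addresses (TEST-NET ranges), the tunnel address 10.242.22.1 and the rule set are assumptions made for the demo. The `fixed` flag toggles option 2 (static route on UTM2) together with the firewall rule Omar describes adding in his follow-up; option 3 (SNAT) is not simulated.

```python
"""Toy routing simulation of the two-UTM setup from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

IP = ipaddress.IPv4Address
LAN = ipaddress.ip_network("172.16.11.0/24")   # flat LAN shared by servers and clients
POOL = ipaddress.ip_network("10.242.22.0/24")  # "VPN Pool (SSL)" on UTM1, per Bob's option 2
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address, or None for a directly connected network
    iface: str


@dataclass
class Node:
    name: str
    addresses: List[str]
    routes: List[Route]
    # Forwarding rules (src, dst) -> bool; None means a plain host that filters nothing.
    allow: Optional[List[Callable[[IP, IP], bool]]] = None
    log: List[str] = field(default_factory=list)

    def lookup(self, dst: IP) -> Optional[Route]:
        """Longest-prefix match: the most specific route wins, the default route last."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def permits(self, src: IP, dst: IP) -> bool:
        return self.allow is None or any(rule(src, dst) for rule in self.allow)


def pair(src_net, dst_net):
    return lambda s, d: s in src_net and d in dst_net


def to_internet(src_net):
    # A typical "Internal -> Internet" rule: public destinations only (assumed for UTM2).
    return lambda s, d: s in src_net and not d.is_private


def trace(src: str, dst: str, start: Node, nodes: List[Node], max_hops: int = 8) -> List[str]:
    """Walk one packet hop by hop; the last element says how the trip ended."""
    s, d = IP(src), IP(dst)
    by_ip = {a: n for n in nodes for a in n.addresses}
    node, path = start, [start.name]
    for _ in range(max_hops):
        if str(d) in node.addresses:
            return path + ["DELIVERED"]
        if node is not start and not node.permits(s, d):
            node.log.append(f"DROP {s} -> {d}: no matching rule")   # what the Firewall log shows
            return path + [f"DROPPED@{node.name}"]
        route = node.lookup(d)
        if route is None:
            node.log.append(f"DROP {s} -> {d}: no route")
            return path + [f"DROPPED@{node.name}"]
        nxt = by_ip.get(str(d) if route.via is None else route.via)
        if nxt is None:   # next hop is outside the simulated devices (e.g. the ISP)
            return path + [f"LEFT@{node.name}:{route.iface}"]
        node = nxt
        path.append(node.name)
    return path + ["LOOP"]


def build(fixed: bool) -> Dict[str, Node]:
    """Topology from the thread; `fixed` adds Bob's static route plus Omar's firewall rule."""
    utm2_routes = [Route(LAN, None, "eth0"), Route(ANY, "203.0.113.1", "vdsl")]
    utm2_rules = [to_internet(LAN)]
    if fixed:
        utm2_routes.append(Route(POOL, "172.16.11.111", "eth0"))  # Static Gateway Route
        utm2_rules.append(pair(LAN, POOL))                         # Internal -> SSL VPN range
    return {
        "vpn_client": Node("vpn_client", ["10.242.22.5"],
                           [Route(POOL, None, "tun0"), Route(ANY, "10.242.22.1", "tun0")]),
        "utm1": Node("utm1", ["172.16.11.111", "10.242.22.1", "198.51.100.10"],
                     [Route(LAN, None, "eth0"), Route(POOL, None, "tun0"),
                      Route(ANY, "198.51.100.1", "wan")],
                     allow=[pair(POOL, LAN), pair(LAN, POOL)]),   # SSL VPN access, both ways
        "utm2": Node("utm2", ["172.16.11.112", "203.0.113.20"], utm2_routes, allow=utm2_rules),
        "server": Node("server", ["172.16.11.20"],              # default gateway = UTM1
                       [Route(LAN, None, "eth0"), Route(ANY, "172.16.11.111", "eth0")]),
        "pc": Node("pc", ["172.16.11.50"],                      # default gateway = UTM2
                   [Route(LAN, None, "eth0"), Route(ANY, "172.16.11.112", "eth0")]),
    }


def run(fixed: bool) -> Dict[str, List[str]]:
    n = build(fixed)
    nodes = list(n.values())
    return {
        "vpn->pc": trace("10.242.22.5", "172.16.11.50", n["vpn_client"], nodes),
        "pc->vpn": trace("172.16.11.50", "10.242.22.5", n["pc"], nodes),
        "server->vpn": trace("172.16.11.20", "10.242.22.5", n["server"], nodes),
        "utm2_log": n["utm2"].log,   # read after the traces above have run
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("with static route on UTM2" if fixed else "as originally configured")
        for key, value in run(fixed).items():
            print(f"  {key:12} {value}")
```

The request from the VPN client reaches the PC in both runs, because UTM1 owns the LAN and the pool. The reply is what differs: the PC sends it to its default gateway UTM2, which in the original configuration has no rule and no specific route for 10.242.22.0/24 and drops it, while the server (gateway UTM1) answers fine. With the static route and the accompanying rule, UTM2 hands the reply back to UTM1, which delivers it over the tunnel.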
  • Sometimes we are looking for complex solutions where, in reality, the solution is very simple and under our eyes.
    Many thanks for the quick response.

    For now I configured the static route on UTM2 and created a firewall policy by opening Internal traffic for the SSL VPN address range.

    I will next study the possibility of eliminating UTM2.

    Thanks again for the tip.