Basic VPN question

In https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/53527, mrainey posed a question about doing:

[home client] -> (SSL Remote Access) -> [ASG220] -> (IPsec Site-to-Site) -> [ASG120] -> [Terminal Server]


He was unable to accomplish this without:
  • adding the 'VPN Pool (SSL)' to 'Local networks' for the 'IPsec Connection' on the ASG220
  • creating a network definition on the 120 (SSL Pool on the 220) and adding it to 'Remote networks' for the 'Remote gateway' in the 120.

This makes it appear like he needs to allow the internal network of the 120 to access the 'VPN Pool (SSL)' on the 220.   Is that an idiosyncrasy of Terminal Server, or is there a flaw in my understanding?*

Thanks - Bob
*OK, OK, I know there are lots of flaws. [:D]


  • Right, that also works without strict routing.  With strict routing the SNAT approach recommended in the KB article doesn't work.  Thanks, I've modified the post again.

    I wonder - instead of a SNAT in Site A, would a gateway route in the resource at Site B, '[VPN Pool for Site A]->[Internal (Address) of Site A]', work?  Would strict routing need to be disabled for that to work?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob!

    Sorry to kinda reopen on you 8 years later - just in case someone reads this like I did.

    If your Site-to-Site is trusted and/or you would like to do fine-grained access control, please don't do any kind of NAT.

    As Bob suggested, you can do a Route - and please do so!

     

    Regards 

    Maximilian S.

  • Hi, Similian, and welcome to the UTM Community!  Great nickname!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
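
A simplified model of the setup discussed in this thread, as an added example that is not part of the original posts: a policy-based IPsec tunnel only carries packets whose source and destination fall inside its configured local/remote networks, and the remote-access client arrives with a source address from the SSL pool. All addresses and function names are constructed for illustration; real gateways also negotiate these selectors with each other, which the model leaves out.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not taken from the thread).
SITE_A_LAN = ip_network("192.168.10.0/24")  # internal network behind the ASG220
SITE_B_LAN = ip_network("192.168.20.0/24")  # internal network behind the ASG120
SSL_POOL = ip_network("10.242.2.0/24")      # 'VPN Pool (SSL)' on the ASG220

def selected(src, dst, local_nets, remote_nets):
    """True if a packet src->dst matches a (local, remote) selector pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in local_nets) and any(d in n for n in remote_nets)

def round_trip(client_src, server, a_local, b_remote):
    """Evaluate both directions of one connection.

    a_local  -- 'Local networks' of the IPsec connection on the ASG220
    b_remote -- 'Remote networks' of the remote gateway on the ASG120
    Returns (request enters tunnel at A, reply enters tunnel at B).
    """
    request = selected(client_src, server, a_local, [SITE_B_LAN])
    reply = selected(server, client_src, [SITE_B_LAN], b_remote)
    return request, reply

CLIENT = "10.242.2.6"        # address handed to the home client from the SSL pool
TERMINAL_SRV = "192.168.20.50"
ASG220_INTERNAL = "192.168.10.1"

def scenarios():
    return {
        # Plain site-to-site: the pool is unknown to both gateways.
        "lan_only": round_trip(CLIENT, TERMINAL_SRV, [SITE_A_LAN], [SITE_A_LAN]),
        # Pool added on the ASG220 only: request goes out, reply has no policy.
        "pool_on_220": round_trip(CLIENT, TERMINAL_SRV,
                                  [SITE_A_LAN, SSL_POOL], [SITE_A_LAN]),
        # Both changes from the first post.
        "pool_on_both": round_trip(CLIENT, TERMINAL_SRV,
                                   [SITE_A_LAN, SSL_POOL], [SITE_A_LAN, SSL_POOL]),
        # SNAT at Site A: the server sees the ASG220's internal address instead.
        "snat_at_a": round_trip(ASG220_INTERNAL, TERMINAL_SRV,
                                [SITE_A_LAN], [SITE_A_LAN]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13} request={result[0]} reply={result[1]}")
```

In the SNAT case the ASG120 can no longer tell remote-access clients apart from the ASG220 itself, which is the loss of fine-grained control the later reply refers to.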