
Can you keep the same IP when remoting into network?

OK, so we have some software on the network that licences users by IP address. When a laptop is taken out of the office and uses a remote connection to dial in (either by using a RED or by Sophos SSL VPN client) they are obviously assigned a different address based on the pool assigned to that remote connection.

This requires two licences for the same laptop because it connects to the software server using two different IPs.

Is there a way to assign them the same IP as they get from inside the building without creating fundamental networking issues? Maybe spoofing the IP?



  • Hello kieranfame,

    You could bridge your RED device to your LAN, that would be the easiest method by physically extending your LAN to the remote site.

    For the SSL VPN you could NAT the SSL VPN pool to the internal address to masquerade as the internal interface address but that may have unforeseen consequences.

    Let me know how that goes and I can replicate it on my UTM and poke around with methods to do that. This seems like a cool problem to solve but totally possible.

    Trevor

  • Many thanks for the reply.

    I have considered bridging the RED network. The problem with that is it would send all the data down the tunnel unless static routes are put on the remote side's router. Not impossible, just awkward. And it would limit the remote working to known networks with REDs.

    Using NAT masquerading sounds more like it. Can you explain the working theory a little more?

    I have created a NAT Masq from VPN SSL pool to Internal network, but I can't see how I could specify the IP address used. Which I think means that the IP will either be seen by the software server as one from the VPN pool or at best, the gateway for the Internal network. Either way I couldn't specify the same IP from inside the network.

  • This would make all your remote clients appear as if they have the UTM's IP address to clients on the LAN. Would that work with your software or do the clients need different IP addresses?

    If you need different addresses you would need a 1:1 NAT between the VPN pool and the LAN network.

  • Have you discussed options with your vendor? Licensing by static IP is very odd. It is too easy to defeat and too cumbersome for most environments where DHCP is normal or laptops are mobile.

    But given that this is their model, they may consider your efforts to border on piracy.

  • Thanks again for the replies.

    I'm ok with the licencing issues, the vendor suggests either remote desktop or purchasing another licence. The system only allows a set number of IPs to connect concurrently and I'm not trying to connect any more than I pay for.

  • Thanks.

    I think I would struggle with using the UTM's address, it would make using the same laptop from within the network awkward and would only allow 1 remote worker at a time I think.

    I will investigate the 1:1 NAT option first. Will this allow more than 1 remote worker?

    If the local Internal network IP is NAT'd in this way will the system allow me to use the same IP when the laptop is in the office? (The UTM currently assigns the laptop the same IP based on its MAC address.)

    What are the wider implications for remote workers when they are connected in this way?

  • The RED is a separate issue and you may want to ask laptop users to come in via VPN when not in the office if you can't assign static IPs behind the RED.

    With the VPN, you can use NAT, but I wouldn't try masquerading or 1:1.  Instead, take advantage of the fact that "John (User Network)" is populated when user "John" connects via VPN and use an SNAT for each laptop as follows:

    SNAT : John (User Network) -> {ports} -> {Host for server} : from {Host for John's laptop}

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Many thanks for the help.

    I'm a little stuck by the ports bit in your explanation. Are you defining the ports for security or because they are necessary for it to work?

    In this case, remote workers need access to the whole network called 'Internal' and not just access to the software server. Does that mean that defining the ports is not necessary?

    For traffic from: I used the 'John (User Network)'

    Ports: I left at any

    Going to: I used 'Internal Network'

    Change the source to: I created a host for 'John's Laptop' (with the IP I want on the Internal Network, using John's laptop MAC address, interface: Any)

    Is this correct?

  • In my suggestion above, "John (User Network)" is the object populated with the assigned IP in "VPN Pool (SSL)" when user "John" logs into the SSL VPN. "{ports}" is whatever ones must be allowed to reach the licensing server. "{Host for Server}" is the Host definition that contains the internal IP of the licensing server. "{Host for John's laptop}" is the Host used by DHCP to assign a static IP to John's laptop when he's in the office.

    For this to work, the licensing server must not be in the same subnet as the static IP assigned to John's laptop when he's in the office - the licensing server must be in a DMZ outside "Internal (Network)."

    The SNAT is just for the server counting IPs, not for any entire subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ah I see.

    When John dials in from home, he needs both access to the Internal network and the software server that authenticates users by IP.

    Unfortunately, I can't touch the software server as it's under maintenance and I really don't want to re-address the Internal Network because it's probably over 100 clients.

    Does that scupper this idea?

    The software server has a list of IPs that it will authenticate:

    192.168.10.3
    192.168.10.4
    192.168.10.5
    192.168.2.2 (from VPN pool)

    The server resides at 192.168.10.100

    The Sophos DHCP server assigns laptops the same IP by MAC address, everything else is on static IPs
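As an added illustration (not code from the thread or from Sophos), here is a small Python model of Bob's per-laptop SNAT rule using the addresses the original poster listed; the DMZ server address and subnet are constructed for the comparison. It shows which source address the licensing server sees and why Bob insists the server sit outside the laptop's office subnet: a host answers an address in its own subnet directly on the LAN, so with the laptop actually remote that reply never comes back through the UTM and the translation is never reversed.

```python
import ipaddress

# Addresses quoted in the thread; the DMZ address and subnet are constructed placeholders.
VPN_POOL_IP = "192.168.2.2"        # "John (User Network)" once John is on the SSL VPN
JOHN_OFFICE_IP = "192.168.10.3"    # "Host for John's laptop" (DHCP static lease by MAC)
SERVER_IN_LAN = "192.168.10.100"   # licensing server as it sits today, inside 'Internal'
SERVER_IN_DMZ = "192.168.50.100"   # constructed: the same server moved to a DMZ subnet
LICENSED_IPS = {"192.168.10.3", "192.168.10.4", "192.168.10.5"}  # office addresses only

# Bob's rule shape: SNAT : John (User Network) -> {ports} -> {Host for server} : from {Host for John's laptop}
# One rule per laptop; ports left at 'any' as in the original poster's attempt.
SNAT_RULES = [
    {"src": VPN_POOL_IP, "dst": SERVER_IN_LAN, "new_src": JOHN_OFFICE_IP},
    {"src": VPN_POOL_IP, "dst": SERVER_IN_DMZ, "new_src": JOHN_OFFICE_IP},
]

def apply_snat(src, dst):
    """Source address the destination sees after the UTM has applied the SNAT rules."""
    for rule in SNAT_RULES:
        if rule["src"] == src and rule["dst"] == dst:
            return rule["new_src"]
    return src  # everything else on 'Internal' still sees the VPN pool address

def reply_reaches_utm(server_subnet, seen_src):
    """True if the server routes its reply via its gateway (the UTM).

    Hosts deliver directly (ARP on the wire) to addresses inside their own subnet;
    the laptop is remote, so such a direct reply is never answered and the SNAT is
    never reversed. Addresses outside the subnet go to the gateway, i.e. the UTM."""
    return ipaddress.ip_address(seen_src) not in ipaddress.ip_network(server_subnet)

def vpn_session(server_ip, server_subnet):
    """Outcome for John on the VPN: (address the server sees, licensed?, reply returns via UTM?)."""
    seen_src = apply_snat(VPN_POOL_IP, server_ip)
    return seen_src, seen_src in LICENSED_IPS, reply_reaches_utm(server_subnet, seen_src)

if __name__ == "__main__":
    print("server in Internal:", vpn_session(SERVER_IN_LAN, "192.168.10.0/24"))
    print("server in DMZ:     ", vpn_session(SERVER_IN_DMZ, "192.168.50.0/24"))
```

With the server left in 192.168.10.0/24 the licence check passes but the session never completes; moved to a DMZ subnet, the same single office address serves John both in the office and on the VPN, so the 192.168.2.2 entry on the server is no longer needed.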