Can you keep the same IP when remoting into network?

OK, so we have some software on the network that licenses users by IP address. When a laptop is taken out of the office and uses a remote connection to dial in (either by using a RED or by the Sophos SSL VPN client) it is obviously assigned a different address based on the pool assigned to that remote connection.

This requires two licences for the same laptop because it connects to the software server using two different IPs.

Is there a way to assign them the same IP as they get from inside the building without creating fundamental networking issues? Maybe spoofing the IP?



  • Hello kieranfame,

    You could bridge your RED device to your LAN; that would be the easiest method, by physically extending your LAN to the remote site.

    For the SSL VPN you could NAT the SSL VPN pool to the internal address to masquerade as the internal interface address, but that may have unforeseen consequences.

    Let me know how that goes and I can replicate it on my UTM and poke around with methods to do that. This seems like a cool problem to solve, and totally possible.

    Trevor

  • Many thanks for the reply.

    I have considered bridging the RED network. The problem with that is it would send all the data down the tunnel unless static routes are put on the remote side's router. Not impossible, just awkward. And it would limit the remote working to known networks with REDs.

    Using NAT masquerading sounds more like it. Can you explain the working theory a little more?

    I have created a NAT Masq from VPN SSL pool to Internal network, but I can't see how I could specify the IP address used. Which I think means that the IP will either be seen by the software server as one from the VPN pool or at best, the gateway for the Internal network. Either way I couldn't specify the same IP from inside the network.

  • Ah I see.

    When John dials in from home, he needs both access to the Internal network and the software server that authenticates users by IP.

    Unfortunately, I can't touch the software server as it's under maintenance and I really don't want to re-address the Internal network because it's probably over 100 clients.

    Does that scupper this idea?

    The software server has a list of IPs that it will authenticate:

    192.168.10.3

    192.168.10.4

    192.168.10.5

    192.168.2.2 (from VPN pool)

    The server resides at 192.168.10.100.

    The Sophos DHCP server assigns laptops the same IP by MAC address; everything else is on static IPs.

  • If it helps...

    If you have Active Directory and a domain, your VPN users can authenticate against RADIUS and get an IP assigned by their dial-in profile. I can supply more details if required...

  • In that case, I would use a single NAT rule:

    SNAT :  VPN Pool (SSL) -> {port(s)} -> {192.168.10.100} : from {192.168.2.2}

    Depending on the way the server works, that may limit you to having a single laptop talking to the server when connected via SSL VPN.  It would be safer to use an IP that's neither in "VPN Pool (SSL)" nor in "Internal (Network)" instead of 192.168.2.2.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for this tip, in this case there is no domain. I know, it's a weird system isn't it.

  • I just realised there may be some ambiguity in my responses, so just to make it clear.

    Whilst I am fixed to a certain number of IPs, I can change what these are.
    So I can either register the IP that John's laptop is assigned when remote (192.168.2.2)
    or I can register the IP that John's laptop is assigned when local on the Internal network (192.168.10.7).
    I could in theory register both, but this would double the cost of licensing all laptops.

    Does this change your advice?
    Given the above, would this work?

    SNAT :  Johns laptop (User network) -> {ports(any)} -> {192.168.10.100} : from source{192.168.10.7}

    Sticking to the example above, I would then deregister the 192.168.2.2 IP and register 192.168.10.7,
    so that when John remotes in
    he gets assigned 192.168.2.2, and the software server (192.168.10.100) sees traffic from John as being from his local IP 192.168.10.7.
    And when remote, John can still use printers etc. on the 192.168.10.0 subnet.

    Thanks for sticking with me on this, I'm sure I'm being a bit thick on this one.

  • This is tricky stuff - it is difficult to keep all of the details in your head.

    Remember that you can't assign a fixed IP for an SSL VPN Remote Access user.  Also, you're getting confused between the "John (User Network)" object (created by WebAdmin when you define the user "John") that is populated with a VPN Pool IP and the unrelated "John's Laptop" Host object that DHCP uses to assign his laptop an IP when he's in the office behind the UTM.

    If you have more than just John with a laptop that travels, I think we're down to the following for each user & laptop.  It would take too long to explain "why" I'm recommending this, so you'll just need to trust me. ;)

    1. Define a Network Group named "John's IPs" containing the "John (User Network)" object and the "John's laptop" Host.
    2. Define a Host with an IP in a separate subnet named "John's Server Access" and register that IP in the server. For example 172.30.1.7.
    3. SNAT : John's IPs -> Any -> {192.168.10.100} : from John's Server Access

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your time, I very much appreciate it.

    "Also, you're getting confused between the "John (User Network)" object.... " - yes, a great deal. Sorry about that; one of the sites John might connect from has a RED and I created a rule from that site that assigns his laptop a static IP. This is not important right now though.

    "If you have more than just John with a laptop that travels..." Yes, there could be a few.

    "you'll just need to trust me..." No problem, as long as you're not that Nigerian General who keeps emailing me, because I'm pretty sure he does not have a brother at the Banko Bongo.

    "Define a Network Group named ..." I have created these and I will road test this later in the week. Thanks again.

  • Update... I'm having issues.

    Many thanks to those who've helped thus far, especially Baifson. 

    I have tested it from a remote connection, which works.

    Unfortunately, it does not work from inside the network. The remote connections are SSL using the Sophos client and the remote DHCP pool; the local connections use a host to identify the PC and assign it an IP within the local subnet.

    The IP I registered in the software server was 192.168.11.66 which is on a unique subnet and not part of any network. However, should I have registered a totally random one as suggested?

  • Further to the above...

    Because this works from a remote connection and not from the internal network, I imagine that it has to do with both the source IP and the software server IP being of the same subnet.

    Interestingly, when I first launch the software I get a communication error, then after that I get '192.168.10.x (my IP assigned by UTM) IP address not valid'. Note that it recognises my actual IP rather than the SNAT'd IP of 192.168.11.66 every time until I restart. Then I get the communication error again, followed by the IP address not valid again.

    Also, how can I define a host for the RED network which is working in transparent split (has its own DHCP)? So I can add access from the RED site in the same way?

  • I created a new network with a separate subnet and DHCP server, assigned it to eth3, then added a wireless AP to that port; then after adding the necessary rules it works from within the head office. Just the branch office RED connection to sort now. I need to point to the John's laptop host when the laptop is using external DHCP.
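Added example (not from the thread, and not Sophos code): a small Python model of Bob's SNAT recipe together with the routing detail behind the "works remotely, fails inside the office" symptom, and of the separate eth3 subnet that fixed it. The eth3 subnet 192.168.12.0/24, the laptop address 192.168.12.7 on it, and the use of Bob's 172.30.1.7 as the registered address are assumptions.

```python
import ipaddress

# Addresses from the thread: the licence server, its "Internal (Network)",
# the SSL VPN pool address John gets, and his laptop's office DHCP reservation.
SERVER = ipaddress.ip_address("192.168.10.100")
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
VPN_POOL_IP = ipaddress.ip_address("192.168.2.2")
OFFICE_LAPTOP_IP = ipaddress.ip_address("192.168.10.7")

# Assumed: the separate subnet later hung off eth3, and the laptop's address on it.
EXTRA_NET = ipaddress.ip_network("192.168.12.0/24")
EXTRA_LAPTOP_IP = ipaddress.ip_address("192.168.12.7")

# Bob's recipe: a "John's IPs" group, a "John's Server Access" host, one SNAT rule.
JOHNS_IPS = {VPN_POOL_IP, OFFICE_LAPTOP_IP, EXTRA_LAPTOP_IP}
JOHNS_SERVER_ACCESS = ipaddress.ip_address("172.30.1.7")
# Licence list on the server: 172.30.1.7 is registered instead of the laptop's own addresses.
REGISTERED_IPS = {ipaddress.ip_address(a) for a in ("192.168.10.3", "192.168.10.4",
                                                    "192.168.10.5")} | {JOHNS_SERVER_ACCESS}
UTM_NETWORKS = (INTERNAL_NET, EXTRA_NET)

def traverses_utm(src, dst):
    """A packet only reaches the UTM (and its NAT table) if it has to be routed.
    Two hosts on the same directly connected subnet talk over layer 2 and bypass it."""
    return not any(src in net and dst in net for net in UTM_NETWORKS)

def snat(src, dst):
    """SNAT : John's IPs -> Any -> {192.168.10.100} : from John's Server Access"""
    if src in JOHNS_IPS and dst == SERVER:
        return JOHNS_SERVER_ACCESS
    return src

def source_seen_by_server(src):
    """Source address the licence server observes for a connection from src."""
    return snat(src, SERVER) if traverses_utm(src, SERVER) else src

def server_accepts(src):
    """True if the address the server sees is on its licence list."""
    return source_seen_by_server(src) in REGISTERED_IPS

if __name__ == "__main__":
    # Expected: VPN and eth3 clients are seen as 172.30.1.7 and accepted;
    # the laptop on 192.168.10.7 never crosses the UTM, so the server sees
    # 192.168.10.7 and rejects it ("IP address not valid").
    for ip in (VPN_POOL_IP, OFFICE_LAPTOP_IP, EXTRA_LAPTOP_IP):
        print(f"{ip} -> seen as {source_seen_by_server(ip)}, accepted={server_accepts(ip)}")
```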
