
Localhost unable to browse remote VPN client

Hello,

I'm a relative newbie with regards to VPN/Sophos UTM configuration so everyone's help would be appreciated.

I have a remote NAS configured to connect via PPTP to our Sophos UTM device. It is successfully connected, and is assigned an IP address from the VPN pool.

I am able to ping the assigned IP address from a workstation within the local network. 

However, when I attempt to open the web management interface of the device, or browse to the share, I am unable to do so, and I see the following entry in the firewall log-

2017:09:26-11:04:26 boraamfw1 ulogd[4633]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:25:b3:27:84:50" dstmac="00:1a:8c:46:56:40" srcip="192.168.1.128" dstip="10.242.1.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="54888" dstport="80" tcpflags="SYN"

I have attempted to temporarily allow all traffic through the firewall by creating an "Any-Any-Any" rule, however this does not appear to affect the situation, as the packets are still shown as being dropped in the log.

PPTP connection tracking helper is enabled on the UTM.

Any assistance in troubleshooting this problem would be appreciated.


Thank you!
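The dropped-packet entry quoted above is in the UTM's ulogd key="value" format, which is awkward to read by eye but easy to parse. The following Python helper is an added example, not part of the original post or of Sophos' tooling: it parses such lines into a dict and aggregates drops by source, destination, protocol, port and firewall rule, so that the "which rule is still dropping my SYNs?" question can be answered from the log rather than guessed at. The second log line in the sample is constructed for contrast (a later SMB attempt); the first is the one quoted in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: line 1 is the entry quoted in the post, line 2 is an
# invented follow-up attempt against the SMB share (tcp/445) from the same host.
SAMPLE_LOG = """\
2017:09:26-11:04:26 boraamfw1 ulogd[4633]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:25:b3:27:84:50" dstmac="00:1a:8c:46:56:40" srcip="192.168.1.128" dstip="10.242.1.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="54888" dstport="80" tcpflags="SYN"
2017:09:26-11:04:31 boraamfw1 ulogd[4633]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:25:b3:27:84:50" dstmac="00:1a:8c:46:56:40" srcip="192.168.1.128" dstip="10.242.1.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="54890" dstport="445" tcpflags="SYN"
"""

# "<timestamp> <host> <process>[<pid>]: " followed by key="value" pairs.
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IP protocol numbers as they appear in the proto="" field.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Aggregation key: (srcip, dstip, protocol name, dstport, fwrule)
DropKey = Tuple[str, str, str, str, str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ulogd line into a flat dict; returns None for non-matching lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2),
           "process": m.group(3), "pid": m.group(4)}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def summarize_drops(log_text: str) -> Dict[DropKey, int]:
    """Count packetfilter drops per (src, dst, proto, dport, rule) tuple."""
    counts: Dict[DropKey, int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("sub") != "packetfilter" or rec.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(rec.get("proto", ""), rec.get("proto", "?"))
        key = (rec["srcip"], rec["dstip"], proto, rec.get("dstport", "-"), rec["fwrule"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def format_summary(counts: Dict[DropKey, int]) -> List[str]:
    """Render the aggregation as one human-readable line per flow."""
    return [f"{src} -> {dst} {proto}/{dport} dropped by fwrule {rule} (x{n})"
            for (src, dst, proto, dport, rule), n in sorted(counts.items())]


if __name__ == "__main__":
    for line in format_summary(summarize_drops(SAMPLE_LOG)):
        print(line)
```

Feeding the live packetfilter log through `summarize_drops` shows immediately that every blocked flow from the workstation to the VPN pool address carries the same `fwrule` value, which is the thing to look up in the rule list before touching NAT or masquerading.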



  • Hi, Kang Soh, and welcome to the UTM Community!

     I haven't tried the following, but I think it might work.  Assuming the Remote device is signed into PPTP as "NAS,"

    1. On the Internal Interface, define an Additional Address "NAS Device" as a /32 
    2. Create a NAT rule with automatic firewall rules:
      • DNAT : Any -> Any -> Internal [NAS Device] (Address) : to NAS (User Network)

    Now, when the NAS device is connected to PPTP Remote Access, you should be able to connect via the Additional Address.

    Did that work?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Thanks for the help- I did try as you suggested, but unfortunately I'm still running into the same error/issue.


    The log file still shows the same error when I try to do anything other than ping the host. I don't know why ICMP packets get routed/through, but others don't.


    Any other ideas would be appreciated.


    Thank you

  • Probably some kind of masquerading rule is missing. Are you masquerading pptp to your internal network?

    Sorry, seems trivial, but you are in good hands with Bob.

  • Might be worth trying, however I did not set it up as I thought that IP masquerading was only required if I wanted the VPN client to be able to use the LAN's gateway for internet traffic?

    I can give it a shot however....

    Thanks!

  • Please show us the Edit of your NAT rule.

    Cheers - Bob
    PS Bill, if a masq rule is required, it's an indication of a misconfiguration elsewhere - nothing wrong with a bandaid though!

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I think this is what you're asking to see-


    • status switch (status) = 1
    • group (group) = empty value
    • traffic source (source) = any address object "Any"
    • traffic service (service) = any service object "Any"
    • traffic destination (destination) = interface address object "External- Comcast (WAN) [PPTP Test] (Address)"
    • destination address (destination_nat_address) = user or group network object "remotebackup (User Network)"
    • destination service (destination_nat_service) = empty value
    • source address (source_nat_address) = empty value
    • source service (source_nat_service) = empty value
    • log switch (log) = 0
    • auto-packetfilter rule switch (auto_pfrule) = 1
    • comment (comment) = empty value
    • apply to IPsec switch (ipsec) = 0


    If it isn't what you need, please let me know and I'll try again to get the information.

    For what it's worth, I did have a couple hour phone call with tech support today, and they basically said at the end of it that they couldn't figure it out, so I'm not holding out much hope, but your continued efforts at assistance are appreciated.

    Thanks!

  • There's the problem:

    traffic destination (destination) = interface address object "External- Comcast (WAN) [PPTP Test] (Address)"

    That should be on the Internal interface, not the External.  The external IP is not a part of your PPTP tunnel.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
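Bob's diagnosis of the NAT rule dump above (the traffic destination bound to the External interface instead of the Internal one, as suggested in his first reply) is mechanical enough to encode as a check. The following Python is an added example, not from the thread or from Sophos: it parses the "label (key) = value" dump the poster pasted and flags the settings that would stop a DNAT from reaching a PPTP client. The `Internal ...` naming convention for the corrected destination object and the `NAS Device` address name are assumptions taken from Bob's first reply; the rule dump itself is copied from the thread.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed copy of the rule dump posted in the thread (the misconfigured state).
RULE_DUMP = """\
status switch (status) = 1
group (group) = empty value
traffic source (source) = any address object "Any"
traffic service (service) = any service object "Any"
traffic destination (destination) = interface address object "External- Comcast (WAN) [PPTP Test] (Address)"
destination address (destination_nat_address) = user or group network object "remotebackup (User Network)"
destination service (destination_nat_service) = empty value
source address (source_nat_address) = empty value
source service (source_nat_service) = empty value
log switch (log) = 0
auto-packetfilter rule switch (auto_pfrule) = 1
comment (comment) = empty value
apply to IPsec switch (ipsec) = 0
"""

# Assumed corrected form: same rule, destination moved to an Additional Address
# "NAS Device" on the Internal interface as Bob's first reply suggests.
FIXED_DUMP = RULE_DUMP.replace(
    'interface address object "External- Comcast (WAN) [PPTP Test] (Address)"',
    'interface address object "Internal [NAS Device] (Address)"')

# One dump line: optional bullet, label, "(key) = value".
FIELD_RE = re.compile(r'^\s*[•*-]?\s*(?P<label>.+?) \((?P<key>\w+)\) = (?P<value>.*)$')
# Object references look like: <object type> "<object name>"
OBJ_RE = re.compile(r'^(?P<type>.+?) "(?P<name>.+)"$')

Value = Union[None, int, str, Dict[str, str]]


def parse_rule(dump: str) -> Dict[str, Value]:
    """Turn the pasted NAT rule dump into {key: value}, resolving object references."""
    rule: Dict[str, Value] = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        raw = m.group("value").strip()
        value: Value
        if raw == "empty value":
            value = None
        elif raw.isdigit():
            value = int(raw)
        else:
            om = OBJ_RE.match(raw)
            value = {"type": om.group("type"), "name": om.group("name")} if om else raw
        rule[m.group("key")] = value
    return rule


def check_dnat_for_vpn_client(rule: Dict[str, Value]) -> List[str]:
    """Return a list of findings; an empty list means the rule matches the thread's fix."""
    findings: List[str] = []
    if rule.get("status") != 1:
        findings.append("rule is disabled (status != 1)")
    if rule.get("auto_pfrule") != 1:
        findings.append("automatic firewall rule is off; DNATed traffic still needs an allow rule")
    dest = rule.get("destination")
    if not isinstance(dest, dict) or dest["type"] != "interface address object":
        findings.append("traffic destination is not an interface address object")
    elif not dest["name"].startswith("Internal"):
        findings.append(f'traffic destination "{dest["name"]}" is not on the Internal '
                        "interface; the external IP is not part of the PPTP tunnel")
    target = rule.get("destination_nat_address")
    if not isinstance(target, dict) or "(User Network)" not in target["name"]:
        findings.append("destination NAT target is not the PPTP user's User Network object")
    return findings


if __name__ == "__main__":
    for label, dump in (("posted rule", RULE_DUMP), ("corrected rule", FIXED_DUMP)):
        print(label, "->", check_dnat_for_vpn_client(parse_rule(dump)) or "OK")
```

Run against the posted dump the checker reports exactly the External-interface finding Bob pointed out; against the corrected dump it reports nothing, which is the state to confirm before re-testing the web interface and share from the LAN.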