PROBLEM:
I would appreciate some help from the community. I am able to successfully connect an iOS OpenVPN client using the downloaded profile, and am able to access the WAN properly through VPN (shows my IP address is within the new VPN network - WAN port as expected). However, I am unable to ping or get access to LAN devices. It seems like I am missing something quite simple - I've read through dozens of posts and tried various things but can't seem to get the two subnets to talk to each other.
CONFIGURATION:
My SSL VPN setup that was determined to be working and can be cloned if desired. Source of network error was Bitdefender Dynamic Firewall on PC, see SOLUTION at bottom:
Sophos XG Mode: Internet Gateway Mode (Route Mode)
Firmware Version: SFOS 17.5.0 GA
Hardware: Qotom Q355G4, i5-5300U, 8GB RAM, 128GB SSD, 4 Intel NICs (Qotom NICs are finally properly ordered, by the way)
Local LAN config: 172.16.16.16 (SophosXG), DHCP lease 172.16.16.17-172.16.16.254 /24(255.255.255.0)
SSL VPN config:
Protocol: UDP
Port: 8443
Lease mode: IPv4 only
IPv4 range 10.81.234.5-10.81.234.55 /24(255.255.255.0)
Policy members: craig (specific user)
Use as default gateway: On (all VPN client traffic including WAN/Internet sent through VPN)
Permitted network resources (IPv4): Local_Subnet (IP host Type:Network, IP address:172.16.16.0, Subnet:/24 (255.255.255.0))
Firewall rules:
Rule Name: VPN to LAN
Description: allow unrestricted traffic between VPN and LAN
Source: VPN & LAN, Any host
Destination: VPN & LAN, Any host
What: Any Service
Action: Accept
Match known users: Off
Rewrite source address: On
Use outbound address: MASQ
Primary Gateway: None
Rule Name(s): LAN/VPN to WAN Rule(s) (possibly multiple rules - add VPN to all LAN to WAN traffic rules as desired if enabling "Use as default gateway" above)
Source: LAN & VPN, Any host
Destination: WAN, Any host
What: Any Service
Action: Accept
Match known users: Off
Rewrite source address: On
Use outbound address: MASQ
Primary Gateway: WAN link load balance
Web Policy: Default Policy (or other as desired)
STATUS: Solved, see solution post - Bitdefender on PC was blocking. Needed to make updates to Bitdefender to change default Dynamic Firewall settings which interfere with Sophos XG SSL VPN Remote Access.
SOLUTION: For those of you with Bitdefender Firewall running on your PCs, I had to do the following to allow external Ping requests to work consistently:
1. Firewall Settings, Network Adapters, set Ethernet NIC to "Home/Office"
2. Firewall Settings, Settings, Edit stealth settings, disable Stealth Mode for Ethernet NIC
3. Firewall Settings, Settings, Edit default rules, change default application behavior to "Allowed" for Ethernet NIC
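As an added diagnostic example (not part of the original post), the script below reads an OpenVPN client log against the SSL VPN settings listed above and orders the suspects the way this thread resolved: first whether the XG actually pushed the 172.16.16.0/24 route and a 10.81.234.0/24 tunnel address, then the VPN to LAN rule, then the LAN device's own firewall. The log lines are constructed, and the reachability results are assumed inputs.

```python
import ipaddress
import re

# Values taken from the configuration in the post.
LAN_NET = ipaddress.ip_network("172.16.16.0/24")   # Permitted network resources: Local_Subnet
VPN_NET = ipaddress.ip_network("10.81.234.0/24")   # SSL VPN IPv4 lease range /24
PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")

def parse_push_reply(log_text):
    """Pull routes, tunnel address and redirect-gateway out of an OpenVPN client log."""
    m = PUSH_RE.search(log_text)
    if not m:
        return None
    reply = {"routes": [], "ifconfig": None, "redirect_gateway": False}
    for opt in m.group(1).split(","):
        parts = opt.split() or [""]
        if parts[0] == "route" and len(parts) >= 3:      # "route <net> <mask>"
            reply["routes"].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "ifconfig" and len(parts) >= 2:  # "ifconfig <local> <mask|remote>"
            reply["ifconfig"] = ipaddress.ip_address(parts[1])
        elif parts[0] == "redirect-gateway":              # "Use as default gateway: On"
            reply["redirect_gateway"] = True
    return reply

def check_push(reply):
    """Compare what the XG pushed with what the post's SSL VPN settings should produce."""
    if reply is None:
        return ["no PUSH_REPLY in log: tunnel negotiation never completed"]
    findings = []
    if reply["ifconfig"] is None or reply["ifconfig"] not in VPN_NET:
        findings.append(f"tunnel address {reply['ifconfig']} outside lease range {VPN_NET}")
    if not any(LAN_NET.subnet_of(r) for r in reply["routes"]):
        findings.append(f"no pushed route covers {LAN_NET}: check Permitted network resources")
    if not reply["redirect_gateway"]:
        findings.append("redirect-gateway absent: 'Use as default gateway' is off")
    return findings

def diagnose(push_findings, xg_reachable, lan_host_reachable):
    """Order the suspects: server push, XG firewall rule, then the LAN device's own firewall."""
    if push_findings:
        return "fix server push: " + "; ".join(push_findings)
    if not xg_reachable:
        return "route pushed but 172.16.16.16 unreachable: check the VPN to LAN firewall rule"
    if not lan_host_reachable:
        return "XG reachable but LAN host is not: suspect a host firewall (stealth mode) on the PC"
    return "LAN reachable over the tunnel"

# Constructed sample log lines (not from the post) shaped like OpenVPN's PUSH_REPLY output.
SAMPLE_LOG = "PUSH: Received control message: 'PUSH_REPLY,route 172.16.16.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 172.16.16.16,ifconfig 10.81.234.6 255.255.255.0'"
SAMPLE_LOG_NO_ROUTE = "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ifconfig 10.81.234.6 255.255.255.0'"
```

Run `diagnose(check_push(parse_push_reply(SAMPLE_LOG)), xg_reachable=True, lan_host_reachable=False)` to see the case this thread ended on: everything the XG should push is present, so the next place to look is the LAN PC's firewall.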