Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 7 replies
  • Subscribers 41 subscribers
  • Views 2070 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VLAN setup with no Internet access but needs one VPN Connection to access Internet

Patrick Coy

I have successfully set up a VLAN between my XG 210 and two Netgear ProSafe Managed Switches. VLAN Clients are not allowed access to the Internet, but do have access to the Network Storage. This is all working beautifully! 

What I need to do next is allow one of the VLAN Clients to access the Internet through a VPN connection and single user login. When I run the Sophos SSL VPN Client from the VLAN I can connect to the VPN, but I am still not able to connect to the Internet...

Thank you for any suggestions,

Patrick



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi Patrick Coy,

    Could you please explain the use case of this configuration? If I understood your request correct, you are trying to configure SSL Remote VPN for one user on VLAN and connect that user to the firewall through SSL Remote VPN and than access the internet? Correct me if I am wrong. 

    Thanks,

  • 0 in reply to FormerMember

    Hi H_Patel,

    We are in the Entertainment Industry and per security guidelines within a current project we cannot have our Users on this project have Internet access. This is to prevent leaked materials from within being made available before the release date, which is unfortunately very prevalent in our industry. That's why I created the VLAN with internal Storage access, but no Internet access.

    However... One Workstation will need access to the Internet for receiving and sending data to the Client that we are doing the work for. Per their protocols any User on this project must be on a VLAN without Internet access, that's done, along with one Workstation that can access the Internet via VPN. 

    Thank you for the reply!

    Patrick

  • FormerMember
    0 FormerMember in reply to Patrick Coy

    Hi Patrick Coy,

    You have that workstation part of the VLAN and wants to allow internet access through VPN? Do you have third party VPN service? or you are trying to find a way to configure SSL Remote VPN on firewall to achieve this? 

    Thanks,

  • 0 in reply to FormerMember

    Thanks for the reply! This would be using the SSL Remote VPN on my XG firewall.

     

    Patrick

  • +2 in reply to Patrick Coy

    Hi  

    Please follow KBA here:  https://community.sophos.com/kb/en-us/122769

    This KBA shows detailed steps on how to setup SSL VPN connection to the XG.  You should be able to connect to the LAN interface of the XG for SSL VPN connection.  From there you can then add a firewall rule with source zone of "VPN" and destination zone of "WAN" and attach the user identity to this rule.  This will ensure that only the authenticated user can access the WAN.

    Let us know how it goes.

    Thanks!

    KingChris
    Community Support | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Reply Children
  • 0 in reply to KingChris

    Thanks KingChris! I have followed this document and it didn't work; however, I will go through it again and make sure I'm covering every step... Just in case :)

     

    Patrick

  • +1 in reply to Patrick Coy

    I've got a solution, although not how I was originally trying to set it up.

    • I have two firewalls:
      • Sophos XG 210
      • SonicWall 4500 
    • The lone computer with Internet access for this project now sits on the SW4500, instead of the XG
      • That way it can have full Internet access but not touch the internal network on the XG
    • When data needs to be transferred to or from the internal network to the Internet, then the approved user will log into the VPN
      • From their that user will be able to complete their transfers!

    Thanks for the suggestions,

    Patrick

Unfiltered HTML