This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN: Access to SSL Client side

There is a SSL VPN client connection to a Sophos XG Firewall. The Connection is fine. From the client side i get access to the XG Firewall local LAN. Now i need also access from XG Firewall local LAN to the Client LAN.

I have two Firewall Rules.

- VPN to LAN
- LAN to VPN

What else do I need.

Thank's community.

This thread was automatically locked due to age.

Parents

0 lferrara over 4 years ago

Marcel,

did you follow this kb?

https://community.sophos.com/kb/en-us/122769

You only need VPN to LAN and not vice-versa.

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to lferrara

Yes, i folllowed exactly this kb. As i said. Access from Client LAN to local LAN (XG side) is possible. But i need also access from local LAN to Client LAN.
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Marcel Ruch

Marcel,

Can you explain a bit better? Do you need to access a lan that is behind a S2S vpn?
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to lferrara

Ok. Let's try to explain.

--------------------------------------------- VPN SSL Connection -----------------------------------------------

| SSL VPN Client, LAN 192.168.75.0/24 | <-------------------------> | XG Firewall, local LAN 192.168.11.0/24 |

--------------------------------------------- -----------------------------------------------

Access from Client LAN to XG Firewall local LAN is ok.

MANAGEMENT: >STATE:1580996743,CONNECTED,SUCCESS,10.81.234.6,46.14.83.102,8443,192.168.75.223,58254

Ping wird ausgeführt für 192.168.11.101 mit 32 Bytes Daten:
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127

Ping-Statistik für 192.168.11.101:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 21ms, Maximum = 21ms, Mittelwert = 21ms

But i don't have access from XG Firewall local LAN to VPN Client LAN.

Ping wird ausgeführt für 10.81.234.6 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.81.234.6:
Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1
(100% Verlust)

or

Ping wird ausgeführt für 192.168.75.5 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 192.168.75.5:
Pakete: Gesendet = 3, Empfangen = 0, Verloren = 3
(100% Verlust)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Marcel Ruch over 4 years ago in reply to lferrara

Ok. Let's try to explain.

--------------------------------------------- VPN SSL Connection -----------------------------------------------

| SSL VPN Client, LAN 192.168.75.0/24 | <-------------------------> | XG Firewall, local LAN 192.168.11.0/24 |

--------------------------------------------- -----------------------------------------------

Access from Client LAN to XG Firewall local LAN is ok.

MANAGEMENT: >STATE:1580996743,CONNECTED,SUCCESS,10.81.234.6,46.14.83.102,8443,192.168.75.223,58254

Ping wird ausgeführt für 192.168.11.101 mit 32 Bytes Daten:
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127

Ping-Statistik für 192.168.11.101:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 21ms, Maximum = 21ms, Mittelwert = 21ms

But i don't have access from XG Firewall local LAN to VPN Client LAN.

Ping wird ausgeführt für 10.81.234.6 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.81.234.6:
Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1
(100% Verlust)

or

Ping wird ausgeführt für 192.168.75.5 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 192.168.75.5:
Pakete: Gesendet = 3, Empfangen = 0, Verloren = 3
(100% Verlust)
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lferrara over 4 years ago in reply to Marcel Ruch

Thanks for the info.

Where are you executing the ping command?
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Marcel Ruch

Hi Marcel Ruch

Please login to SSH access of the device and select option 4. Device console and execute the command

tcpdump 'host <IPaddress of the SSL VPN client>

Initiate the traffic and share the output

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to lferrara

Both sides. I liked to show you that the ping is working from client side to XG LAN side, but not from XG LAN side to client side.
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to Keyur

Here is the tcpdump result:

console> console> tcpdump 'host 192.168.75.223'
% Error: Unknown Parameter 'console>'
console> tcpdump: Starting Packet Dump
% Error: Unknown Parameter 'tcpdump:'
request, id 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:23.222963'
equest, i d 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo r
% Error: Unknown Parameter '08:37:23.223015'
request, id 1, seq 211, length 40102 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:23.223304'
request, id 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:28.079108'
equest, i d 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo r
% Error: Unknown Parameter '08:37:28.079120'
request, id 1, seq 212, length 40102 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:28.079410'
request, id 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:33.079425'
equest, i d 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo r
% Error: Unknown Parameter '08:37:33.079441'
request, id 1, seq 213, length 40102 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:33.079738'
request, id 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:38.079755'
equest, i d 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo r
% Error: Unknown Parameter '08:37:38.079765'
request, id 1, seq 214, length 40102 > 192.168.75.223: ICMP echo
% Error: Unknown Parameter '08:37:38.080040'
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Marcel Ruch

Hi Marcel Ruch

When you log in to console, you will get the prompt as console>, you do not have to type it,

Please refer to the article- https://community.sophos.com/kb/en-us/123567

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to Keyur

Sorry for that.

console> tcpdump 'host 192.168.75.223'
tcpdump: Starting Packet Dump
08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:30.134462 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Marcel Ruch

Hi Marcel Ruch

Please share the output of the below command

console> system route precedence show

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to Keyur

Default routing Precedence:
1. Policy routes
2. VPN routes
3. Static routes
Cancel
Vote Up 0 Vote Down

Cancel
0 Marcel Ruch over 4 years ago in reply to Marcel Ruch

I found something similar at https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/53884/ssl-vpn-client-to-client-communication

But I don't know exactly how to set the nat rule.
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Marcel Ruch

Hi Marcel Ruch

Do you have added any Policy Routing in the XG configuration?

Please verify from Routing >> Static Routing and Policy Routing

We need to check by setting VPN precedence on top

Please execute the command

console> system route_precedence set vpn

Please verify and let me know

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel