

SSL VPN: Access to SSL Client side

There is an SSL VPN client connection to a Sophos XG Firewall. The connection is fine. From the client side I get access to the XG Firewall local LAN. Now I also need access from the XG Firewall local LAN to the client LAN.

I have two Firewall Rules.

- VPN to LAN
- LAN to VPN

What else do I need?

Thanks, community.



  • Marcel,

    did you follow this KB?

    https://community.sophos.com/kb/en-us/122769

    You only need VPN to LAN and not vice-versa.

    Regards

  • Yes, I followed exactly this KB. As I said, access from the client LAN to the local LAN (XG side) is possible. But I also need access from the local LAN to the client LAN.

  • Marcel,

    Can you explain a bit better? Do you need to access a LAN that is behind an S2S VPN?

  • Ok. Let's try to explain.

    ---------------------------------------        SSL VPN connection        ------------------------------------------
    | SSL VPN Client, LAN 192.168.75.0/24 |  <------------------------->  | XG Firewall, local LAN 192.168.11.0/24 |
    ---------------------------------------                                  ------------------------------------------

    Access from Client LAN to XG Firewall local LAN is ok.

    MANAGEMENT: >STATE:1580996743,CONNECTED,SUCCESS,10.81.234.6,46.14.83.102,8443,192.168.75.223,58254

    Pinging 192.168.11.101 with 32 bytes of data:
    Reply from 192.168.11.101: bytes=32 time=21ms TTL=127
    Reply from 192.168.11.101: bytes=32 time=21ms TTL=127
    Reply from 192.168.11.101: bytes=32 time=21ms TTL=127
    Reply from 192.168.11.101: bytes=32 time=21ms TTL=127

    Ping statistics for 192.168.11.101:
    Packets: Sent = 4, Received = 4, Lost = 0
    (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 21ms, Average = 21ms

     

    But I don't have access from the XG Firewall local LAN to the VPN client LAN.

     

    Pinging 10.81.234.6 with 32 bytes of data:
    Request timed out.

    Ping statistics for 10.81.234.6:
    Packets: Sent = 1, Received = 0, Lost = 1
    (100% loss)

    or

    Pinging 192.168.75.5 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.75.5:
    Packets: Sent = 3, Received = 0, Lost = 3
    (100% loss)

  • Thanks for the info.

    Where are you executing the ping command?

  • Hi  

    Please login to SSH access of the device and select option 4. Device console and execute the command

    tcpdump 'host <IP address of the SSL VPN client>'

    Initiate the traffic and share the output

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Here is the tcpdump result:

    console> console> tcpdump 'host 192.168.75.223'
    % Error: Unknown Parameter 'console>'
    console> tcpdump: Starting Packet Dump
    % Error: Unknown Parameter 'tcpdump:'
    request, id 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:23.222963'
    equest, i d 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:23.223015'
    request, id 1, seq 211, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:23.223304'
    request, id 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:28.079108'
    equest, i d 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:28.079120'
    request, id 1, seq 212, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:28.079410'
    request, id 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:33.079425'
    equest, i d 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:33.079441'
    request, id 1, seq 213, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:33.079738'
    request, id 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:38.079755'
    equest, i d 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:38.079765'
    request, id 1, seq 214, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:38.080040'

  • Hi  

    When you log in to the console, you will get the prompt as console>; you do not have to type it.

    Please refer to the article-  https://community.sophos.com/kb/en-us/123567

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Sorry for that.

    console> tcpdump 'host 192.168.75.223'
    tcpdump: Starting Packet Dump
    08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:30.134462 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
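The four lines above are the useful evidence in this thread: the echo request for 192.168.75.223 enters on Port1 and br0 with source 192.168.11.38, then leaves on Port2 with the source rewritten to 46.14.83.102, the same address the client's OpenVPN MANAGEMENT line shows as the XG's public endpoint. That pattern means the firewall forwarded the packet along its default route with source NAT instead of into the SSL VPN tunnel. The following is an added example, not code from the thread or from Sophos, that parses XG console tcpdump output in this "interface, IN|OUT" format and classifies where each echo request left the box. The sample input is the posted dump reproduced inline; the interface names ("Port2" as WAN, "tun0" as the tunnel interface) are assumptions for illustration, since the thread never names the tunnel interface.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four XG console tcpdump lines quoted in the post above,
# plus the banner line the console prints first.
SAMPLE_DUMP = """\
tcpdump: Starting Packet Dump
08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:30.134462 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
"""

# SFOS console tcpdump record: "<time> <interface>, <IN|OUT>: IP <src>[.port] > <dst>[.port]: <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<info>.*)$"
)


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str   # "IN": packet arrived on iface; "OUT": packet left on iface
    src: str
    dst: str
    info: str


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse XG console tcpdump output; lines that are not packet records are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["iface"], m["dir"], m["src"], m["dst"], m["info"]))
    return packets


def _seq(pkt: Packet) -> Optional[int]:
    m = re.search(r"\bseq (\d+)\b", pkt.info)
    return int(m.group(1)) if m else None


def trace_egress(packets: List[Packet], dst: str,
                 wan_ifaces=("Port2",), tunnel_ifaces=("tun0",)) -> Dict[int, str]:
    """Classify, per ICMP echo request to dst, where it left the firewall.

    wan_ifaces / tunnel_ifaces are assumptions for this example: in the thread Port2
    emits the firewall's public address 46.14.83.102, so it is treated as WAN; the SSL
    VPN tunnel interface name is not shown in the thread, so "tun0" is a placeholder.
    Verdicts: "tunnel" (routed into the VPN), "wan-snat" (sent out WAN with the source
    rewritten to the WAN address), "wan" (sent out WAN unchanged), "no-egress-seen".
    """
    by_seq: Dict[int, List[Packet]] = {}
    for p in packets:
        seq = _seq(p)
        if p.dst == dst and "ICMP echo request" in p.info and seq is not None:
            by_seq.setdefault(seq, []).append(p)

    verdict: Dict[int, str] = {}
    for seq, hops in by_seq.items():
        ins = [h for h in hops if h.direction == "IN"]
        outs = [h for h in hops if h.direction == "OUT"]
        if not outs:
            verdict[seq] = "no-egress-seen"
        elif outs[-1].iface in tunnel_ifaces:
            verdict[seq] = "tunnel"
        elif outs[-1].iface in wan_ifaces:
            snat = bool(ins) and outs[-1].src != ins[0].src
            verdict[seq] = "wan-snat" if snat else "wan"
        else:
            verdict[seq] = "other:" + outs[-1].iface
    return verdict


if __name__ == "__main__":
    for seq, where in sorted(trace_egress(parse_tcpdump(SAMPLE_DUMP), "192.168.75.223").items()):
        print(f"seq {seq}: {where}")
    # seq 215: wan-snat        <- the ping to the client LAN took the default route, not the tunnel
    # seq 216: no-egress-seen  <- the posted dump ends before this request's OUT line
```

A "wan-snat" verdict for a destination that should be reachable through the VPN tells you the problem is routing on the XG, not the firewall rules: no rule pair (VPN to LAN, LAN to VPN) will help while the packet never enters the tunnel interface. A "no-egress-seen" verdict for every sequence, by contrast, would point at a drop inside the firewall (rule or route), and a "tunnel" verdict with no reply would shift suspicion to the client end, which is the direction the later replies in this thread take.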

  • Hi  

    Please share the output of the below command

    console> system route precedence show

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Default routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes

  • Hi  

    Have you added any policy routing in the XG configuration?

    Please verify from Routing >> Static Routing and Policy Routing

    We need to check by setting VPN precedence on top

    Please execute the command

    console> system route_precedence set vpn

    Please verify and let me know

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • There is no policy or static route defined.

     

    Here is the result of system route_precedence set vpn

    console> system route_precedence set vpn
    vpn VPN routes

     

    Still no access to client side.

  • Hi  

    Based on the data you provided, I see you are using a bridge interface.  Is this correct?  Are you actually trying to bridge 2 networks together or are you just plugging in the ports assigned in the bridge?  I would recommend you remove the bridge interface and setup the LAN interface on the correct port.  Please note that doing this will remove the IP from the bridge interface, so you will need another IP on the XG to connect to.

    On another note, have you disabled Windows Firewall on the SSL VPN client side?  Windows Firewall always blocks pings out of the box.  Also note that if you are not using a full tunnel and the user on the other end has the same IP range on their LAN network as your LAN network, then this will cause problems.

    Try changing to a full tunnel on the XG SSL VPN and disabling Windows Firewall completely to see if it helps.  I also recommend having a rule VPN-LAN and LAN-VPN without routing or MASQ applied.  You can also try pinging the end system from the XG.  If there is no response to the XG, then the problem lies on the end client device.

    Thanks!

    KingChris
    Community Support | Sophos Support
