
SSL VPN: Access to SSL Client side

There is an SSL VPN client connection to a Sophos XG Firewall. The connection is fine. From the client side I get access to the XG Firewall local LAN. Now I also need access from the XG Firewall local LAN to the client LAN.

I have two Firewall Rules.

- VPN to LAN
- LAN to VPN

What else do I need?

Thanks, community.



  • Marcel,

    Did you follow this KB?

    https://community.sophos.com/kb/en-us/122769

    You only need VPN to LAN and not vice-versa.

    Regards

  • Yes, I followed exactly this KB. As I said, access from the client LAN to the local LAN (XG side) is possible. But I also need access from the local LAN to the client LAN.

  • Marcel,

    Can you explain a bit better? Do you need to access a lan that is behind a S2S vpn?

  • Ok. Let's try to explain.

    ---------------------------------------        VPN SSL Connection        ------------------------------------------
    | SSL VPN Client, LAN 192.168.75.0/24 |  <----------------------------->  | XG Firewall, local LAN 192.168.11.0/24 |
    ---------------------------------------                                  ------------------------------------------

    Access from Client LAN to XG Firewall local LAN is ok.

    MANAGEMENT: >STATE:1580996743,CONNECTED,SUCCESS,10.81.234.6,46.14.83.102,8443,192.168.75.223,58254

    Ping wird ausgeführt für 192.168.11.101 mit 32 Bytes Daten:
    Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
    Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
    Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127
    Antwort von 192.168.11.101: Bytes=32 Zeit=21ms TTL=127

    Ping-Statistik für 192.168.11.101:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
    Ca. Zeitangaben in Millisek.:
    Minimum = 21ms, Maximum = 21ms, Mittelwert = 21ms


    But I don't have access from the XG Firewall local LAN to the VPN client LAN.


    Ping wird ausgeführt für 10.81.234.6 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.

    Ping-Statistik für 10.81.234.6:
    Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1
    (100% Verlust)

    or 

    Ping wird ausgeführt für 192.168.75.5 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.

    Ping-Statistik für 192.168.75.5:
    Pakete: Gesendet = 3, Empfangen = 0, Verloren = 3
    (100% Verlust)

  • Thanks for the info.

    Where are you executing the ping command?

  • Hi  

    Please log in to the SSH access of the device, select option 4 (Device console), and execute the command

    tcpdump 'host <IP address of the SSL VPN client>'

    Initiate the traffic and share the output

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Both sides. I wanted to show you that the ping works from the client side to the XG LAN side, but not from the XG LAN side to the client side.

  • Here is the tcpdump result:

    console> console> tcpdump 'host 192.168.75.223'
    % Error: Unknown Parameter 'console>'
    console> tcpdump: Starting Packet Dump
    % Error: Unknown Parameter 'tcpdump:'
    request, id 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:23.222963'
    equest, i d 1, seq 211, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:23.223015'
    request, id 1, seq 211, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:23.223304'
    request, id 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:28.079108'
    equest, i d 1, seq 212, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:28.079120'
    request, id 1, seq 212, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:28.079410'
    request, id 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:33.079425'
    equest, i d 1, seq 213, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:33.079441'
    request, id 1, seq 213, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:33.079738'
    request, id 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:38.079755'
    equest, i d 1, seq 214, length 40.38 > 192.168.75.223: ICMP echo r
    % Error: Unknown Parameter '08:37:38.079765'
    request, id 1, seq 214, length 40102 > 192.168.75.223: ICMP echo
    % Error: Unknown Parameter '08:37:38.080040'

  • Hi  

    When you log in to the console, you will get the prompt console>; you do not have to type it.

    Please refer to the article: https://community.sophos.com/kb/en-us/123567

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Sorry for that.

    console> tcpdump 'host 192.168.75.223'
    tcpdump: Starting Packet Dump
    08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
    08:53:30.134462 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
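As an added diagnostic example (not from the thread and not Sophos code): a small Python checker that reads tcpdump lines in the format the XG console prints above and flags packets bound for the VPN client or its LAN that leave on a non-tunnel interface, which is what the Port2 line with the rewritten source shows. The tunnel interface name tun0 and the 10.81.234.0/24 client pool are assumptions; the first four sample lines are the ones posted, the tun0 line is constructed to show a correctly routed packet.

```python
import ipaddress
import re

LOCAL_LAN = ipaddress.ip_network("192.168.11.0/24")    # XG-side LAN (from the thread)
CLIENT_LAN = ipaddress.ip_network("192.168.75.0/24")   # LAN behind the SSL VPN client (from the thread)
CLIENT_POOL = ipaddress.ip_network("10.81.234.0/24")   # assumed pool containing 10.81.234.6
TUNNEL_IFACES = {"tun0"}                               # assumed SSL VPN tunnel interface name

# "<time> <iface>, <IN|OUT>: IP <src>[.port] > <dst>[.port]: ..." as the XG console prints it
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def parse_line(line):
    # Returns a dict for one packet line, None for banners or anything else
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src"], pkt["dst"] = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return pkt

def classify(pkt):
    if pkt["dir"] != "OUT":
        return "ingress"
    if pkt["dst"] not in CLIENT_LAN and pkt["dst"] not in CLIENT_POOL:
        return "not-vpn-bound"
    if pkt["iface"] in TUNNEL_IFACES:
        return "tunnelled"
    # Left on a non-tunnel interface: no route matched the VPN-side prefix, so the packet
    # followed the default route and the WAN masquerade rewrote its source address.
    return "leaked-to-wan"

def diagnose(dump):
    # Count tunnelled vs. leaked egress packets; detail each leak as (iface, src, dst, snat)
    result = {"tunnelled": 0, "leaked-to-wan": 0, "leaks": []}
    for pkt in filter(None, map(parse_line, dump.splitlines())):
        label = classify(pkt)
        if label in result:
            result[label] += 1
        if label == "leaked-to-wan":
            snat = pkt["src"] not in LOCAL_LAN   # source is no longer the LAN host
            result["leaks"].append((pkt["iface"], str(pkt["src"]), str(pkt["dst"]), snat))
    return result

# First four lines are the ones posted above; the tun0 line is constructed for contrast.
SAMPLE_DUMP = """\
tcpdump: Starting Packet Dump
08:53:25.266391 Port1, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266441 br0, IN: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:25.266559 Port2, OUT: IP 46.14.83.102 > 192.168.75.223: ICMP echo request, id 1, seq 215, length 40
08:53:30.134500 tun0, OUT: IP 192.168.11.38 > 192.168.75.223: ICMP echo request, id 1, seq 216, length 40
"""
```

A non-empty `leaks` list means the firewall has no route for that prefix pointing into the tunnel, which is why the reply below asks for the route precedence.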

  • Hi  

    Please share the output of the below command

    console> system route precedence show

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Default routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes
