sophos A (10.128.1.1) -> VPN -> sophos B (10.1.122.1 / 255.255.0.0) - LAN - host B 10.1.3.153 (255.255.0.0 / gateway 10.1.1.3) - gateway (10.1.1.3)
- sophos A can ping host B but cannot ssh host B
- sophos B can ping / ssh host B
- host B can ping / ssh sophos A
How can I make sophos A ssh to host B?
Hi peterson: Thanks for reaching out to the Sophos community team! Thanks for sharing the detailed information with the snapshot.
Here, based on the TCPDUMP output on Sophos B, the packet is going out to Port4 with the original source IP (Sophos A LAN IP) as NAT ID 0, and it seems the reply from the server is not coming back.
Please check on host B whether this host/network (10.128.1.1) is allowed for the SSH service, or whether a reply is being generated by host B for the XG A IP SSH request.
OR
(Sophos B end) Please add a NAT rule for VPN to LAN traffic for 1-2 hosts (XG IP 101.281.1.1, 1 machine host A 10.128.1.X) from VPN to LAN for the SSH service, for testing purposes, to do SNAT with MASQ, and confirm the SSH status. (This NAT rule will do source NAT via the Port4 out interface IP for the VPN IP SSH traffic request to host B.) You may also check the GUI/CLI packet capture during this request with the NAT rule on the Sophos B end.
Regards,
Vishal Ranpariya
Technical Account Manager | Global Customer Experience
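The following is an added example, not code from the thread or from Sophos. It models which next hop host B picks for its reply, using the addresses in the topology line, with and without the suggested MASQ source NAT. It assumes Port4 on Sophos B is the LAN interface holding 10.1.122.1; the function names are hypothetical.

```python
import ipaddress

# Addresses taken from the topology line in the question.
HOST_B = ipaddress.ip_interface("10.1.3.153/255.255.0.0")
HOST_B_GATEWAY = ipaddress.ip_address("10.1.1.3")
SOPHOS_A = ipaddress.ip_address("10.128.1.1")
# Assumption: Port4 on Sophos B is the LAN interface with this address.
SOPHOS_B_PORT4 = ipaddress.ip_address("10.1.122.1")


def reply_next_hop(peer):
    """Next hop host B uses to answer `peer`: connected route first, else default gateway."""
    if peer in HOST_B.network:
        return peer            # on-link, delivered directly on the LAN
    return HOST_B_GATEWAY      # off-link, handed to the configured gateway


def source_seen_by_host_b(original_src, masq):
    """Source IP of the SSH request when it reaches host B."""
    # MASQ rewrites the source to the outgoing interface IP (Port4).
    return SOPHOS_B_PORT4 if masq else original_src


def trace(masq):
    """Describe the return path for an SSH request from Sophos A."""
    src = source_seen_by_host_b(SOPHOS_A, masq)
    hop = reply_next_hop(src)
    return {
        "masq": masq,
        "src_at_host_b": str(src),
        "reply_next_hop": str(hop),
        # The VPN tunnel and the connection state live on Sophos B,
        # so the reply has to be delivered to it.
        "returns_via_sophos_b": hop == SOPHOS_B_PORT4,
    }


if __name__ == "__main__":
    for masq in (False, True):
        print(trace(masq))
```

Without the NAT rule the reply to 10.128.1.1 is handed to host B's default gateway 10.1.1.3; with MASQ the request appears to come from an on-link address and the reply goes straight back to Sophos B.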