
VPN: no access to internal network

Hi,

I have a problem here that drives me crazy: I want to set up VPN so users can dial in and use our servers behind the XG115. I've set up things according to https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/de-de/webhelp/onlinehelp/nsg/sfos/learningContents/CreatingRemoteAccessSSLVPN.html. Users can dial in and I can see their connection on the firewall console. They can still access the internet, but they cannot access the servers in the local network, nor can they ping them. When I toggle the "Use as standard gateway" button in VPN/SSL-VPN, they cannot access the web any more. So the VPN is basically working... anyone any idea please?



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Did you create VPN to LAN firewall rule to provide access to internal resources?

    If you turn on 'Use as Default Gateway' in the SSL VPN profile then one additional VPN to WAN firewall rule will be required to provide web access to the end machines.

  • Yes I did:

    As for the external traffic, I basically do not want to use the "default gateway"-feature... I was just testing whether the VPN tunnel was working at all...

  • FormerMember in reply to Phil_Br

    Try to add a linked NAT rule in VPN to LAN firewall rule with SNAT as default MASQ and check whether internal resources/servers are accessible or not.

    Also, please check the route table on the end machine and confirm that the local network route is listed or not.

    Run 'route print' in the command prompt.

    C:\Windows\system32>route print

  • I already set up the NAT rule:

    Route print shows: (192.168.178.1 is the XG115, 10.81.234.5 is the VPN Gate, 10.81.234.6 is the VPN client, 37.24.106.92 is the external IP)

    C:\Windows\System32>route print
    ===========================================================================
    Interface List
      4...00 ff 0a 9b d5 f4 ......Sophos SSL VPN Adapter
     21...5e 5e cf c8 91 e7 ......VPN Client Adapter - VPN
     25...c8 5b 76 87 fc 75 ......Intel(R) Ethernet Connection I219-V
     35...00 15 5d 49 47 7e ......Hyper-V Virtual Ethernet Adapter
      5...f0 d5 bf 1c 6a ed ......Microsoft Wi-Fi Direct Virtual Adapter
     24...f2 d5 bf 1c 6a ec ......Microsoft Wi-Fi Direct Virtual Adapter #2
     14...f0 d5 bf 1c 6a ec ......Intel(R) Dual Band Wireless-AC 8260
     17...f0 d5 bf 1c 6a f0 ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.178.1  192.168.178.202     35
          10.81.234.0    255.255.255.0          On-link       10.81.234.6    257
          10.81.234.6  255.255.255.255          On-link       10.81.234.6    257
        10.81.234.255  255.255.255.255          On-link       10.81.234.6    257
         37.24.106.92  255.255.255.255    192.168.178.1  192.168.178.202    291
          52.5.76.173  255.255.255.255      10.81.234.5      10.81.234.6    257
            127.0.0.0        255.0.0.0          On-link         127.0.0.1    331
            127.0.0.1  255.255.255.255          On-link         127.0.0.1    331
      127.255.255.255  255.255.255.255          On-link         127.0.0.1    331
          172.29.32.0    255.255.240.0          On-link       172.29.32.1    271
          172.29.32.1  255.255.255.255          On-link       172.29.32.1    271
        172.29.47.255  255.255.255.255          On-link       172.29.32.1    271
        192.168.178.0    255.255.255.0          On-link   192.168.178.202    291
        192.168.178.0  255.255.255.255      10.81.234.5      10.81.234.6    257
      192.168.178.202  255.255.255.255          On-link   192.168.178.202    291
      192.168.178.255  255.255.255.255          On-link   192.168.178.202    291
            224.0.0.0        240.0.0.0          On-link         127.0.0.1    331
            224.0.0.0        240.0.0.0          On-link   192.168.178.202    291
            224.0.0.0        240.0.0.0          On-link       10.81.234.6    257
            224.0.0.0        240.0.0.0          On-link       172.29.32.1    271
      255.255.255.255  255.255.255.255          On-link         127.0.0.1    331
      255.255.255.255  255.255.255.255          On-link   192.168.178.202    291
      255.255.255.255  255.255.255.255          On-link       10.81.234.6    257
      255.255.255.255  255.255.255.255          On-link       172.29.32.1    271
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    331 ::1/128                  On-link
     14    291 fe80::/64                On-link
      4    291 fe80::/64                On-link
     35    271 fe80::/64                On-link
     14    291 fe80::3ca6:c96:df56:a10b/128
                                        On-link
      4    291 fe80::58a7:5292:2fdd:219f/128
                                        On-link
     35    271 fe80::e5ef:1828:9032:1070/128
                                        On-link
      1    331 ff00::/8                 On-link
     14    291 ff00::/8                 On-link
      4    291 ff00::/8                 On-link
     35    271 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    Looks good to me...

  • FormerMember in reply to Phil_Br
      192.168.178.0  255.255.255.255      10.81.234.5      10.81.234.6    257

    Please check the IP host added under 'Permitted network resources (IPv4)' of the SSL VPN policy.

    It seems configured with /32 subnet.
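
    The reply above boils down to reading the client's route table correctly: the only route the gateway pushed for the LAN is a /32 for 192.168.178.0, so a server such as 192.168.178.10 never matches it. The following script is an added example for this thread (not Sophos code and not something the poster ran). It parses the IPv4 section of Windows `route print` (English output, and the German "Auf Verbindung" spelling of On-link), picks the winning route for a destination the way Windows does (longest prefix, then lowest metric), and checks whether the routes pushed by the VPN gateway cover the whole permitted network. The sample rows are taken from the table posted above; the server address 192.168.178.10, and the corrected /24 row showing what the push looks like once the permitted resource is a network object, are constructed for illustration.

```python
"""Check whether a Windows client's route table actually sends traffic for a
permitted SSL VPN network through the tunnel.

Added example for this thread, not Sophos code.  Parses the IPv4 section of
`route print`, finds the winning route for a destination, and reports whether
the routes pushed by the VPN gateway cover the whole permitted network.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Rows taken from the route table posted in the thread, trimmed to the
# relevant IPv4 entries (10.81.234.5 is the VPN gateway, 10.81.234.6 the client).
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.178.1  192.168.178.202     35
      10.81.234.0    255.255.255.0          On-link       10.81.234.6    257
      10.81.234.6  255.255.255.255          On-link       10.81.234.6    257
    10.81.234.255  255.255.255.255          On-link       10.81.234.6    257
     37.24.106.92  255.255.255.255    192.168.178.1  192.168.178.202    291
      52.5.76.173  255.255.255.255      10.81.234.5      10.81.234.6    257
        127.0.0.0        255.0.0.0          On-link         127.0.0.1    331
    192.168.178.0    255.255.255.0          On-link   192.168.178.202    291
    192.168.178.0  255.255.255.255      10.81.234.5      10.81.234.6    257
  192.168.178.202  255.255.255.255          On-link   192.168.178.202    291
===========================================================================
"""

# Constructed row (assumption, not from the thread): the same push once the
# permitted resource is the 192.168.178.0/24 network instead of a /32 host.
CORRECTED_ROW = "    192.168.178.0    255.255.255.0      10.81.234.5      10.81.234.6    257\n"

VPN_GATEWAY = "10.81.234.5"
PERMITTED = "192.168.178.0/24"

ON_LINK = ("On-link", "Auf Verbindung")  # English / German `route print`
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|Auf Verbindung|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # "On-link" or the next-hop address
    interface: ipaddress.IPv4Address
    metric: int


def parse_routes(text: str) -> list[Route]:
    """Turn the 'Active Routes' rows into Route objects; every other line is ignored."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = "On-link" if gw in ON_LINK else gw
        routes.append(Route(net, gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def best_route(routes: list[Route], dst: str) -> Route:
    """Longest prefix wins; on a tie the lowest metric wins (Windows forwarding rule)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def coverage_report(routes: list[Route], permitted: str, vpn_gateway: str):
    """Routes the VPN gateway pushed inside `permitted`, and whether they cover all of it."""
    net = ipaddress.IPv4Network(permitted)
    pushed = [r.network for r in routes
              if r.gateway == vpn_gateway and r.network.subnet_of(net)]
    covered = list(ipaddress.collapse_addresses(pushed)) == [net]
    return [str(n) for n in pushed], covered


def local_overlaps(routes: list[Route], permitted: str) -> list[str]:
    """On-link (non-tunnel) routes at least as wide as the permitted network that overlap it."""
    net = ipaddress.IPv4Network(permitted)
    return [str(r.network) for r in routes
            if r.gateway == "On-link" and r.network.prefixlen <= net.prefixlen
            and r.network.overlaps(net)]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for server in ("192.168.178.0", "192.168.178.10"):  # second address assumed
        r = best_route(routes, server)
        print(f"{server:16} -> {r.network} via {r.gateway} on {r.interface}")
    print("pushed:", *coverage_report(routes, PERMITTED, VPN_GATEWAY))
    print("local overlaps:", local_overlaps(routes, PERMITTED))
    print("after fix:", *coverage_report(parse_routes(ROUTE_PRINT + CORRECTED_ROW),
                                         PERMITTED, VPN_GATEWAY))
```

    Run against the posted table, `best_route` sends 192.168.178.10 to the on-link 192.168.178.0/24 on the Ethernet adapter, not the tunnel, and `coverage_report` returns only `192.168.178.0/32` with `covered == False`; with the constructed /24 row added, coverage becomes `True`. The `local_overlaps` check simply reports the on-link 192.168.178.0/24 that is visible in the same table; whether that overlap matters depends on where the client sits, which the thread does not say.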

  • It is - under Hosts and services / IP host it says:

    But that should be correct, as I can only enter a single IP address there? Confusion is complete now.

  • FormerMember in reply to Phil_Br

    In 'Permitted network resources (IPv4)' you need to add a local IP/Network which you're willing to access over the SSL VPN tunnel.

    You can configure the IP host with any of the types (IP, Network, IP range and IP list).

    Please refer to the link below for more information on remote access SSL VPN.

    docs.sophos.com/.../VPNCreateRemoteAccessSSLVPN.html

    [edited by: Yash Kothari at 1:46 AM (GMT -7) on 22 Apr 2021]
  • Actually, I did:

    Local subnet is 192.168.178.0, so that should do.

  • But still not working...

  • And the link you provided is not valid anymore, sorry...