VPN: no access to internal network

Hi,

I have a problem here that drives me crazy: I want to set up VPN so users can dial in and use our servers behind the XG115. I've set up things according to https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/de-de/webhelp/onlinehelp/nsg/sfos/learningContents/CreatingRemoteAccessSSLVPN.html. Users can dial in and I can see their connection on the firewall console. They can still access the internet, but they cannot access the servers in the local network, nor can they PING them. When I toggle the "Use as standard gateway" button in VPN/SSL-VPN, they cannot access the web any more. So the VPN is working basically... Anyone any idea, please?



[edited by: emmosophos at 10:00 PM (GMT -7) on 21 Apr 2021]

Top Replies

  • Hi,

    Thank you for reaching out to Sophos Community.

    Did you create VPN to LAN firewall rule to provide access to internal resources?

    If you turn on 'Use as Default Gateway' in the SSL VPN profile…

  • Try to add a linked NAT rule in VPN to LAN firewall rule with SNAT as default MASQ and check whether internal resources/servers are accessible or not.

    Also, please check the route table on the end machine and confirm that the local network route is listed or not.

    Run 'route print' in the command prompt.

    C:\Windows\system32>route print

    Thanks,
    Yash Kothari
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • I already set up the NAT rule:

    Route print shows: (192.168.178.1 is the XG115, 10.81.234.5 is the VPN Gate, 10.81.234.6 is the VPN client, 37.24.106.92 is the external IP)

    C:\Windows\System32>route print
    ===========================================================================
    Schnittstellenliste
      4...00 ff 0a 9b d5 f4 ......Sophos SSL VPN Adapter
     21...5e 5e cf c8 91 e7 ......VPN Client Adapter - VPN
     25...c8 5b 76 87 fc 75 ......Intel(R) Ethernet Connection I219-V
     35...00 15 5d 49 47 7e ......Hyper-V Virtual Ethernet Adapter
      5...f0 d5 bf 1c 6a ed ......Microsoft Wi-Fi Direct Virtual Adapter
     24...f2 d5 bf 1c 6a ec ......Microsoft Wi-Fi Direct Virtual Adapter #2
     14...f0 d5 bf 1c 6a ec ......Intel(R) Dual Band Wireless-AC 8260
     17...f0 d5 bf 1c 6a f0 ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4-Routentabelle
    ===========================================================================
    Aktive Routen:
         Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
              0.0.0.0          0.0.0.0    192.168.178.1  192.168.178.202     35
          10.81.234.0    255.255.255.0   Auf Verbindung       10.81.234.6    257
          10.81.234.6  255.255.255.255   Auf Verbindung       10.81.234.6    257
        10.81.234.255  255.255.255.255   Auf Verbindung       10.81.234.6    257
         37.24.106.92  255.255.255.255    192.168.178.1  192.168.178.202    291
          52.5.76.173  255.255.255.255      10.81.234.5      10.81.234.6    257
            127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
            127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
      127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
          172.29.32.0    255.255.240.0   Auf Verbindung       172.29.32.1    271
          172.29.32.1  255.255.255.255   Auf Verbindung       172.29.32.1    271
        172.29.47.255  255.255.255.255   Auf Verbindung       172.29.32.1    271
        192.168.178.0    255.255.255.0   Auf Verbindung   192.168.178.202    291
        192.168.178.0  255.255.255.255      10.81.234.5      10.81.234.6    257
      192.168.178.202  255.255.255.255   Auf Verbindung   192.168.178.202    291
      192.168.178.255  255.255.255.255   Auf Verbindung   192.168.178.202    291
            224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
            224.0.0.0        240.0.0.0   Auf Verbindung   192.168.178.202    291
            224.0.0.0        240.0.0.0   Auf Verbindung       10.81.234.6    257
            224.0.0.0        240.0.0.0   Auf Verbindung       172.29.32.1    271
      255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
      255.255.255.255  255.255.255.255   Auf Verbindung   192.168.178.202    291
      255.255.255.255  255.255.255.255   Auf Verbindung       10.81.234.6    257
      255.255.255.255  255.255.255.255   Auf Verbindung       172.29.32.1    271
    ===========================================================================
    Ständige Routen:
      Keine

    IPv6-Routentabelle
    ===========================================================================
    Aktive Routen:
     If Metrik Netzwerkziel             Gateway
      1    331 ::1/128                  Auf Verbindung
     14    291 fe80::/64                Auf Verbindung
      4    291 fe80::/64                Auf Verbindung
     35    271 fe80::/64                Auf Verbindung
     14    291 fe80::3ca6:c96:df56:a10b/128
                                        Auf Verbindung
      4    291 fe80::58a7:5292:2fdd:219f/128
                                        Auf Verbindung
     35    271 fe80::e5ef:1828:9032:1070/128
                                        Auf Verbindung
      1    331 ff00::/8                 Auf Verbindung
     14    291 ff00::/8                 Auf Verbindung
      4    291 ff00::/8                 Auf Verbindung
     35    271 ff00::/8                 Auf Verbindung
    ===========================================================================
    Ständige Routen:
      Keine

    Looks good to me...

  •   192.168.178.0  255.255.255.255      10.81.234.5      10.81.234.6    257

    Please check the IP host added under 'Permitted network resources (IPv4)' of the SSL VPN policy.

    It seems configured with /32 subnet.

    Thanks,
    Yash Kothari
    Community Support Engineer | Sophos Technical Support
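As an added illustration (not part of this thread or of any Sophos tool), the following Python script parses a Windows `route print` IPv4 table like the one posted above and reports, for each LAN prefix the tunnel is supposed to reach, whether the route via the VPN gateway covers it or only a narrower prefix such as the /32 quoted above. The sample table is a constructed excerpt modelled on the posted output, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of a German-locale Windows "route print" IPv4 table,
# modelled on the output posted above ("Auf Verbindung" means "On-link").
ROUTE_PRINT = """\
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0    192.168.178.1  192.168.178.202     35
      10.81.234.0    255.255.255.0   Auf Verbindung       10.81.234.6    257
    192.168.178.0    255.255.255.0   Auf Verbindung   192.168.178.202    291
    192.168.178.0  255.255.255.255      10.81.234.5      10.81.234.6    257
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_RE = re.compile(
    rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4}|Auf Verbindung|On-link)\s+({IPV4})\s+(\d+)\s*$"
)

def parse_routes(text):
    """Parse the active-routes table into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and column titles
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def vpn_route_status(routes, vpn_gateway, expected_lans):
    """For each LAN prefix the VPN should reach, report whether a route via
    vpn_gateway covers it: 'covered', 'partial: <prefixes>' (for example a /32
    pushed because the permitted resource was created as a single IP host),
    or 'missing'."""
    via_vpn = [net for net, gw, _, _ in routes if gw == vpn_gateway]
    status = {}
    for lan in expected_lans:
        want = ipaddress.IPv4Network(lan)
        if any(want.subnet_of(net) for net in via_vpn):
            status[lan] = "covered"
            continue
        narrower = sorted(str(n) for n in via_vpn if n.subnet_of(want))
        status[lan] = f"partial: {', '.join(narrower)}" if narrower else "missing"
    return status

if __name__ == "__main__":
    # Traffic to any LAN host other than 192.168.178.0 itself falls through to
    # the 0.0.0.0/0 default route, which is exactly the symptom in this thread.
    print(vpn_route_status(parse_routes(ROUTE_PRINT), "10.81.234.5", ["192.168.178.0/24"]))
```

Run it against the full output of `route print` on the client (the parser ignores the IPv6 section and the interface list) to see whether the pushed routes match what is configured under permitted network resources.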
  • It is - under Hosts and services / IP host it says:

    But that should be correct, as I can only enter a single IP address there? Confusion is complete now.

  • In 'Permitted network resources (IPv4)' you need to add a local IP/Network which you're willing to access over the SSL VPN tunnel.

    You can configure the IP host with any type (IP, Network, IP range or IP list).

    Please refer to the link below for more information on remote access SSL VPN.

    docs.sophos.com/.../VPNCreateRemoteAccessSSLVPN.html

    Thanks,
    Yash Kothari
    Community Support Engineer | Sophos Technical Support

    [edited by: Yash Kothari at 1:46 AM (GMT -7) on 22 Apr 2021]
  • Actually, I did:

    Local subnet is 192.168.178.0, so that should do.

  • And the link you provided is not valid anymore, sorry...

  • Hello Phil,

    Following on from what my co-worker mentioned.

    He is referring to your firewall rule, where you configured the Remote SSL VPN range.

    But your Remote SSL VPN range has only one entry.

    You should change this to be 10.81.234.5/24 or use IP range instead.

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.