

SSL remote user VPN - home subnet conflicts with work subnet

I am in the process of switching over a number of sites from Cyberoam to Sophos XG106 (latest firmware).

On Cyberoam, if the work network had the same subnet as the remote user's home network, I was able to set up an alias or forwarder or virtual host subnet so the remote home worker could still access resources on the work network.

For example, if the work subnet is 192.168.1.x and the home subnet is 192.168.1.x, then the home user can't ping or use Remote Desktop to access their work PC.

If you try to reach 192.168.1.abc it will only search the home network.

What I've done in the past is set up a translation subnet like 192.168.81.x.

If the user tries RDP to 192.168.81.x, the firewall will translate it to 192.168.1.x.

How can this be done with the Sophos?



  • here is a picture of the problem scenario:

  • here is how I fixed it in the past with Cyberoam:

    Set up subnet forwarding if the LAN subnet is a very common IP, to avoid conflict with home IP subnets.

    1. If the business LAN subnet is very common like 192.168.1.x or 10.0.0.x, then frequently those accessing from a remote location may be on a subnet with the exact same numbering. If this happens, the remote computer will not know how to forward the traffic and will usually send it to the remote user's local subnet instead of the office LAN subnet.
    2. To work around this we set up a virtual host/forwarder to forward a unique range of IPs to the LAN IPs.

    For example: lan = 192.168.1.x, vpn = 10.10.81.x, fwd/alias = 192.168.81.x

    1. Firewall > Virtual Host > Add
    2. Name it something like: VPN.81to.1subnetFwd
    3. Type a description like: "this allows vpn users with same remote subnet as the office subnet to use 192.168.81.x as an alternate reference IP to reach 192.168.1.x"
    4. Click External IP (here "external" doesn't mean external, it means "to IP/unmapped")
       1. Click IP range, add IP range (you could also create this in Objects > Hosts instead)
       2. Type a name like: 192.168.81.1-254_range
       3. Select: IP range
       4. Enter a start IP like 192.168.81.1, and an end like 192.168.81.254
       5. Click OK
    5. Click Mapped IP (this is the forwarded-to IP range – the office LAN)
       1. Click IP range, add IP range (you could also create this in Objects > Hosts instead)
       2. Type a name like: 192.168.1.1-254_range
       3. Select: IP range
       4. Enter a start IP like 192.168.1.1, and an end like 192.168.1.254
       5. Click OK
    6. If the ranges match, .1.x forwards to .81.x, and .1.y forwards to .81.y, etc.
    7. Leave destination physical zone as LAN
    8. Leave "enable port forwarding" unchecked – !! This forwards ALL PORTS
    9. Click OK
    10. You will be prompted to create a firewall rule
       1. Click "add firewall rule for virtual host"
       2. !!very important!! – change Source Zone to VPN
       3. Notice all services are already selected as allowed
       4. Do not do a reflexive rule or choose any NAT (at this time)
       5. Click add rules
       6. You can verify they were created by going to Firewall > Rule
       7. You will see a VPN to LAN rule
       8. You will also see a loopback rule automatically created that allows the rule to be run from LAN to LAN
  • 1. Maybe some sort of 1-to-1 NAT with mapping? But how do I set this up on an XG106 (latest firmware) with SSL VPN remote users?

    https://support.sophos.com/support/s/article/KB-000034290?language=en_US

    2. Long ago I could even do so with older firewalls.

    3. Or even with an entire interface alias.

  • https://support.sophos.com/support/s/article/KB-000035848?language=en_US

    Maybe something like this, but not 2 sites and not IPsec.

    Can some NAT translation be done with simple firewall and NAT rules on the XG106?

    Maybe something like this? But what firewall rule / VPN local resource to allow would be needed?

  • I noticed something called "Add Alias" under network interfaces. Would that be the ticket?

  • Hello there,

    Thank you for contacting the Sophos Community.

    It would be better for you to move away from the subnet 192.168.x.x on the business side; that range isn't recommended to use.

    However, in this case, you could configure in the SSL VPN a Fake IP such as 172.16.123.0/24 so this is passed down to the clients when they connect to the SSL VPN.

    Then create a DNAT rule that looks like the following. This is to access only one server, in this case 172.16.15.100; in your case you would put the IP of your server (e.g. 192.168.1.100).

    Then the user will just have to enter on their PC 172.16.123.100 to access the server using 192.168.123.100.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • The home network PC already creates a route to its local firewall (home router) in the 192.168.0.x range to connect to the internet. Then the SSL adapter creates another route from 172.16.x.x to the XG gateway. Since a route already exists to 192.168.0.x, it will not ping or connect to the PC in the office network. I have tried to do this and wasn't able to. So I have advised the home users to change their range to 192.168.20.x or to the 10.x.x range. It's kind of frustrating, but I would welcome any suggestions that would be an easy fix on the XG side.

  • I think Emmanuel is saying you would ping 172.16.15.xyz and the DNAT rule would transfer/translate it to 192.168.20.xyz on the work network. In theory..

  • Thanks so much for getting back to me on the original question! I have 3 questions. 1) You said "configure in the SSL VPN a Fake IP".. do you mean define an IP host then add it to the VPN policy resources access is granted to? 2) In your example the 172.16.123.x address is in a totally unique subnet not used by work, VPN, or home networks, right? 3) Could this be used for translating a range of IPs instead of just 1 IP? Your example showed a DNAT rule for 1 IP. Could it be for a range of IPs and work?

    Lastly, I tried something like this with a range instead of a single IP, and I could see the DNAT rule "hit" count was going up, so I know it was kinda working, but ping or RDP wouldn't work. I suspect it was getting part way through but something was still blocking it.

  • Hey!!! It worked!!!

    So just to clarify: work subnet 192.168.1.0, home subnet 192.168.1.0 (conflict), VPN subnet 10.10.81.0, translation subnet 192.168.81.0.

    Here are my settings.

    Hosts:

    Then VPN policy:

    (It might be important to change default gateway to on (otherwise you have to manually add a route on the home PC?), because it wouldn't know where to send 192.168.81.x??)

    Firewall rule:

    Then most importantly the DNAT rule:

    If I ping 192.168.81.72 it goes over the VPN, translates it to 192.168.1.72 and then responds back perfectly!

    ALSO SUPER IMPORTANT!! THERE IS A BUG IN VERSION 18 THAT WHEN YOU CHANGE VPN POLICY IT WILL NOT REALLY TAKE EFFECT. YOU HAVE TO:

    Bug: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0

    Bug: https://support.sophos.com/support/s/article/KB-000041768?language=en_US

    "Changing vpn policy settings does not take effect. Workaround until fix, change timeout, save, reboot firewall."

    Then of course, log in to the user portal and download the new VPN configuration file!

    So I am 99% totally satisfied with this rule!! Thanks SOOO much.

    Just 2 more little questions:

    1. I tried the DNAT rule with translating a RANGE of IPs and it did not work. Did I do something wrong? Is there a way to translate an entire range like 192.168.81.1-254 to 192.168.1.1-254? This would save a lot of manual entries for each host IP.

    2. Do you think I need to have "use as default gateway" in the VPN policy turned on? I did not see a route added for 192.168.81.x in the VPN connection log. I didn't yet test it with the gateway off, but I would think it might not work? Is there a way to cause a route to be pushed, if needed? Or can I just manually add a line to the .ovpn configuration file to add the route? Last resort is I could make a client .bat file to run a DOS command prompt of route add. Thoughts?
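The range-to-range translation and the client route question in the last post, modelled as an added example (not code from the thread or from Sophos). It uses the thread's own subnets, checks that the chosen alias range collides with nothing the client already routes to, maps an alias address onto the LAN host with the same host bits the way a 1:1 range DNAT would, and emits the OpenVPN `route` directive a client config would need; the function names and the route-directive approach are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

# Subnets from the thread: office LAN and home LAN collide, the SSL VPN pool
# is separate, and the alias range is what the DNAT rule maps onto the LAN.
OFFICE_LAN = "192.168.1.0/24"
HOME_LAN = "192.168.1.0/24"
VPN_POOL = "10.10.81.0/24"
ALIAS_NET = "192.168.81.0/24"


def translate(addr, alias_net=ALIAS_NET, lan_net=OFFICE_LAN):
    """Map an alias address to the LAN host with the same host bits, which is
    what a range-to-range DNAT (.81.x -> .1.x) does. Raises if the address is
    outside the alias range or the two ranges differ in size."""
    ip, alias, lan = IPv4Address(addr), IPv4Network(alias_net), IPv4Network(lan_net)
    if ip not in alias:
        raise ValueError(f"{ip} is not inside alias range {alias}")
    if alias.prefixlen != lan.prefixlen:
        raise ValueError("alias and LAN ranges must be the same size for 1:1 NAT")
    offset = int(ip) - int(alias.network_address)
    return IPv4Address(int(lan.network_address) + offset)


def alias_is_safe(alias_net, *others):
    """The alias range only helps if it overlaps none of the networks the
    client already has routes for (home LAN, office LAN, VPN pool)."""
    alias = IPv4Network(alias_net)
    return not any(alias.overlaps(IPv4Network(n)) for n in others)


def client_route_line(alias_net=ALIAS_NET):
    """OpenVPN 'route' directive for the client .ovpn so the home PC sends the
    alias range into the tunnel rather than onto its own LAN (assumed fix,
    equivalent to the poster's manual 'route add')."""
    alias = IPv4Network(alias_net)
    return f"route {alias.network_address} {alias.netmask}"


def plan(home=HOME_LAN, lan=OFFICE_LAN, vpn=VPN_POOL, alias=ALIAS_NET):
    """Summarise whether translation is needed and whether the alias can work."""
    return {
        "conflict": IPv4Network(home).overlaps(IPv4Network(lan)),  # True: LAN unreachable by plain routing
        "alias_ok": alias_is_safe(alias, home, lan, vpn),
        "route": client_route_line(alias),
    }


if __name__ == "__main__":
    print(plan())
    print(translate("192.168.81.72"))  # 192.168.1.72, as in the poster's ping test
```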