SSL remote user VPN - home subnet conflicts with work subnet

Question

I am in the process of switching over a number of sites from cyberoam to sophos xg106 latest firmware. 
 On cyberoam, if the work network had the same subnet as the remote user's home network, I was able to setup an alias or forwarder or virtual host subnet so the remote home worker could still access resource on the work network. 
 For example if work subnet is 192.168.1.x and home subnet is 192.168.1.x then home user can't ping or use remote desktop to access their work pc. 
 if you try to reach 192.168.1.abc it will only search the home network. 
 What i've done in the past is setup an translation subnet like 192.168.81.x 
 If the user try's rdp to 192.168.81.x the firewall will translate it to 192.168.1.x 
 how can this be done with the sophos?

emmosophos · Accepted Answer

Hello there, 
 Thank you for contacting the Sophos Community. 
 It would be better for you to move away from the subnet 192.168.x.x on the business side, that range isn&rsquo;t recommended to use. 
 However in this case, you could configure in the SSL VPN a Fake IP such as 172.16.123.0/24 so this is passed down to the clients when they connect to the SSL VPN. 
 Then create a DNAT rule that looks like the following, this is to access only one Server in this case 172.16.15.100, in your case you would put the IP of your server. (e.g 192.168.1.100) 
 
 Then the user will just have to enter on their PC 172.16.123.100 to access the server using 192.168.123.100 
 Regards,

joefirewall · Answer

Hey!!! it worked!!! 
 so just to clarify work subnet 192.168.1.0, home subnet 192.168.1.0 (conflict), vpn subnet 10.10.81.0, translation subnet 192.168.81.0. 
 Here are my settings 
 hosts: 
 
 Then vpn policy: 
 
 (it might be important to change default gateway to on (otherwise you have to manually add a route on the home pc?)? cuz it wouldn't know where to send 192.168.81.x ?? 
 firewall rule:

Then most importantly the dnat rule:

if I ping 192.168.81.72 it goes over vpn, translates it to 192.168.1.72 and then responds back perfectly! 
 ALSO SUPER IMPORTANT!! THERE IS A BUG IN VERSION 18 THAT WHEN YOU CHANGE VPN POLICY IT WILL NOT REALLY TAKE AFFECT. YOU HAVE TO: " 
 Bug : https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0 
 Bug : https://support.sophos.com/support/s/article/KB-000041768?language=en_US 
 Changing vpn policy settings does not take effect. Workaround until fix, change timeout, save, reboot firewall." 
 Then of course, login to the user portal and get download the new vpn configuration file! 
 So I am 99% totally satisfied with this rule!! Thanks SOOO much. 
 just 2 more little questions: 
 1. I tried the dnat rule with translating a RANGE of ip's and it did not work. Did I do something wrong? Is there way to translate an entire range like 192.168.81.1-254 to 192.168.1.1-254? This would save a lot of manual entries for each host ip. 
 2. do you think i need to have "use as default gateway" in the vpn policy turned on? I did not see a route added for 192.168.81.x in the vpn connection log. I didn't yet test it with the gateway off, but I would think it might not work? Is there a way to cause a route to be pushed, if needed? or can I just manually add a phrase to the .ovpn configuration file to add the route? last resort is I could make a client .bat file to run a dos command prompt of route add. thoughts?

joefirewall · Answer

UPDATE, 
 on the final 2 questions here are the details: 
 1. Yes, you can use a range. it works. here is what I have:

(make sure you follow all my other screenshots and instructions above in the prior post. Also make sure your ping/test target machine doesn't have any firewall on.. many will block traffic from strange IP's.) 
 2. As to the gateway question. It seems like it will work either way with or without vpn gateway taking all traffic as default. I turned off default gateway setting in vpn policy, change timeout slightly, rebooted the firewall, redownloaded the client config, reconnected, and checked the connection logs and found this line proving that it does push the route: 
 "Sat Jun 05 18:45:48 2021 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.81.5,sndbuf 0,rcvbuf 0,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.0 255.255.255.0,route 192.168.81.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 3480 29696,dhcp-option DNS 75.75.75.75,ifconfig 10.10.81.6 255.255.255.0'" 
 
 I am going to give Emmanuel (EmmoSophos) FULL credit. I called sophos tech support 3 times and was told it is not possible. Emmanuel (EmmoSophos) deserves a raise! He gave the correct answer. I just validated it works with a range of IP's. This should be turned into a knowledge base document! It is not always a possible to re-subnet a network for a client. They don't budget for that when you get a new firewall. And re-subneting a remote users home or hotel network is not always possible. This is a critical piece of information for some of us.

joefirewall · Answer

I think Emmanual is saying you would ping 172.16.15.xzy and the dnat rule would transfer/translate it to 192.168.20.xyz on the work network. in theory..

SSL remote user VPN - home subnet conflicts with work subnet

Top Replies