Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL remote user VPN - home subnet conflicts with work subnet

I am in the process of switching over a number of sites from cyberoam to sophos xg106 latest firmware.

On cyberoam, if the work network had the same subnet as the remote user's home network, I was able to setup an alias or forwarder or virtual host subnet so the remote home worker could still access resource on the work network.

For example if work subnet is 192.168.1.x and home subnet is 192.168.1.x  then home user can't ping or use remote desktop to access their work pc.

if you try to reach 192.168.1.abc it will only search the home network.

What i've done in the past is setup an translation subnet like 192.168.81.x 

If the user try's rdp to 192.168.81.x the firewall will translate it to 192.168.1.x

how can this be done with the sophos?



This thread was automatically locked due to age.
Parents
  • Hello there,

    Thank you for contacting the Sophos Community.

    It would be better for you to move away from the subnet 192.168.x.x on the business side, that range isn’t recommended to use.

    However in this case, you could configure in the SSL VPN a Fake IP such as 172.16.123.0/24 so this is passed down to the clients when they connect to the SSL VPN.

    Then create a DNAT rule that looks like the following, this is to access only one Server in this case 172.16.15.100, in your case you would put the IP of your server. (e.g 192.168.1.100)

    Then the user will just have to enter on their PC 172.16.123.100 to access the server using 192.168.123.100

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello there,

    Thank you for contacting the Sophos Community.

    It would be better for you to move away from the subnet 192.168.x.x on the business side, that range isn’t recommended to use.

    However in this case, you could configure in the SSL VPN a Fake IP such as 172.16.123.0/24 so this is passed down to the clients when they connect to the SSL VPN.

    Then create a DNAT rule that looks like the following, this is to access only one Server in this case 172.16.15.100, in your case you would put the IP of your server. (e.g 192.168.1.100)

    Then the user will just have to enter on their PC 172.16.123.100 to access the server using 192.168.123.100

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children
  • The home network PC already creates a route to its local firewall (home router) in the 192.168.0.x range to connect to the internet. Then the SSL adapter created another route from 172.16.x.x to the XG gateway. Since a route already exists to 192.168.0.x it will not ping or connect to the pc in the office network. I have tried to do this and wasn't able to. So i have advised the home users to change their range to 192.168.20.x or in the 10.xx range. Its kind of frustrating but would welcome any suggestions that would be an easy fix on the XG side. 

  • I think Emmanual is saying you would ping 172.16.15.xzy and the dnat rule would transfer/translate it to 192.168.20.xyz on the work network. in theory..

  • Thanks so much for getting back to me on the original question!   I have 3 questions.  1) you said "configure in the SSL VPN a Fake IP".. do you mean define an IP host then add it to the vpn policy resources access is granted to?  2) in your example the172.16.123.x address is in a totally unique subnet not used by work, vpn, or home networks, right?  3)Could this be used for translating a range of IP's instead of just 1 ip?  Your example showed a dnat rule for 1 ip.  Could it be for a range of ip's and work?

    lastly, I tried something like this with a range instead of an single IP, and I could see the dnat rule "hit" count was going up, so I know it was kinda working, but ping or rpd wouldn't work.  I suspect it was getting part way thru but something was still blocking it. 

  • Hey!!! it worked!!!  

    so just to clarify  work subnet 192.168.1.0, home subnet 192.168.1.0 (conflict), vpn subnet 10.10.81.0, translation subnet 192.168.81.0.

    Here are my settings

    hosts:

    Then vpn policy:

    (it might be important to change default gateway to on (otherwise you have to manually add a route on the home pc?)? cuz it wouldn't know where to send 192.168.81.x ??

    firewall rule:

    Then most importantly the dnat rule:

    if I ping 192.168.81.72 it goes over vpn, translates it to 192.168.1.72 and then responds back perfectly! 

    ALSO SUPER IMPORTANT!! THERE IS A BUG IN VERSION 18 THAT WHEN YOU CHANGE VPN POLICY IT WILL NOT REALLY TAKE AFFECT.  YOU HAVE TO: "

                       Bug : https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0

                       Bug : https://support.sophos.com/support/s/article/KB-000041768?language=en_US

                       Changing vpn policy settings does not take effect.  Workaround until fix, change timeout, save, reboot firewall."

                        Then of course, login to the user portal and get download the new vpn configuration file!

    So I am 99% totally satisfied with this rule!!  Thanks SOOO much.

         just 2 more little questions:

            1.  I tried the dnat rule with translating a RANGE of ip's and it did not work. Did I do something wrong? Is there way to translate an entire range like 192.168.81.1-254   to 192.168.1.1-254?   This would save a lot of manual entries for each host ip.

            2. do you think i need to have "use as default gateway" in the vpn policy turned on?  I did not see a route added for 192.168.81.x in the vpn connection log.  I didn't yet test it with the gateway off, but I would think it might not work?  Is there a way to cause a route to be pushed, if needed? or can I just manually add a phrase to the .ovpn configuration file to add the route?  last resort is I could make a client .bat file to run a dos command prompt of route add.  thoughts?

  • UPDATE,

    on the final 2 questions here are the details:

    1. Yes, you can use a range. it works. here is what I have:

    (make sure you follow all my other screenshots and instructions above in the prior post.  Also make sure your ping/test target machine doesn't have any firewall on.. many will block traffic from strange IP's.)

    2. As to the gateway question.  It seems like it will work either way with or without vpn gateway taking all traffic as default.  I turned off default gateway setting in vpn policy, change timeout slightly, rebooted the firewall, redownloaded the client config, reconnected, and checked the connection logs and found this line proving that it does push the route:

    "Sat Jun 05 18:45:48 2021 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.81.5,sndbuf 0,rcvbuf 0,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.0 255.255.255.0,route 192.168.81.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 3480 29696,dhcp-option DNS 75.75.75.75,ifconfig 10.10.81.6 255.255.255.0'"

    I am going to give Emmanuel (EmmoSophos) FULL credit.  I called sophos tech support 3 times and was told it is not possible.  Emmanuel (EmmoSophos)deserves a raise!   He gave the correct answer.  I just validated it works with a range of IP's.   This should be turned into a knowledge base document!  It is not always a possible to re-subnet a network for a client.  They don't budget for that when you get a new firewall.  And re-subneting a remote users home or hotel network is not always possible.  This is a critical piece of information for some of us.

  • Hello Joe,

    Thank you for the feedback :)and for taking the time to update the community.

    I will take on your suggestion about the Recommended Read.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.