
SSL remote user VPN - home subnet conflicts with work subnet

I am in the process of switching over a number of sites from Cyberoam to Sophos XG106 on the latest firmware.

On Cyberoam, if the work network had the same subnet as the remote user's home network, I was able to set up an alias, forwarder or virtual host subnet so the remote home worker could still access resources on the work network.

For example, if the work subnet is 192.168.1.x and the home subnet is 192.168.1.x, then the home user can't ping or use Remote Desktop to access their work PC.

If you try to reach 192.168.1.abc, it will only search the home network.

What I've done in the past is set up a translation subnet like 192.168.81.x.

If the user tries RDP to 192.168.81.x, the firewall will translate it to 192.168.1.x.

How can this be done with the Sophos?

  • Hello there,

    Thank you for contacting the Sophos Community.

    It would be better for you to move away from the 192.168.x.x subnet on the business side; that range isn't recommended for use.

    However, in this case you could configure a Fake IP in the SSL VPN, such as 172.16.123.0/24, so this is passed down to the clients when they connect to the SSL VPN.

    Then create a DNAT rule that looks like the following. This one is to access only one server, in this case 172.16.15.100; in your case you would put the IP of your server (e.g. 192.168.1.100).

    Then the user will just have to enter 172.16.123.100 on their PC to access the server using 192.168.123.100.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks so much for getting back to me on the original question! I have 3 questions. 1) You said "configure in the SSL VPN a Fake IP". Do you mean define an IP host, then add it to the VPN policy resources that access is granted to? 2) In your example the 172.16.123.x address is in a totally unique subnet not used by the work, VPN or home networks, right? 3) Could this be used for translating a range of IPs instead of just 1 IP? Your example showed a DNAT rule for 1 IP. Could it be for a range of IPs and work?

    Lastly, I tried something like this with a range instead of a single IP, and I could see the DNAT rule "hit" count was going up, so I know it was kind of working, but ping or RDP wouldn't work. I suspect it was getting part way through but something was still blocking it.
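The translation subnet idea from the original post and the follow-up question about translating a whole range come down to a 1:1 network-to-network mapping (often called netmap): the client addresses a host in the fake subnet and the firewall rewrites only the network bits, keeping the host bits. The script below is an added example, not Sophos code and not a firewall configuration; it checks that a chosen fake subnet overlaps none of the subnets already in play and performs the address mapping so the resulting DNAT rule can be reasoned about before it is built. The VPN client pool 10.81.234.0/24 is a constructed placeholder.

```python
"""1:1 network translation (netmap) for an SSL VPN translation subnet.

Constructed scenario from the thread: office LAN and home LAN are both
192.168.1.0/24, so the client must target a fake subnet (172.16.123.0/24)
that the firewall maps onto the real office subnet, host bits preserved.
"""
import ipaddress
from typing import Iterable


def overlapping(fake_net: str, in_use: Iterable[str]) -> list[str]:
    """Return every in-use prefix that overlaps the chosen fake subnet."""
    fake = ipaddress.ip_network(fake_net, strict=False)
    return [n for n in in_use
            if fake.overlaps(ipaddress.ip_network(n, strict=False))]


def netmap(addr: str, src_net: str, dst_net: str) -> str:
    """Translate addr from src_net into dst_net, keeping the host bits.

    Equal prefix lengths keep the mapping exactly 1:1 in both directions;
    an address outside src_net is a configuration error, not a pass-through.
    """
    src = ipaddress.ip_network(src_net, strict=False)
    dst = ipaddress.ip_network(dst_net, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(ip) - int(src.network_address)
    return str(dst.network_address + host_bits)


def plan(fake_net: str, office_net: str, home_nets: Iterable[str],
         vpn_pool: str) -> dict:
    """Validate the fake subnet, then return the rule a range DNAT expresses."""
    conflicts = overlapping(fake_net, [office_net, vpn_pool, *home_nets])
    if conflicts:
        raise ValueError(f"fake subnet {fake_net} overlaps {conflicts}")
    return {"match_dst": fake_net, "translate_to": office_net}


if __name__ == "__main__":
    # 10.81.234.0/24 is a constructed placeholder for the VPN client pool.
    rule = plan("172.16.123.0/24", "192.168.1.0/24",
                ["192.168.1.0/24"], "10.81.234.0/24")
    print(rule)
    # Client-side address -> real server; reverse mapping for the reply path.
    print(netmap("172.16.123.100", rule["match_dst"], rule["translate_to"]))
    print(netmap("192.168.1.100", rule["translate_to"], rule["match_dst"]))
```

Running `plan` with a fake subnet of 192.168.1.0/24 raises immediately, which is the conflict the thread describes: traffic to an address that also exists on the home LAN never enters the tunnel.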
