
SSL remote user VPN - home subnet conflicts with work subnet

I am in the process of switching over a number of sites from Cyberoam to Sophos XG106 with the latest firmware.

On Cyberoam, if the work network had the same subnet as the remote user's home network, I was able to set up an alias or forwarder or virtual host subnet so the remote home worker could still access resources on the work network.

For example, if the work subnet is 192.168.1.x and the home subnet is 192.168.1.x, then the home user can't ping or use remote desktop to access their work PC.

If you try to reach 192.168.1.abc it will only search the home network.

What I've done in the past is set up a translation subnet like 192.168.81.x

If the user tries RDP to 192.168.81.x, the firewall will translate it to 192.168.1.x

How can this be done with the Sophos?



  • UPDATE,

    On the final 2 questions, here are the details:

    1. Yes, you can use a range. It works. Here is what I have:

    (Make sure you follow all my other screenshots and instructions above in the prior post. Also make sure your ping/test target machine doesn't have any firewall on; many will block traffic from strange IPs.)

    2. As to the gateway question: it seems like it will work either way, with or without the VPN gateway taking all traffic as default. I turned off the default gateway setting in the VPN policy, changed the timeout slightly, rebooted the firewall, redownloaded the client config, reconnected, and checked the connection logs and found this line proving that it does push the route:

    "Sat Jun 05 18:45:48 2021 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.81.5,sndbuf 0,rcvbuf 0,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.0 255.255.255.0,route 192.168.81.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 3480 29696,dhcp-option DNS 75.75.75.75,ifconfig 10.10.81.6 255.255.255.0'"

    I am going to give Emmanuel (EmmoSophos) FULL credit. I called Sophos tech support 3 times and was told it is not possible. Emmanuel (EmmoSophos) deserves a raise! He gave the correct answer. I just validated it works with a range of IPs. This should be turned into a knowledge base document! It is not always possible to re-subnet a network for a client. They don't budget for that when you get a new firewall. And re-subnetting a remote user's home or hotel network is not always possible. This is a critical piece of information for some of us.
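
The check described in the update above can be scripted. The following is an added example, not part of the original post or any Sophos tooling: it parses the quoted PUSH_REPLY line, reports which pushed routes collide with the client's own LAN, and computes the translation-subnet address to use for a work host. The function names, the host 192.168.1.50, and the assumption that the firewall maps hosts one-to-one by host offset are illustrative.

```python
import ipaddress

# Control message copied from the connection log quoted in the post above.
PUSH_REPLY = (
    "PUSH_REPLY,route-gateway 10.10.81.5,sndbuf 0,rcvbuf 0,sndbuf 0,rcvbuf 0,"
    "ping 45,ping-restart 180,route 192.168.1.0 255.255.255.0,"
    "route 192.168.81.0 255.255.255.0,topology subnet,"
    "route remote_host 255.255.255.255 net_gateway,inactive 3480 29696,"
    "dhcp-option DNS 75.75.75.75,ifconfig 10.10.81.6 255.255.255.0"
)

def pushed_routes(msg):
    """Return the IPv4 networks pushed as 'route <net> <mask>' options."""
    nets = []
    for opt in msg.split(","):
        parts = opt.split()
        if len(parts) < 2 or parts[0] != "route":
            continue
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        try:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
        except ValueError:
            # Keywords such as remote_host are not literal addresses; skip them.
            continue
    return nets

def classify(msg, local_lan):
    """Split pushed routes into those overlapping the client's LAN and the rest."""
    lan = ipaddress.ip_network(local_lan)
    overlapping, distinct = [], []
    for net in pushed_routes(msg):
        (overlapping if net.overlaps(lan) else distinct).append(net)
    return overlapping, distinct

def alias_for(host, real_net, alias_net):
    """Map a work host to the same host offset in the translation subnet (assumed 1:1)."""
    real = ipaddress.ip_network(real_net)
    alias = ipaddress.ip_network(alias_net)
    addr = ipaddress.ip_address(host)
    if addr not in real or real.prefixlen != alias.prefixlen:
        raise ValueError("host outside real subnet, or subnet sizes differ")
    return alias.network_address + (int(addr) - int(real.network_address))

if __name__ == "__main__":
    overlapping, distinct = classify(PUSH_REPLY, "192.168.1.0/24")  # home LAN from the question
    print("overlaps home LAN:", [str(n) for n in overlapping])
    print("distinct, via tunnel:", [str(n) for n in distinct])
    print("reach 192.168.1.50 as:", alias_for("192.168.1.50", "192.168.1.0/24", "192.168.81.0/24"))
```
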

  • Hello Joe,

    Thank you for the feedback :) and for taking the time to update the community.

    I will take on your suggestion about the Recommended Read.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support