
IPSec VPN access to WAN and specific internal Server/Port

Hello community,

I'm stumbling over the following problem:

IPSec VPN is configured to be used as the default gateway when clients are connected with the Sophos Connect Client.
The firewall rule is created with target zones LAN and WAN and works fine.

Now there is a user who should only have access to a single server in LAN via a special port.

If I add the server to the accepted destination networks, the WAN access is not possible anymore.

What is best practice to realize connection through VPN to a specific internal server at specific port AND WAN?



  • You should create the matching firewall rules.

    Zone:VPN/ANY -> Zone:LAN/Server1:port

    Zone:VPN/ANY -> Zone:WAN/ANY

    You may show us your VPN & rule definitions.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hi Dirk,

    thank you for your reply!

    I tried your suggestion, but the client has no access to WAN through the VPN.

    The client is the only member of "Test-Group". Access to the Linux server on the specific port works, but the client gets no access to WAN, so the internet connection does not work for him.

  • I have another VPN rule that allows access to LAN and WAN for another group. This rule is on position #8 and works fine.

    The VPN to WAN rule on position #1 does not work at all... regardless of whether the rule is applied to users/groups or not.
    Any ideas?

  • Looks OK. Something in the firewall log?

    What does the firewall log look like? (Filter on the user's VPN IP)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Likely the default gateway does not work. The client is likely not sending the traffic to the firewall. Check the packet capture and ping 8.8.8.8 from the client. Do you see the ICMP packets? If not, the client does not have a config to send it through the VPN.

  • After some testing I have now solved the problem:
    The first rule needs an exclusion for Destination Zone: LAN, otherwise the second rule won't be used.
    The second rule needs an exclusion for Destination Zones: LAN, Destination Networks "DNS-Server" and Services: DNS.
    This is needed because the VPN policy gives an internal DNS server to the client.
    A third rule has to be created to allow VPN, Any to Destination Zones: LAN, Destination Networks "DNS-Server" and Services: DNS.

    With these three rules everything works as wanted. When connected, all traffic is sent through the tunnel, the client uses an internal DNS server, and the client can only connect to a specific internal server on a specific port. Everything else in the internal network, except DNS, is blocked.
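The rule ordering the last post ends up with can be checked with a small first-match model. This is an added example, not code from the thread or from Sophos: it assumes top-down evaluation with first match wins and an implicit default drop, that the broad default-gateway rule matches any destination zone, and that criteria inside one exclusion are ANDed. "Server1", "DNS-Server" and the zone names follow the thread; the port number 8443 and the host "FileServer" are made up.

```python
# Added example (not from the thread): first-match model of the three rules
# described in the final post, to show why the broad VPN-to-WAN rule needs a
# "Destination Zone: LAN" exclusion, and what happens without it.
# Assumptions: rules evaluated top-down, first match wins, no match = drop;
# rule 1 matches any destination zone; criteria in one exclusion are ANDed.
# Port 8443 and the host name "FileServer" are constructed sample values.
ANY = "ANY"


def _hit(allowed, value):
    """An object set matches a value if it contains ANY or the value itself."""
    return ANY in allowed or value in allowed


class Rule:
    def __init__(self, name, dst_zones, dst_hosts=(ANY,), services=(ANY,), exclusions=()):
        self.name = name
        self.dst_zones, self.dst_hosts = set(dst_zones), set(dst_hosts)
        self.services = set(services)
        # each exclusion is a (zones, hosts, services) triple; all three must
        # hit for the packet to be exempted from this rule
        self.exclusions = [tuple(set(part) for part in e) for e in exclusions]

    def matches(self, zone, host, service):
        if not (_hit(self.dst_zones, zone) and _hit(self.dst_hosts, host)
                and _hit(self.services, service)):
            return False
        return not any(_hit(z, zone) and _hit(h, host) and _hit(s, service)
                       for z, h, s in self.exclusions)


def evaluate(rules, zone, host, service):
    """Return the name of the first matching rule, or 'DROP' for the default."""
    for rule in rules:
        if rule.matches(zone, host, service):
            return rule.name
    return "DROP"


# Rule 1: default-gateway traffic, with the LAN exclusion the post found necessary.
# Rule 2: the single allowed internal server/port, exclusion kept as described.
# Rule 3: DNS to the internal DNS server handed out by the VPN policy.
RULES = [
    Rule("VPN->WAN", [ANY], exclusions=[(["LAN"], [ANY], [ANY])]),
    Rule("VPN->Server1:8443", ["LAN"], ["Server1"], ["TCP/8443"],
         exclusions=[(["LAN"], ["DNS-Server"], ["DNS"])]),
    Rule("VPN->DNS", ["LAN"], ["DNS-Server"], ["DNS"]),
]

# Same set without the LAN exclusion on rule 1: the broad rule shadows the
# narrower ones and every LAN host becomes reachable through the tunnel.
RULES_NO_EXCLUSION = [Rule("VPN->WAN", [ANY])] + RULES[1:]
```

Running `evaluate(RULES_NO_EXCLUSION, "LAN", "FileServer", "SMB")` returns "VPN->WAN", which is the shadowing the post describes; with the exclusion in place the same packet falls through to the default drop.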