We have set up an SSL VPN on our XGS Firewall.We want to route all the traffic trough the tunnel and make any network available in the tunnel (we have specific firewall rules set up to handle wo should access what).
The Problem we have now, is that when we set the SSL VPN with "Use as default gateway", it does not work if we do not set an permitted ressource as well. Not work = Can not connect to any ressource except the internet, even tho whe have all the required firewall rules set upThis would require us to list any network ressources we have there, which will change regulary and is quite a long list.
Is there a way, where can allow "any" as a permitted ressource? Sophos XGS does not allow me to create a 0.0.0.0/0.0.0.0 network object.
if you turned on "Use as default gateway" you can leave the "Permitted network resources (IPv4)" empty.
Hello Mario_ap,Thank you for reaching out to the community, with the use of "Use as default gateway." - All the WAN Traffic for the SSL VPN users will be routed via Sophos FW and hence you'll require a rule VPN to WAN. And for the "Permitted network resources." - All the local resources of the Sophos FW for which you'll need a rule VPN to LAN traffic. So you can leave the section empty - that way it will have a higher priority: But in order to access the local resources - You'll have to mention the complete network if you want everything on that network to be accessible.
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security EvolvedSophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
Hi VivekWe tried this as someone recommended it to us that it should work. Unfortunately, it doesnt work for us.
We have the rules set up like this, while "Office_SERVER" equals 192.168.10.0/24:If i leave permitted ressources empty, i am not able to connect to that network. (This network is on a phsyical port at the firewall)Same applies to other resources. Some resources are behind a Site-to-Site VPN.
Have you enabled PING and DNS for the VPN Zone (Management - Appliance Control)?
Try creating a plain FW rule as follows:And when creating a LINKED NAT make the following change both the rules:
yes, these are enabled currently
I've adjusted our rule to specifically have "LAN" as the zone = same result. As soon as i add the network object to permitted resources, everything works as specified in the rule.We do not want/need to masq the ip's of the clients for internal networks. (we have a NAT rule any to wan = masq)
I understand | but for the sake of the testing purpose - can you create a linked NAT - MASQ and confirm the results ?
Sure i can:Result:
Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_USCan you confirm the ping traffic, whether traffic is travelling in IPsec0 interface: Query example: host <ip add> and icmp