

DMZ VPN Routing Across Subnets

Hi

Am a beginner at firewalls, but so far have built a test domain on a 159 subnet, and a DMZ on 10. subnet, I am using Windows 2012 Server on the DMZ for the VPN as am playing with Windows Phone which is the biggest pain component I have to deal with. I have got the server working VPN remotely (Sophos XG is really quite good) from outside my network and allocates an IP address to my windows phone.
My question is, the VPN in theory I think should allocate an IP address different to that of the VPN server for security, and also different to that of the LAN... and that's where my head gets fuzzy as to how I would route the traffic from the DMZ if it is different to that of the VPN server and also out of subnet for the Sophos Gateway's IP.

Any help would be good if you can help at all (please remember I don't have huge amounts of knowledge in this area but like to try these things as it helps when you encounter them or similar in the real world).

Thanks in advance


Nick



  • Nick,

    you should build a 3 legged Firewall architecture like this one: http://i.stack.imgur.com/aFNLH.jpg

    The XG should have 3 cards, each one belonging to a zone. Next you have to assign a different subnet to each zone. So 192.168.159.0/24 is the LAN and 192.168.10.0/24 is the DMZ.

    If you want to access the Windows Server 2012 resources, you can setup a VPN inside the XG and make sure that clients can access only the Windows server 2012 in DMZ.

    Otherwise you can open ports from WAN to DMZ and your mobile can access the DMZ server directly.

    VPN users will get different IP range and the XG will translate the IPs automatically.

    Of course to build this configuration, you have to configure rules that allow traffic, otherwise all traffic is denied by default.

  • I have that built pretty much as is, but with my own IPs. I am using completely different subnets, so 159.170.x.x is the LAN, 10.1.x.x is the DMZ and the WAN is not needed here I think. I have configured and connected to the VPN and obtain an IP, in this case a 172.16.X.X address. I have configured a rule running from the DMZ to the LAN allowing the required traffic from the VPN IP addresses.

    I have added the VPN server's address to the rule for testing, and from the VPN server on 10.1.x.x it can access the resource (in this case a web page), but from the VPN on 172.16 it cannot. I created an IP host for the VPN-issued IP address and in the rule allow the traffic through to the LAN to just the server I want it to go to. I have monitored using the diag tools for blocked traffic and cannot see any.

    Could this be the route back to the VPN IP address? If I traceroute from the LAN-based server, I see that it goes to the LAN gateway address but the next hop is the WAN, so could this be the route back and Sophos routing to the wrong place?


  • Nicholas,

    can you post your Policy Rules? VPN and DMZ. Thanks

  • VPN in: using Business Application Rule, Non-HTTP

    Source host Any

    Hosted Zone WAN

    Hosted Address: VIP alias created for the sole use of VPN in

    Protected Zone DMZ

    Protected Application Server: Windows 2012 server IP host 10.1.X.X address

    Specified ports listed: 1701, 500, 4500

    Routing across network via User / Network Rule, not using identity as I base this on machine IP, not users

    Source Zone DMZ

    Networks: ip address of VPN clients 172.16.X.X address

    Services: HTTP, HTTPS and RDP

    Destination: LAN

    Networks: Web Server IP host 159.170.X.X address

    Changing the IP address that the VPN issues out to the same subnet as the VPN server, 10.1.X.X, and it all works fine (obviously adding it as an IP host), but change it back to 172.16.X.X and the application stops working.

    Proves that this is routing somewhere... just not sure where. (Also, on a side note, I have noticed at times that if you edit a rule a few times it can stop working altogether. I have to reboot the XG host or delete the rule and recreate it and it works again; not sure if this is a bug to be looked at also.)
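The return-path suspicion raised in this thread can be checked with a small model of the XG's routing table. The script below is an added illustration, not code from the thread or from Sophos: it models the three-legged layout with only connected routes plus a default route towards WAN, and shows that a reply to a 172.16.x.x VPN client matches nothing more specific than the default route until a static route for the VPN pool via the DMZ-hosted VPN server exists. The concrete prefixes, the VPN server host 10.1.0.10 and the WAN next hop are assumptions; the thread only gives 159.170.x.x, 10.1.x.x and 172.16.x.x.

```python
import ipaddress

# Constructed topology (assumed values): LAN 159.170.x.x, DMZ 10.1.x.x,
# VPN pool 172.16.x.x handed out by the Windows 2012 RRAS host in the DMZ.
LAN_NET = ipaddress.ip_network("159.170.0.0/16")
DMZ_NET = ipaddress.ip_network("10.1.0.0/16")
VPN_POOL = ipaddress.ip_network("172.16.0.0/16")
VPN_SERVER = "10.1.0.10"      # assumed address of the RRAS host in the DMZ
WAN_GATEWAY = "203.0.113.1"   # assumed ISP next hop (documentation range)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def base_routes():
    """Routes the XG has with no extra configuration: one connected route
    per leg plus the default route out of the WAN interface."""
    return [
        (LAN_NET, "connected", "LAN"),
        (DMZ_NET, "connected", "DMZ"),
        (DEFAULT, WAN_GATEWAY, "WAN"),
    ]


def with_vpn_route(routes):
    """Candidate fix: a static route telling the XG that the VPN pool is
    reachable through the RRAS host on the DMZ leg."""
    return routes + [(VPN_POOL, VPN_SERVER, "DMZ")]


def lookup(routes, dst):
    """Longest-prefix match, as a real routing table does it: among all
    routes containing dst, the one with the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def return_interface(routes, vpn_client_ip):
    """Interface the XG uses to forward the LAN server's reply to a client."""
    return lookup(routes, vpn_client_ip)[2]


if __name__ == "__main__":
    base = base_routes()
    # Pool on 172.16.x.x: reply leaves via WAN, matching the traceroute symptom.
    print("172.16.0.5 ->", return_interface(base, "172.16.0.5"))
    # Pool moved onto the DMZ subnet: connected route wins, so it just works.
    print("10.1.0.50  ->", return_interface(base, "10.1.0.50"))
    # With the static route the reply goes back into the DMZ.
    print("172.16.0.5 with static route ->",
          return_interface(with_vpn_route(base), "172.16.0.5"))
```

This models only the routing decision; a stateful DMZ-to-LAN rule must still permit the forward flow, which the thread's rule already does.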