Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: SSL VPN access for overlapping Home networks

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


In this Recommended Read we’ll go over a workaround to configure SSL VPN access for overlapping networks.

Despite not being recommended at all to use the two following networks on an Enterprise Network 192.168.0.0/24 192.168.1.0/24, 99% of home routers/modems set their Network to these two subnets, it’s possible to work around this scenario.

In this scenario, the Sophos Firewall has an interface with the subnet 192.168.1.0/24, and the home user network is the same.

If no changes are made, when the user connects to the SSL VPN and tries to Ping 192.168.1.150, the computer will send the traffic to the local modem and not via the intended SSL VPN.

Ideally, you would move away from this Network or ask the user to reconfigure their home router/modem to a different subnet. If that’s not possible, we can create a DNAT rule to NAT the traffic coming from the Home User network as a different Subnet.

For our scenario, the user is trying to access a Server with IP 192.168.1.150

1.- Navigate to Configure >> VPN >> SSL VPN (remote access) >> Tunnel Access >> Permitted Networks resources (IPv4). We would provide a Fake subnet to pass down to the SSL VPN Client, for example, 172.16.254.0/24 (This IP must not be in use at all in the Firewall (e.g. any interface, IPsec, L2TP, etc.)

2.- Navigate to Configure >> VPN >> Show VPN settings >> SSL VPN and make a note of the IPv4 lease range: 

3.- Navigate to  NAT rules >> New Nat Rule

The NAT rule should look like the following:

  • Original Source = SSL VPN IPv4 lease range
  • Original Destination = 172.16.254.0/24 (The Network you’re passing down to the SSL VPN client)
  • Translated Destination = 192.168.1.150 (IP of the Server behind the Sophos Firewall)

4.- For the user to access the Server with IP 192.168.1.150, they need to enter the IP 172.16.254.100, and the XG will map the host IP to the actual Network Host IP. 




Grammar
[edited by: Raphael Alganes at 3:13 PM (GMT -8) on 19 Nov 2024]