Can't access external services from SSL VPN

Hello.

Now that everyone is working remotely I've encountered a few issues accessing things outside our network from the SSL VPN.  SFTP (SSH on port 22) is the main one of these.  It connects fine from inside the office but not via the SSL VPN.

When I run a traceroute to something outside our network on the VPN it uses the UTM as the 1st hop then everything else times out, as if it doesn't have a route out.

What am I missing?  I've looked in the firewall logs but there isn't a single entry for the SSL VPN subnet despite me creating firewall rules and enabling logging.  I've also ensured there is a masquerading rule but still no luck.

Any tips appreciated!

  • Hello David,

    why are you routing all traffic through the tunnel? Can't you go to resources "outside" your network directly?

    With kind regards, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp.  Yes, we do that, but in this case we access a 3rd party FTP server and they have whitelisted our office IP for access.  Now we have about 20 people at home trying to use it with dynamic IPs, it's not workable to ask them to keep updating it.  We need to route this SSH traffic through the UTM and out through our whitelisted IP.

    It seems like it should be a fairly simple thing to achieve but I've spent days going around in circles to no avail.

  • Hello David,

    then let's try to get this to work for you:

    you need to add a route at the client to tell the IP packet with destination "special external services" to go through the Sophos SSL-Tunnel.

    Example for a Windows client: route add 83.84.85.86 MASK 255.255.255.255 10.242.2.1

    where: 83.84.85.86 is an example for a server-ip address, the mask is for a single host and 10.242.2.1 is the Sophos-Firewall gateway address if you are using the standard SSL-VPN-Pool.

    Next you need to mask the SSL-VPN-Pool behind your IP-Address of your uplink-interface(s).

    Then this should start to work ...

    Philipp Rusch

  • I just tried adding the route in Windows and it said it already exists.  If I do a tracert it gets to 10.242.2.1 first and then nothing after that, they just time out.

  • You already have a route to your "outside IP" ??? This is hard to believe. ...

    OK - what else: you need the MASQ rule on the firewall and maybe some more firewall rules (watch the Firewall Live-Log)

    Philipp Rusch

  • Why is it hard to believe?  Could the route already be there because I added it to the local networks section in the SSL VPN config?

    I've created the masquerading rule for the VPN subnet to use the same IP as our internal LAN.

    I've created a firewall rule to allow SSH from the VPN to anywhere, with logging enabled, but there is still no sign of any logging.  I also created a rule for any traffic outbound from the VPN but there isn't a single entry in the logs for 10.242.2.*

  • Please show us the definition of your masq rules and the VPN definition plus the objects that you are using there (especially the networks you defined). I think there is something wrong in there.

    Philipp Rusch

  • Hi David,

    Please show a picture of the Edit of the SSL VPN Remote Access Profile.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • I have figured out what is causing it.  Because there is no way to configure DHCP reservations for the SSL VPN Pool I have created SNAT and DNAT rules for each user to simulate having the same IP each time (this is required for call recording on our soft phones).  When I disable these NAT rules the connection goes outside to the external SFTP server and connects as expected.

    This is the masquerading rule:

    And this is the VPN profile:

    Thanks,

    Dave

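The two pieces of this thread that matter for anyone reproducing the setup are Philipp's procedure (host route into the tunnel, then masquerade the SSL VPN pool behind the uplink) and Dave's finding that per-user SNAT/DNAT rules stopped the masquerade from applying. The small model below is an added example, not code from the thread or from Sophos; it assumes that explicit SNAT rules are evaluated before masquerading with first match winning, and every address, rule name and the "scoped" variant of the rule is a constructed illustration rather than something the posters stated.

```python
"""Model of UTM egress NAT for SSL VPN clients (added example, constructed values).

Assumption: explicit SNAT rules are checked before the masquerading rule,
first match wins. This is not confirmed anywhere in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

VPN_POOL = ip_network("10.242.2.0/24")      # standard SSL VPN pool from Philipp's post
OFFICE_LAN = ip_network("192.168.1.0/24")   # constructed internal LAN
UPLINK_IP = "203.0.113.10"                  # constructed whitelisted public address (TEST-NET-3)
SFTP_SERVER = "83.84.85.86"                 # example server address from Philipp's post


@dataclass
class Snat:
    name: str
    src: IPv4Network   # source network the rule matches
    dst: IPv4Network   # destination network the rule matches
    new_src: str       # address the source is rewritten to


def masquerade_src(src: str, dst: str) -> Optional[str]:
    """Masquerading rule: VPN pool leaves the site with the uplink address."""
    if ip_address(src) in VPN_POOL and ip_address(dst) not in OFFICE_LAN:
        return UPLINK_IP
    return None


def egress_source(src: str, dst: str, snat_rules: List[Snat]) -> Tuple[str, str]:
    """Return (matched rule name, source address the packet leaves with)."""
    for rule in snat_rules:                     # explicit SNAT first (assumption)
        if ip_address(src) in rule.src and ip_address(dst) in rule.dst:
            return (rule.name, rule.new_src)
    masq = masquerade_src(src, dst)             # then the masquerading rule
    return ("masquerade", masq) if masq else ("none", src)


# Per-user fixed-IP rule with destination Any: it also captures internet-bound traffic,
# so the SFTP session never reaches the masquerading rule (constructed rule).
BROAD = [Snat("dave-fixed-ip", ip_network("10.242.2.7/32"), ip_network("0.0.0.0/0"), "192.168.1.207")]
# Same rule limited to the office LAN (constructed): external traffic falls through to masquerading.
SCOPED = [Snat("dave-fixed-ip", ip_network("10.242.2.7/32"), OFFICE_LAN, "192.168.1.207")]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, "->", egress_source("10.242.2.7", SFTP_SERVER, rules))
```

With the broad rule the packet leaves with the internal address 192.168.1.207 and the whitelisted server never sees the office IP; with the rule scoped to the LAN the same packet is masqueraded to the uplink address.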
  • Dave,

    why do you put "xxx VPN Pool (SSL)" in "local networks"? I never do this and I think this is not necessary.

    Did you have a look at the manual?

    Philipp Rusch