Hello.
Now that everyone is working remotely I've encountered a few issues accessing things outside our network from the SSL VPN. SFTP (SSH on port 22) is the main one of these. It connects fine from inside the office but not via the SSL VPN.
When I run a traceroute to something outside our network on the VPN it uses the UTM as the 1st hop then everything else times out, as if it doesn't have a route out.
What am I missing? I've looked in the firewall logs but there isn't a single entry for the SSL VPN subnet despite me creating firewall rules and enabling logging. I've also ensured there is a masquerading rule but still no luck.
Any tips appreciated!
Hello David,
Why are you routing all traffic through the tunnel? Can't you go to resources "outside" your network directly?
With kind regards, Regards from Germany,
Philipp Rusch
New Vision GmbH, Germany, Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Hi Philipp. Yes, we do that, but in this case we access a 3rd party FTP server and they have whitelisted our office IP for access. Now that we have about 20 people at home trying to use it with dynamic IPs, it's not workable to ask them to keep updating it. We need to route this SSH traffic through the UTM and out through our whitelisted IP.
It seems like it should be a fairly simple thing to achieve but I've spent days going around in circles to no avail.
Then let's try to get this to work for you:
You need to add a route on the client that tells IP packets with destination "special external services" to go through the Sophos SSL tunnel.
Example for a Windows client: route add 83.84.85.86 MASK 255.255.255.255 10.242.2.1
where: 83.84.85.86 is an example server IP address, the mask is for a single host, and 10.242.2.1 is the Sophos firewall gateway address if you are using the standard SSL-VPN pool.
Next you need to masquerade the SSL-VPN pool behind the IP address of your uplink interface(s).
Then this should start to work ...
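A small model of the client-side route selection described in this reply, added here as an example; it is not code from the thread or from Sophos. The routing table below is constructed: the home-router gateway 192.168.1.1, the metrics and the documentation-range addresses 198.51.100.20 and 203.0.113.7 are assumptions, while the SSL VPN pool 10.242.2.0/24, its gateway 10.242.2.1 and the server 83.84.85.86 are the values used in the thread. It shows why a host route via 10.242.2.1 wins over the default route, and why a manual `route add` for a /32 that the tunnel already installed is rejected.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Sequence


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def route(prefix: str, gateway: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix, strict=False),
                 ipaddress.ip_address(gateway), metric)


# Constructed routing table of a split-tunnel SSL VPN client.
# Assumed: home router 192.168.1.1 and the metrics.
# From the thread: pool 10.242.2.0/24, gateway 10.242.2.1, server 83.84.85.86.
TABLE: List[Route] = [
    route("0.0.0.0/0", "192.168.1.1", 25),     # default route via the home router
    route("10.242.2.0/24", "10.242.2.1", 5),   # SSL VPN pool, installed by the tunnel
    route("83.84.85.86/32", "10.242.2.1", 5),  # host route pushed for a "local network" entry
]


def lookup(dst: str, table: Sequence[Route]) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(dst: str, table: Sequence[Route]) -> Optional[str]:
    """Gateway a packet to dst would be handed to, or None if unroutable."""
    r = lookup(dst, table)
    return str(r.gateway) if r else None


def add_host_route(table: List[Route], host: str, gateway: str, metric: int = 5) -> bool:
    """Mimic `route add <host> MASK 255.255.255.255 <gateway>`.

    Returns False, like the 'already exists' error, when a route for the same
    /32 prefix is already present; otherwise appends the route and returns True.
    """
    new = route(f"{host}/32", gateway, metric)
    if any(r.prefix == new.prefix for r in table):
        return False
    table.append(new)
    return True


if __name__ == "__main__":
    # The whitelisted server already goes into the tunnel ...
    print("83.84.85.86 ->", next_hop("83.84.85.86", TABLE))
    # ... so adding the same host route again is refused.
    print("route add 83.84.85.86 ->", add_host_route(TABLE, "83.84.85.86", "10.242.2.1"))
    # Other Internet traffic still leaves via the home router.
    print("198.51.100.20 ->", next_hop("198.51.100.20", TABLE))
    # A server that is not in the profile needs a fresh host route first.
    t = list(TABLE)
    add_host_route(t, "203.0.113.7", "10.242.2.1")
    print("203.0.113.7 ->", next_hop("203.0.113.7", t))
```

The model stops at the client's first hop: once the packet reaches 10.242.2.1 it is the firewall's masquerading and packet-filter rules, not this table, that decide whether it leaves with the uplink address, which is where the Firewall Live-Log becomes the thing to watch.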
I just tried adding the route in Windows and it said it already exists. If I do a tracert it gets to 10.242.2.1 first and then nothing after that, they just time out.
You already have a route to your "outside IP" ??? This is hard to believe. ...
OK - what else: you need the MASQ rule on the firewall and maybe some more firewall rules (watch the Firewall Live-Log)
Why is it hard to believe? Could the route already be there because I added it to the local networks section in the SSL VPN config?
I've created the masquerading rule for the VPN subnet to use the same IP as our internal LAN.
I've created a firewall rule to allow SSH from the VPN to anywhere, with logging enabled, but there is still no sign of any logging. I also created a rule for any traffic outbound from the VPN but there isn't a single entry in the logs for 10.242.2.*
Please show us the definition of your masq rules and the VPN definition plus the objects that you are using there (especially the networks you defined). I think there is something wrong in there.
Hi David,
Please show a picture of the Edit of the SSL VPN Remote Access Profile.
Cheers - Bob
I have figured out what is causing it. Because there is no way to configure DHCP reservations for the SSL VPN Pool I have created SNAT and DNAT rules for each user to simulate having the same IP each time (this is required for call recording on our soft phones). When I disable these NAT rules the connection goes outside to the external SFTP server and connects as expected.
This is the masquerading rule:
And this is the VPN profile:
Thanks,
Dave
Dave,
Why do you put "xxx VPN Pool (SSL)" in "local networks"? I never do this and I think this is not necessary.
Did you have a look at the manual?