
Question about VPN and routing

Hello,

We have a 2nd router in the company (vpn-router) which will only accept connections from our clients' network (call it 192.168.1.0/24). I cannot manage that router, it's preconfigured. Sophos FW manages that network.

If I remote via SSL, I get as usual the vpn pool IP.

In that case, I cannot access the router.

Is there a way that I can have an internal client IP when remoting in? Maybe 1:1 NAT or so?

  • Just to be sure: You want to connect via Sophos SSL-VPN to your internal network and then use the other router to VPN to another site without using a client or terminal server in your network as a 'hop'? Let's say you want to be able to open 192.168.123.45 in the browser of the dialed-in device when 192.168.123.0 is a network behind that VPN router?

    To achieve this you will first have to put the networks behind the VPN router in your 'internal networks' in the remote access config. The other solution would be setting your local networks to 'Any'. Then you will have to create a SNAT rule from your SSL-VPN pool connecting to the networks behind the VPN router, changing the source to your UTM's LAN address. For every network behind the router a new SNAT rule.

    That theoretically should work, but is maybe a bit messy to configure.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Yes, that is correct.

    SNAT is actually EXACTLY what I was looking for! I already did have networks added in SSL-VPN settings, and was getting the website, but it did not load completely. After adding SNAT, it's working correctly.

    Nothing messy about the configuration :)

    Thank you!!!

  • Maybe post some pics of your config so the next person with the issue will have a clearer understanding?

  • I don't have anything graphical available that I can share, sorry.

    I also think that it was explained fairly well by Kevin.

  • I'm having a hard time visualizing this: "To achieve this you will first have to put the networks behind the VPN router in your 'internal networks' in the remote access config." Maybe a screenshot will make it clearer. That's what I meant by a pic.

  • In the SSL-VPN configuration you define which are your internal networks. What happens in the background on the client is split tunneling. All traffic not specified in the SSL-VPN config will go to the client's default gateway and not into the tunnel.

    If you select "Any" as your "Local Networks" then (nearly) all traffic is routed through the VPN tunnel. If you want to keep the "split tunnel config" you will have to set all networks that an SSL-VPN client should be able to reach in the "Local Networks" section.

    In this example "SRF-LAN" is a customer's network that is not physically connected to our UTM (it is connected via a Cisco ASA).
    The IPsec VPN tunnel to the customer only has the internal network defined in phase 2, so connections from my SSL-VPN pool will not enter that tunnel. (We have a static IPv4 gateway route on our UTM for SRF-LAN pointing to the Cisco ASA.)

    To be able to reach the network through my SSL-VPN connection I have to create a SNAT rule like this:

    Then for the "SRF-LAN" side my UTM is making the connection with its LAN IP (and so it is routed through the IPsec tunnel) and not my SSL-VPN client.


    A very simple network plan of this scenario looks like this (the yellow things stand for the SSL/IPSEC VPNs).


    The scenario with the third-party VPN router is only a special version of the UTM handling SSL and IPsec tunnels for itself. Then you won't add your SSL-VPN pool to the SA of the IPsec tunnel either. In that case the static IPv4 gateway route falls away; the SNAT would be the same.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
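The following is an added illustration, not part of the thread and not Sophos UTM code: a small Python model of the three decisions Kevin's explanation chains together (split-tunnel routing on the client, the SNAT rule on the UTM, and the third-party VPN router's source check). The addresses are constructed: 192.168.1.0/24 is the client LAN from the question, 192.168.123.0/24 stands in for the network behind the VPN router, and the SSL-VPN pool 10.242.2.0/24 and UTM LAN address 192.168.1.1 are assumptions. The model deliberately ignores stateful return traffic and phase-2 selectors; it only shows why each configuration step is needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

# Constructed addresses for the illustration (assumptions, not from the thread
# except the client LAN 192.168.1.0/24 and the example 192.168.123.0 network).
CLIENT_LAN = ipaddress.ip_network("192.168.1.0/24")     # the only source the VPN router accepts
UTM_LAN_IP = ipaddress.ip_address("192.168.1.1")        # assumed UTM LAN address used as SNAT source
SSL_VPN_POOL = ipaddress.ip_network("10.242.2.0/24")    # assumed SSL-VPN address pool
REMOTE_LAN = ipaddress.ip_network("192.168.123.0/24")   # network behind the third-party VPN router

LocalNetworks = Union[str, List[ipaddress.IPv4Network]]  # "Any" or an explicit list


@dataclass
class SnatRule:
    """One UTM SNAT rule: traffic from src to dst leaves with new_src as source."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    new_src: ipaddress.IPv4Address


def client_next_hop(dst: ipaddress.IPv4Address, local_networks: LocalNetworks) -> str:
    """Split tunnelling on the SSL-VPN client: only destinations covered by
    'Local Networks' are sent into the tunnel; everything else goes to the
    client's own default gateway."""
    if local_networks == "Any":
        return "tunnel"
    return "tunnel" if any(dst in net for net in local_networks) else "default-gateway"


def apply_snat(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
               rules: List[SnatRule]) -> ipaddress.IPv4Address:
    """First matching SNAT rule wins; no match leaves the source unchanged."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.new_src
    return src


def vpn_router_accepts(src: ipaddress.IPv4Address) -> bool:
    """The preconfigured VPN router only talks to the client LAN."""
    return src in CLIENT_LAN


def simulate(dst: ipaddress.IPv4Address, local_networks: LocalNetworks,
             snat_rules: List[SnatRule]) -> str:
    """Trace one client packet from an SSL-VPN pool address to dst."""
    client_ip = SSL_VPN_POOL[10]  # constructed pool address handed to the client
    if client_next_hop(dst, local_networks) != "tunnel":
        return "not-tunnelled"          # step 1 missing: network not in Local Networks
    src_seen = apply_snat(client_ip, dst, snat_rules)
    if dst in REMOTE_LAN and not vpn_router_accepts(src_seen):
        return "dropped-by-vpn-router"  # step 2 missing: pool address reaches the router
    return "ok"


# The one SNAT rule Kevin describes: pool -> remote LAN, source becomes the UTM LAN IP.
SNAT_RULES = [SnatRule(SSL_VPN_POOL, REMOTE_LAN, UTM_LAN_IP)]

if __name__ == "__main__":
    target = ipaddress.ip_address("192.168.123.45")
    print(simulate(target, [CLIENT_LAN], []))               # not-tunnelled
    print(simulate(target, [CLIENT_LAN, REMOTE_LAN], []))   # dropped-by-vpn-router
    print(simulate(target, [CLIENT_LAN, REMOTE_LAN], SNAT_RULES))  # ok
    print(simulate(target, "Any", SNAT_RULES))              # ok
```

Running it walks through the three states the thread describes: with only the client LAN in "Local Networks" the packet never enters the tunnel; once the remote network is added it is tunnelled but arrives at the VPN router with a pool source it rejects; with the SNAT rule in place the router sees the UTM's LAN address and the connection succeeds. Selecting "Any" skips the first problem but still needs the SNAT rule.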

  • Thanks for the detailed clarification. Makes more sense now.
