Configuration problem remote access to two networks

Hello

I run a UTM 9 and everything works quite well. But I have a question about a remote access configuration to two different networks over the same remote access connection.

Right now, I have a remote connection to the internal network (A) let’s say 192.168.23.0/24. This is accessible via the Sophos VPN Client and I can connect to the terminal server.

I also have an IPSEC connection to an external network (B) let’s say 10.10.100.0/24. The PCs and servers in B are members of the domain network of A and I can ping and RDP them from A.

My goal is to have a remote connection to B as well and be able to RDP to a server in A and in B.

Sorry, German speaker.

Can somebody help?

  • The easiest solution is to make sure that network B is also inside the Remote client VPN networks so the VPN client knows to send the traffic to the UTM.

    Also in the IPSEC tunnel between A and B the IP-network from the Remote VPN clients should be listed so site B knows to send traffic for your remote ssl clients to site A over the IPSEC connection.

    If that is not possible then you can only create an SNAT rule in the site A firewall. You must still make sure that site B's network is inside the remote VPN profile, and then you can create an SNAT rule:

    Traffic from: Remote VPN Network Pool
    Going to: Site B subnet
    Change Source to: Internal (Address)

    Also make sure to tick 'Rule applies to IPsec packets' under advanced with the NAT rule.

    That way the firewall will change the source address of your remote VPN users from 10.242.x.y to 192.168.23.x, and that will travel to the firewall.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Hi

    I inserted the VPN Pool (SSL) into the local networks of the ipsec connection. Then I opened a second phase 2 on the other side (opnsense). The tunnel came up and all shows green on Sophos.

    Then I opened the Sophos VPN client and tried to connect directly to a server on net B. No success. But I still can connect to a server on net A.


  • Did you also include the subnet for site B in "Local networks" for the SSL VPN profile?

    Edit: And you should of course also create a firewall rule to allow the traffic from VPN Pool to Site B network.


  • You may want to also tick 'automatic firewall rules' or manually create a firewall rule to allow the traffic.


  • You may also tick Auto firewall rules on the SSL VPN profile. There are two checkboxes, one for IPSEC and one for SSL VPN.


  • This is the situation. I took everything back to the original basic configuration. Perhaps we can start from scratch?

  • Okay, between A and B there is an IPSEC site-to-site connection.

    SITE-TO-SITE CONNECTION

    From Sophos (A) configure the site to site like this:

    Local networks:

    • Intern net A network
    • VPN Pool Network (probably 10.242.2.0/24)
    • maybe also Intern net C and D if necessary

    Remote networks:

    • Net SDL B subnet

    From Net SDL (B) configure the site to site like this:

    Local networks:

    • Net SDL B subnet

    Remote networks:

    • Intern net A network
    • VPN Pool Network from site A
    • if necessary Intern net C and D

    SSL Remote VPN

    Configure the SSL VPN profile on Sophos with the following subnets:

    • Intern net A
    • Net SDL B
    • if necessary intern net C and D

    That should at least bring up all the VPN connections. If you tick Automatic firewall rule on both IPSEC and Remote SSL VPN that should also allow all traffic between all the subnets in Sophos.

    Check all subnets for non-overlap

    You must also check that you have no overlapping subnets, so check:

    1. Local subnet at the Client who makes Remote SSL connection
    2. Intern net A
    3. Intern net C
    4. Intern net D
    5. Net SDL B

    None of these must overlap, otherwise there will be routing issues. If you don't know whether or not there is overlap, then you can put the subnets in use here so we can check for overlap.

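    The answer above boils down to three checks: the phase-2 selectors on both ends of the site-to-site tunnel must mirror each other (including the VPN pool), the SSL VPN profile must carry every subnet the client should reach, and none of the subnets may overlap. The following Python script is an added example, not from the thread or from Sophos, that encodes those checks; the subnet values are constructed to match the thread and the client LAN is an assumption.

```python
import ipaddress

# Constructed sample values modelled on the thread: site A internal net,
# the UTM's SSL VPN pool, site B, and the (assumed) home LAN of a roaming client.
INTERN_A = "192.168.23.0/24"
VPN_POOL = "10.242.2.0/24"
NET_B = "10.10.100.0/24"
CLIENT_LAN = "192.168.1.0/24"

# Phase-2 selectors as they should be configured on each end of the tunnel
SITE_A = {"local": [INTERN_A, VPN_POOL], "remote": [NET_B]}
SITE_B = {"local": [NET_B], "remote": [INTERN_A, VPN_POOL]}
# Subnets pushed to the SSL VPN client by the remote access profile
SSL_VPN_PROFILE = [INTERN_A, NET_B]


def nets(cidrs):
    # strict=True rejects host bits so a typo like 10.10.100.1/24 is caught early
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def selectors_match(side_a, side_b):
    """A's local set must equal B's remote set and vice versa; otherwise one
    side has no SA for the missing subnet (e.g. the VPN pool) and drops it."""
    return (nets(side_a["local"]) == nets(side_b["remote"])
            and nets(side_a["remote"]) == nets(side_b["local"]))


def missing_from_ssl_profile(profile, *needed):
    """Subnets the SSL VPN client will NOT route into the tunnel."""
    return sorted(str(n) for n in nets(needed) - nets(profile))


def overlapping_pairs(cidrs):
    """Every pair of subnets that overlap, which would cause routing issues."""
    ordered = sorted(nets(cidrs), key=lambda n: (int(n.network_address), n.prefixlen))
    return [(str(x), str(y)) for i, x in enumerate(ordered)
            for y in ordered[i + 1:] if x.overlaps(y)]


if __name__ == "__main__":
    print("selectors symmetric:", selectors_match(SITE_A, SITE_B))
    print("missing from SSL profile:",
          missing_from_ssl_profile(SSL_VPN_PROFILE, INTERN_A, NET_B))
    print("overlaps:", overlapping_pairs([CLIENT_LAN, INTERN_A, NET_B, VPN_POOL]))
```

Feed it the real subnets (and the OPNsense phase-2 entries for site B) to see which of the three conditions is still unmet before touching firewall rules.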

  • Thanks a lot, this helped me a lot. Together with community.sophos.com/.../utm9-vpn-client-verbindung-mit-mehreren-netzwerken

    So the connection is established. Only I get a dark screen :) But this is another issue now