SSL VPN - can PING one device but not another

I'm troubleshooting an issue where remote computers connected through the SSL Remote Access VPN can reach one file server but not another one. The Remote Access VPN pool is 10.242.2.0/24 and the internal net is 192.168.2.0/24. In Network Protection -> Firewall -> Automatic firewall rules we have a rule that allows:

Sources: Active Directory Users

Services: Any

Destinations: Internal (Network)

On the LAN I can PING 192.168.2.12 and 192.168.2.13. From the VPN I can PING 192.168.2.12 but not 192.168.2.13. I can connect via SMB to 192.168.2.12 but not to 192.168.2.13. I don't need to PING but do need to map a drive from my remote Windows computer to the file server at both these IPs. I don't see any rules blocking 192.168.2.13. I'm not sure which logs can tell me whether the traffic is being blocked or passing through. How can I fix this so I can reach 192.168.2.13? 

  • Hi David and welcome to the UTM Community!

    My guess is that this is a firewall setting issue in the server at .2.13.  To check this idea out, see what happens when you make a NAT rule like

         SNAT : VPN Pool (SSL) -> Ping -> {192.168.2.13} : from Internal (Address)

    Results?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry, a bit confused. This is my first Sophos firewall but I'm familiar with networking and other firewalls so struggling here. This is a brand new client that we've taken on and the firewall is working fine but we're not fully up to speed yet.

    I've just added the first NAT rule here. We don't have one for the current working IP 192.168.2.12 and I assumed that's because the VPN is allowing any source to any destination and we don't need a NAT at all. I appreciate the suggestion but not sure I've configured this right. I'm here to learn and fix this and will take any suggestions you have.

    PS. I'm also trying to get access to the NAS to see if it has the default gateway assigned. I'm thinking it's *possible* that the NAS doesn't have the correct default gateway and doesn't know how to reply to the address. I don't know. It seems more likely that the issue is in the firewall but I'm willing to leave it all open.

  • Close.  'Change the source to: Internal (Address)' and leave the service change empty.  See #5 in Rulz (last updated 2021-02-16).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you so much. The change didn't help and I'm still waiting for someone who can come on-site then let me connect to their computer to check the network settings on our NAS. I'll update this with what I find or if I have more questions.

    NAT rule image

  • The default gateway was the problem! The NAS at the office did not have a default gateway and didn't know how to get to the IPs used for the SSL VPN. I was PINGing from outside and not getting a response, added the default gateway on the NAS, and immediately started getting replies.
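As an added illustration of the root cause found above (this is not code from the thread or from Sophos): a small route-lookup check over a constructed `ip route show`-style table shows why a NAS with only its on-link LAN route can answer a LAN host but has no path back to the SSL VPN pool, and how a default gateway fixes it. The gateway address 192.168.2.1 is an assumption; the thread does not state the UTM's LAN address.

```python
import ipaddress

# Constructed routing table of the NAS as it was misconfigured: only the
# kernel's on-link route for the LAN, no default gateway (sample, not from the thread).
NAS_ROUTES_BEFORE = """\
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.13
"""

# Same table after adding a default gateway. 192.168.2.1 is an assumed
# address for the UTM's internal interface.
NAS_ROUTES_AFTER = """\
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.13
"""

def parse_routes(text):
    """Parse 'ip route show'-style lines into (network, gateway_or_None) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        # 'via X' names a next-hop gateway; an on-link route has none.
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, gw))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)

def can_reply(routes, dst):
    """True if the NAS has any route (on-link or via a gateway) back to dst."""
    return lookup(routes, dst) is not None

if __name__ == "__main__":
    for label, table in (("before", NAS_ROUTES_BEFORE), ("after", NAS_ROUTES_AFTER)):
        routes = parse_routes(table)
        for dst in ("192.168.2.12", "10.242.2.5"):
            print(f"{label}: reply to {dst}? {can_reply(routes, dst)}")
```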
