This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos SG210, remote SSL VPN users, accessing Azure SQL via UTM to Azure IPSEC tunnel

SG210 running 9.715-3 - Transparent mode

Hello all,

I'm trying to get our remote users to be able to access our Azure/tenant SQL instance, as if coming from the office. Presently we have to whitelist a bunch of user IP addresses to let them connect to the AzSQL server.

Note: we're in the midst of migrating to XGs FWs, however it will be a good month to do so.

What I've done so far:

* Established a tunnel from UTM to Azure via IPSEC. On the Azure side I have both the office (10.225.XXX.XXX) and SSL VPN pool (10.242.XXX.XXX) connected.
* Created SNAT rules for SSL VPN Pool traffic attempting to go through the tunnel to appear as coming from the the local UTM IP.
* whitelisted Azure networks and main office IPs within the AzSQL networking side.

Users that are local can connect to the server just fine; any user that is remote at home and connected via SSL VPN receives an error saying there was a timeout trying to connect.  If we do a "What's My IP" when they are connected via VPN it shows the office's public IP.  If we whitelist their own public IP in AzSQL they can connect to SQL without issue.



This thread was automatically locked due to age.
Parents
  • Hello there,

    Thanks for reaching out to Sophos Community

    When they are connected on SSL VPN what are the results of traceroute going to AzSQL? Also, are there any deny/drop log from the firewall logs from SSL VPN pool -> AzSQL?

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • A little more headway.  The tracert are as follows:

    VPN USER:

    tracing route to <one of MSFT's gateway/keeper IPs where SQL instance resides>

    1  X ms  Y ms Z ms  10.242.2.1         Our SSL POOL IP assigned to them.
    2      *        *        *         Request timed out.
    ...

    30  *        *        *         Request timed out.

    Local user:

    tracing route to <same as above>

    1  X ms  Y ms Z ms  10.225.X.Y         UTM internal LAN IP
    2  X ms  Y ms Z ms  Static IP of WAN Gateway
    3 ... 6   ISP's network
    7... X ms  Y ms Z ms MSFT IPs

    So to my newb eyes it appears that the SSL VPN subnet isn't routing traffic to/through the UTM.....

Reply
  • A little more headway.  The tracert are as follows:

    VPN USER:

    tracing route to <one of MSFT's gateway/keeper IPs where SQL instance resides>

    1  X ms  Y ms Z ms  10.242.2.1         Our SSL POOL IP assigned to them.
    2      *        *        *         Request timed out.
    ...

    30  *        *        *         Request timed out.

    Local user:

    tracing route to <same as above>

    1  X ms  Y ms Z ms  10.225.X.Y         UTM internal LAN IP
    2  X ms  Y ms Z ms  Static IP of WAN Gateway
    3 ... 6   ISP's network
    7... X ms  Y ms Z ms MSFT IPs

    So to my newb eyes it appears that the SSL VPN subnet isn't routing traffic to/through the UTM.....

Children