
Remote Access SSL - same ip network

Hi, I've set up Remote Access for 2 users

My lan is 192.168.1.0/24

Everything is OK if the user network is different from mine

How to make it work if user network is the same as mine?

I searched everywhere but I didn't find any documented solution to make it work

The only example I found is about connecting two UTMs with the same network range (https://support.sophos.com/support/s/article/KB-000034290?language=en_US), but I don't know if it can be applied to my case... I tried, but with no success. Can anyone help me please?

I created:

2 New Network definition:

FakeNetwork : 192.168.20.0/24

MyNetwork: 192.168.1.0/24

2 NAT 1:1

1:1 NAT MAP SOURCE: 

Traffic selector:  VPN Pool (SSL) -> any -> MyNetwork
Source translation:  FakeNetwork

1:1 NAT MAP DESTINATION

Traffic selector:   FakeNetwork -> any -> VPN Pool (SSL)
Destination translation: MyNetwork

Thank you for any help

Rudy



  • Hi there,

    you're talking about Client2Site SSLVPN (not Site2Site SSLVPN), right?

    In that case you need to configure the Fake Network as a target network in the VPN Profile,

    so that the UTM pushes a Route to all clients using that VPN. Otherwise the clients won't have a route

    to that "remote" fake network and they'll happily send traffic to their default gateway (being their own internet router)

    instead of routing it through the VPN tunnel to the UTM.

  • Thank you Damon

    I'm talking about MENU->REMOTE ACCESS->SSL

    my goal is to let each remote user RDP to their PC using the VPN

    for a user whose network has a different ip range everything works

    The problem is for a user whose network is the same

    So according to your suggestion

    =========

    under REMOTE ACCESS->SSL->PROFILE-> MyProfile I set:

    Users and Groups: [the user/users]

    Local Networks: FakeNetwork

    Automatic Firewall rules: ON

    =========

    under REMOTE ACCESS->Advanced I set:

    DNS server #1: [the local dns server ip]

    Domain name: [the local domain name]

    =======

    Now I have these network definitions:

    FakeNetwork : 192.168.20.0/24

    MyNetwork: 192.168.1.0/24

    VPN Pool (SSL): 10.242.2.0/24

    =======

    What do I have to do under NAT?

    with the NAT 1:1 rules I created before it doesn't work

    Thank you

    Rudy 

  • Ciao Rudy - first time I've seen you here - welcome to the UTM Community!

    The real solution is to change the IP range in use by your LAN.  My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve anything in 10.0.0.0/8 for giant multinationals, ISPs, etc.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember (in reply to rudy cox)

    As per your query, SSL VPN works fine for users whose home network is different from the office network, but not for users whose home network is the same as the office network.

    Office network: 192.168.1.0/24

    To provide resource access to these users, you've set up their SSL VPN profile with 'Local Networks' as fake network == 192.168.20.0/24

    As per the user profile configuration when a user connects to SSL VPN, a route to 192.168.20.0/24 network will be added to the client machine.

    To access 192.168.1.0/24 resources they need to initiate a request with a fake network.

    ==> For example: if they'd like to RDP to 192.168.1.5, then from the client machine they need to initiate the RDP request to the fake IP 192.168.20.5

    On the UTM, you need to set up a 1:1 NAT rule at the top with the parameters below.

    For traffic from: SSL VPN pool
    Using service: ANY
    Going to: 192.168.20.0/24

    1:1 NAT mode: Map destination
    Map to: 192.168.1.0/24

    Automatic firewall rule: On


    Hope this helps :)
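    The two mechanisms the replies above rely on (Damon's point that the profile must push a route to the fake network, and Yash's 1:1 "map destination" NAT rule) can be modelled in a few lines. The block below is an added example, not Sophos code or UTM configuration: it simulates the client's longest-prefix-match routing decision and the UTM's NETMAP-style 1:1 translation. The networks are the thread's own (192.168.1.0/24, 192.168.20.0/24, 10.242.2.0/24); the client pool address 10.242.2.2 and the office PC 192.168.1.5 are constructed sample values, and the "dropped"/"home-lan" outcome labels are this example's own.

```python
"""Model of the overlapping-subnet SSL VPN fix from this thread (added example, not Sophos code).

Part 1: the client's longest-prefix-match routing, which is why the VPN profile
        must push a route to FakeNetwork (without it, 192.168.20.x goes to the
        home router; 192.168.1.x always stays on the home LAN of the same range).
Part 2: the UTM's 1:1 NAT rule "from SSL pool, any service, to FakeNetwork,
        map destination to MyNetwork", which keeps the host part of the address.
"""
from ipaddress import IPv4Address, IPv4Network

OFFICE_LAN = IPv4Network("192.168.1.0/24")   # MyNetwork (thread)
HOME_LAN = IPv4Network("192.168.1.0/24")     # the user's home LAN, same range (thread)
FAKE_NET = IPv4Network("192.168.20.0/24")    # FakeNetwork (thread)
SSL_POOL = IPv4Network("10.242.2.0/24")      # VPN Pool (SSL) (thread)
DEFAULT = IPv4Network("0.0.0.0/0")


def pick_route(dst, routes):
    """Longest-prefix match over (network, interface) pairs, as a host's stack does."""
    dst = IPv4Address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def client_routes(fake_route_pushed):
    """Routing table of a connected SSL VPN client sitting on HOME_LAN."""
    routes = [(HOME_LAN, "eth0"), (DEFAULT, "eth0"), (SSL_POOL, "tun0")]
    if fake_route_pushed:  # FakeNetwork listed under 'Local Networks' in the profile
        routes.append((FAKE_NET, "tun0"))
    return routes


def netmap(addr, from_net, to_net):
    """1:1 NAT: move addr from from_net into to_net, preserving the host bits."""
    addr = IPv4Address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT requires networks of equal size")
    if addr not in from_net:
        return addr
    host = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host)


def utm_map_destination(src, dst):
    """The thread's rule: SSL pool -> any -> FakeNetwork, map destination to MyNetwork.
    Returns (src, translated dst, matched)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    if src in SSL_POOL and dst in FAKE_NET:
        return src, netmap(dst, FAKE_NET, OFFICE_LAN), True
    return src, dst, False


def utm_untranslate_reply(src, dst):
    """Reverse mapping on the reply (connection tracking): the office PC's real
    source address becomes the fake address the client originally sent to."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    if dst in SSL_POOL and src in OFFICE_LAN:
        return netmap(src, OFFICE_LAN, FAKE_NET), dst
    return src, dst


def rdp_path(client_pool_ip, target, fake_route_pushed):
    """Where an RDP attempt from the VPN client ends up: 'home-lan' or
    'default-gateway' when it never enters the tunnel, 'dropped' when it is in the
    tunnel but no NAT rule matches, else the real office address it reaches."""
    iface = pick_route(target, client_routes(fake_route_pushed))
    if iface != "tun0":
        return "home-lan" if IPv4Address(target) in HOME_LAN else "default-gateway"
    _, real_dst, matched = utm_map_destination(client_pool_ip, target)
    return str(real_dst) if matched else "dropped"


if __name__ == "__main__":
    # Constructed scenario: client got 10.242.2.2 from the pool and wants office PC 192.168.1.5
    print(rdp_path("10.242.2.2", "192.168.1.5", True))    # home-lan: real address never leaves home
    print(rdp_path("10.242.2.2", "192.168.20.5", False))  # default-gateway: no route to FakeNetwork
    print(rdp_path("10.242.2.2", "192.168.20.5", True))   # 192.168.1.5: pushed route + 1:1 NAT
    print(utm_untranslate_reply("192.168.1.5", "10.242.2.2"))  # reply comes back as 192.168.20.5
```

    Running it shows the three cases the thread went through: the real address 192.168.1.5 is delivered on the home LAN whatever the UTM does, the fake address only enters the tunnel once the profile pushes the route, and the 1:1 rule then maps 192.168.20.5 to 192.168.1.5 while the reply is mapped back so the client sees a consistent peer. The NAT rule must come first so it takes precedence over any masquerading rule that would otherwise see the same traffic.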

  • YASH IT WORKS. FANTASTIC!!!! 

    Thank you, thank you, thank you, thank you

    Rudy
