
How to pass the assigned VPN IP Address to Servers in the target network?

Hello,

I have a problem I cannot solve on my own:

I need an IPsec VPN access to our network (192.168.0.0/24) behind our Sophos UTM (192.168.0.10). On our network I need to access a certain server (192.168.0.90) with a fixed IP address originating in this network (e.g. 192.168.0.111). This is due to the protocols used (DICOM) and a fixed configuration of the server, and it cannot be changed.

I defined a VPN Pool inside this network 192.168.0.111/32; the VPN Tunnel works and the connecting client says it got the IP Address as assigned, so far so good.

When accessing the server (192.168.0.90) as planned, the server gets the request from the IP address of the UTM (192.168.0.10) and not from 192.168.0.111 as it should. Without getting the request from 192.168.0.111 the server cannot answer the request; it has to see the assigned address (192.168.0.111) and not the one of the UTM (192.168.0.10).

How can I change the behaviour of the firewall not to interpose itself in the communication?

Thanks a lot in advance for pointing me in the right direction!



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    When accessing the server (192.168.0.90) as planned, the server gets the request from the IP address of the UTM (192.168.0.10) and not from 192.168.0.111 as it should. Without getting the request from 192.168.0.111 the server cannot answer the request; it has to see the assigned address (192.168.0.111) and not the one of the UTM (192.168.0.10).

    It seems you have a NAT rule present that is performing source NAT to VPN traffic.

    You can create a 'No NAT' rule on top for the traffic destined to the 192.168.0.90 server.

    Here is a sample snapshot for reference.

  • Hello Yash,

    thanks a lot for your answer. I tried it as suggested, but if I put in a NAT rule like the one shown, I lose connectivity to the server.

    The firewall logs show (written in white and not as usually in either red or green):

    17:23:53 NAT rule #1 TCP 192.168.0.111 : 54760 → 192.168.0.90 : 8080 [SYN] len=52 ttl=128 tos=0x00 srcmac=a8:4e:3f:17:04:b2 dstmac=c8:4f:86:01:2d:c1
    17:23:53 NAT rule #1 TCP 192.168.0.111 : 54760 → 192.168.0.90 : 8080 [SYN] len=52 ttl=127 tos=0x00 srcmac=c8:4f:86:01:2d:c0

    and the server is not reached. The originating port on the connected client is 22; the destination port is correct.

    Can you please help me with this, too?

    Thank you very much in advance.

  • FormerMember in reply to Xariom

    Hi,

    Could you please capture the packet flow in CLI?

    ==> Login to UTM shell

    utm:/root # tcpdump -nei any port 8080

    ==> Try accessing server from 192.168.0.111 and share session output here or in PM.

  • Hi Yash,

    thanks a lot for your answer. This is the result of the tcpdump as you asked:

    17:46:56.932278  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:56.932919 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:57.936543  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:57.937117 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:59.936233  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:59.936729 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0

    I cannot reach any service on the server when the NAT rule is on. Once I turn it off, everything works, but the originating IP address is the one of the firewall, as mentioned.

    Thanks a lot for your help!

  • Hello and welcome to the UTM Community!

    In the future, it's easier to get answers if you provide a diagram, even just a picture of a hand-drawn one. Is this a site-to-site connection or are you using an IPsec remote access client?

    My guess is that you want to configure 192.168.0.111 as an Additional Address named Dicom on the Internal interface and then create a NAT rule with automatic firewall rules like:

         SNAT : Any -> Any -> {192.168.0.90} : from Internal [Dicom] (Address)

    Any luck with that?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember in reply to Xariom

    Hi,

    17:46:56.932278  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:56.932919 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:57.936543  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    17:46:57.937117 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0

    As per the packet flow, I can see that the requests initiated from 192.168.0.111 are being sent OUT to 192.168.0.90 with the original source IP, but there's no reply coming back. I would like to check a packet flow once on the 192.168.0.90 server.
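    The reasoning in the reply above (SYN enters on the VPN side, is forwarded out with its original source, nothing comes back) can be automated over a `tcpdump -nei any` capture. The script below is an added example and not part of this thread or of Sophos UTM; it parses the capture lines posted above plus one constructed healthy exchange from 192.168.0.10, and classifies each client-to-server flow as dropped on the UTM, forwarded but unanswered, or ok.

```python
import re
from collections import defaultdict

# Constructed sample: the first four capture lines posted in this thread, plus a
# constructed handshake from the UTM's own address (192.168.0.10) that does get a SYN-ACK.
SAMPLE = """\
17:46:56.932278  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
17:46:56.932919 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
17:46:57.936543  In a8:4e:3f:17:04:b2 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
17:46:57.937117 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.111.59657 > 192.168.0.90.8080: Flags [S], seq 1640063302, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
17:47:10.000000 Out c8:4f:86:01:2d:c0 ethertype IPv4 (0x0800), length 68: 192.168.0.10.40000 > 192.168.0.90.8080: Flags [S], seq 1, win 65280, length 0
17:47:10.000500  In c8:4f:86:01:2d:c1 ethertype IPv4 (0x0800), length 68: 192.168.0.90.8080 > 192.168.0.10.40000: Flags [S.], seq 2, ack 2, win 65280, length 0
"""

# Matches the "tcpdump -nei any" line layout shown above (timestamp, In/Out, MAC, 4-tuple, flags).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>In|Out)\s+\S+ ethertype IPv4.*?: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(text):
    """Return one dict per parsable capture line; unrelated lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def analyse(text):
    """Per client->server 4-tuple: SYNs seen entering the UTM, SYNs forwarded out, packets back."""
    flows = defaultdict(lambda: {"syn_in": 0, "syn_out": 0, "replies": 0})
    for p in parse(text):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":          # bare SYN: the initiating side of a new connection
            flows[key]["syn_in" if p["dir"] == "In" else "syn_out"] += 1
        elif rev in flows:             # anything travelling back toward the initiator
            flows[rev]["replies"] += 1
    return dict(flows)

def diagnose(text):
    """Map each flow to 'dropped_on_utm', 'no_reply' (forwarded, server silent) or 'ok'."""
    verdicts = {}
    for key, c in analyse(text).items():
        if c["syn_in"] and not c["syn_out"]:
            verdicts[key] = "dropped_on_utm"     # SYN seen on the VPN side, never forwarded
        elif c["syn_out"] and not c["replies"]:
            verdicts[key] = "no_reply"           # server cannot route/ARP back to the source
        else:
            verdicts[key] = "ok"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in diagnose(SAMPLE).items():
        print("%s:%s -> %s:%s  %s" % (*flow, verdict))
```

    A 'no_reply' verdict for 192.168.0.111 is exactly the symptom in this thread: the UTM did its part, so the next capture belongs on the server or on the interface that should own 192.168.0.111.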

  • Hello Bob,

    thanks a lot, that did the work. Thank you both for your help.

    Cheers Xariom