In https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/53527 , mrainey posed a question about doing: [home client] -> (SSL Remote Access) -> [ASG220] -> (IPsec Site-to-Site) -> [ASG120] -> [Terminal Server] He was unable to accomplish this without: adding the 'VPN Pool (SSL)' to 'Local networks' for the 'IPsec Connection' on the ASG220 creating a network definition on the 120 (SSL Pool on the 220) and adding it to 'Remote networks' for the 'Remote gateway' in the 120. This makes it appear like he needs to alllow the internal network of the 120 to access the 'VPN Pool (SSL)' on the 220. Is that an idiosyncracy of Terminal Server, or is there a flaw in my understanding?* Thanks - Bob *OK, OK, I know there are lots of flaws. [:D]

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Basic VPN question

In https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/53527, mrainey posed a question about doing:

[home client] -> (SSL Remote Access) -> [ASG220] -> (IPsec Site-to-Site) -> [ASG120] -> [Terminal Server]

He was unable to accomplish this without:

adding the 'VPN Pool (SSL)' to 'Local networks' for the 'IPsec Connection' on the ASG220
creating a network definition on the 120 (SSL Pool on the 220) and adding it to 'Remote networks' for the 'Remote gateway' in the 120.

This makes it appear like he needs to alllow the internal network of the 120 to access the 'VPN Pool (SSL)' on the 220. Is that an idiosyncracy of Terminal Server, or is there a flaw in my understanding?*

Thanks - Bob
*OK, OK, I know there are lots of flaws. [:D]

This thread was automatically locked due to age.

Parents

0 BAlfson over 14 years ago

"Bueller?….Bueller?….Bueller? ..." (from "Ferris Bueller's Day Off")

Are the resident VPN gurus too busy living the last days of summer?

The more I think about this, the more I think that Terminal Server must need to be able to initiate transactions with the client. Otherwise, why would it need to be able to see the 'Remote Access VPN Pool (SSL)' of the Astaro at the other end of the Site-to-Site IPsec VPN?

Or, is this a subtle routing issue?

Thanks - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 14 years ago

"Bueller?….Bueller?….Bueller? ..." (from "Ferris Bueller's Day Off")

Are the resident VPN gurus too busy living the last days of summer?

The more I think about this, the more I think that Terminal Server must need to be able to initiate transactions with the client. Otherwise, why would it need to be able to see the 'Remote Access VPN Pool (SSL)' of the Astaro at the other end of the Site-to-Site IPsec VPN?

Or, is this a subtle routing issue?

Thanks - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 dilandau over 14 years ago in reply to BAlfson

I'm not sure about your confusion on this issue Bob. In general traffic will only be routed over an IPSec site-to-site tunnel if both source and destination networks match exactly what is specified for the local and remote networks. That is why the remote ssl pool needs to be added to the local networks on the one side and the remote on the other, otherwise traffic to/from the ssl network will not be sent across the tunnel. Does that clear it up for you?
Cancel
Vote Up 0 Vote Down

Cancel