Tuesday, January 29, 2019

Troubleshooting SSL VPN remote access over a SonicWall, connecting to a network behind a Sophos firewall

To preface, here's a diagram of what I have in place and what I'm trying to do: https://i.imgur.com/MeD93VX.png
The design is not ideal, but I don't have the ability to manage the Sophos. (State gov entity, central location has authority on the device, and changes have to be requested.) So that's why I'm trying to get around having to outsource management for remote access. I should also note that there is a firewall rule on the SonicWall that disallows traffic between the production network and secondary network, for security purposes. For the purpose of my issue, you can ignore the LAN for the secondary network.

This is where I'm at currently:
SSL VPN is configured correctly off the SonicWall. (I've set VPN access up this way many times before, so I'm sure I've got it right.) A NetExtender client on a PC outside the network will connect and authenticate with a domain account against my domain controller on the production network (P-LAN). Once successful, I get an IP address in my SSL VPN IP pool, and I can see that it has given the client a route to P-LAN, as well as DNS servers on the P-LAN, and the domain suffix. I can also ping the P-LAN gateway (165.X.X.1). And I see traffic on my SonicWall access rule from SSLVPN > P-LAN. And that's the extent of my success.

I can't ping anything else, access UNC shares, RDP, or contact other applications on different subnets from the central servers. I've been battling with this for a while, not sure what to do, until it occurred to me that there was probably an issue routing back from the Sophos to the 165.X.X.40 gateway, as the P-LAN interface IP on the SonicWall. So, I was finally able to get central to throw a static route in for me on the Sophos: https://i.imgur.com/cThhHWK.png
After getting that in place, I tested again and saw no change.
Next step in troubleshooting was to connect with NetExtender again and try to ping something on the P-LAN that wasn't the gateway, and view the Sophos logs. I did that, and this is what I saw: https://i.imgur.com/mQkaQHt.png (the source IP column showed the device I was trying to ping, sometimes the protocol was ICMP, but it still always showed firewall rule 0 as blocking everything, which doesn't exactly exist, apparently. I could also see when I attempted to RDP on port 3389.)

My networking skills are not as sharp as they should be, so this is the point where I've been lost for the last couple of days. I thought that the route would see the 10.1.1.0/24 destination and route it over the 165.X.X.40 address, so the traffic could get back out to the SonicWall, and then over the WAN to the client. What am I missing or doing wrong that it's not working as is? Does this communication require a new firewall rule? And also, why can I ping the production LAN IP (165.X.X.1) when connected remotely, but nothing else? And why can SSL VPN communicate and authenticate against my DC on the P-LAN?
Again, I know this design isn't the best, but I'm working with what I have and what I have access to.
Any help would be super appreciated. Thank you.
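One way to see where the return path breaks, as an added example that is not part of the original post: a small Python model of the topology above that traces a packet hop by hop through each device's routing table and allow rules. It assumes 165.0.0.x as a stand-in for the masked 165.X.X.x addresses, that a device drops forwarded traffic no allow rule matches, and that a gateway's own replies bypass its forwarding rules; it also goes one step past the post by showing what changes if the SonicWall source-NATs VPN clients to its P-LAN address.

```python
# Added example, not code from the original post: a path-trace model of the
# topology described above. 165.0.0.x stands in for the masked 165.X.X.x values;
# every forwarding device drops traffic that no allow rule matches (assumed).
import ipaddress as ipa
ANY = ipa.ip_network("0.0.0.0/0")
VPN_POOL = ipa.ip_network("10.1.1.0/24")   # SSL VPN client pool
P_LAN = ipa.ip_network("165.0.0.0/24")     # production LAN (constructed prefix)
SONICWALL, SOPHOS = "165.0.0.40", "165.0.0.1"   # SonicWall P-LAN IP, P-LAN gateway
SERVER, CLIENT = "165.0.0.50", "10.1.1.5"       # a P-LAN host, a NetExtender client
# Per device: routes as (prefix, next hop) plus allowed (src zone, dst zone) pairs;
# None means a plain host with no forwarding policy. "on-link" = deliver directly.
DEVICES = {
    SONICWALL: {"routes": [(VPN_POOL, "on-link"), (P_LAN, "on-link")],
                "allow": {("vpn", "plan"), ("plan", "vpn")}},   # the SSLVPN <-> P-LAN rule
    SOPHOS: {"routes": [(P_LAN, "on-link"), (VPN_POOL, SONICWALL), (ANY, "wan")],
             "allow": set()},   # the new static route exists, but no rule allows the hairpin
    SERVER: {"routes": [(P_LAN, "on-link"), (ANY, SOPHOS)], "allow": None},
    CLIENT: {"routes": [(VPN_POOL, "on-link"), (P_LAN, SONICWALL)], "allow": None},
}

def zone_of(ip):
    addr = ipa.ip_address(ip)
    return "vpn" if addr in VPN_POOL else "plan" if addr in P_LAN else "wan"

def next_hop(device, dst):
    """Longest-prefix match in the device's routing table."""
    matches = [r for r in DEVICES[device]["routes"] if ipa.ip_address(dst) in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=(ANY, "wan"))[1]

def trace(src, dst):
    """Walk src -> dst one hop at a time; return (verdict, hops visited)."""
    hop, path = src, [src]
    while True:
        nh = next_hop(hop, dst)
        allow = DEVICES[hop]["allow"]
        # A device forwarding someone else's packet must have a matching allow rule;
        # replies a gateway generates itself (hop == src) are assumed to bypass that.
        if hop != src and allow is not None and (zone_of(src), zone_of(dst)) not in allow:
            return f"dropped at {hop}: no rule for {zone_of(src)}->{zone_of(dst)}", path
        if nh == "wan":
            return f"dropped at {hop}: no route", path
        if nh == "on-link":
            return "delivered", path + [dst]
        hop, path = nh, path + [nh]

def trace_with_snat(src, dst):
    """Same exchange if the SonicWall source-NATs VPN clients to 165.0.0.40: the
    reply is then on-link for the server, so the Sophos is never in the return path."""
    verdict, fwd = trace(src, dst)
    return (verdict, fwd) if verdict != "delivered" else trace(dst, SONICWALL)
```

Running `trace(CLIENT, SERVER)` delivers, `trace(SERVER, CLIENT)` dies at the Sophos after the server's default route sends the reply there, and `trace(SOPHOS, CLIENT)` delivers, which matches the symptom of only the gateway answering pings.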


