No access to email server while on SSL VPN

Stephen
Stephen Posts: 14  Freshman Member
edited April 2021 in Security
Hi all -

I have a USG110 set up with several static IPs.  Behind one of them is an email server.  When connecting via SSL (via SecuExtender), I can no longer access the email server.  From what I can see, the traffic is getting thru, but perhaps not back?  Has anyone else experienced this issue?

Comments

  • PeterUK
    PeterUK Posts: 2,758  Guru Member

    If you're connecting externally you would normally use DNS to get the WAN IP of the email server.

    If you open up your SSL VPN rule and uncheck “Force all client traffic to enter SSL VPN tunnel” can you get to your Email server like that?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    Hi @Stephen,
    Can you post the following command result and network topology for further checking?
    Router# show sslvpn policy
  • Stephen
    Stephen Posts: 14  Freshman Member
    @PeterUK - yep. Unchecking "Force all client traffic to enter SSL VPN tunnel" does seem to fix that.  That being said...is there a way to have both?

    @Zyxel_Cooldia -- do you want that run from the Console? I've had trouble getting that to run, so I'll need to get that fixed. 
  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    edited May 2018

    Is your Email set with a NAT LAN IP? Like 192.168.1.10? If so, and you have a NAT rule, check NAT loopback.

    When you attempt to connect to your Email server are there any blocks to it in the logs?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    Hi @Stephen,
    You also can run the CLI from the SSH access.

  • Stephen
    Stephen Posts: 14  Freshman Member
    @PeterUK - NAT loopback is set up. Yes, it's essentially a 192.168.1.10 like address.  It's set up as a 1:1 NAT.  I see the traffic hitting the email server, but nothing seems to be transiting back.
  • Stephen
    Stephen Posts: 14  Freshman Member
    In the above example, the SSL addresses are being given a 192.168.2.X address upon connection.
  • Stephen
    Stephen Posts: 14  Freshman Member
    @Zyxel_Cooldia -- sorry for the delay.

    index: 1
      active: yes
      name: Stephen_SSL
      description: SSL VPN for Stephen
      user: stephen
      ssl application:
      network extension: yes
      traffic enforcement: yes
      netbios broadcast: no
      ip pool: SSL_VPN_USERS
      dns server 1: 0.0.0.0
      dns server 2: 1.1.1.1
      wins server 1:
      wins server 2:
      network:
      reference count: 1

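As an added example (not from this thread or from Zyxel), a small Python checker that parses `show sslvpn policy` output in the shape posted above and flags the three points the thread turns on: a 0.0.0.0 DNS server, full-tunnel enforcement, and an empty network list. The sample output is constructed from the post above, and the mapping of "traffic enforcement: yes" to the GUI checkbox "Force all client traffic to enter SSL VPN tunnel" is an assumption.

```python
import ipaddress

# Constructed sample in the shape of the `show sslvpn policy` output posted in this thread.
SAMPLE_POLICY = """\
index: 1
  active: yes
  name: Stephen_SSL
  user: stephen
  network extension: yes
  traffic enforcement: yes
  ip pool: SSL_VPN_USERS
  dns server 1: 0.0.0.0
  dns server 2: 1.1.1.1
  network:
  reference count: 1
"""

def parse_sslvpn_policy(text):
    """Split the CLI output into one dict per policy, keyed by field name."""
    policies, current = [], None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "index":  # each policy block starts with its index line
            current = {"index": value}
            policies.append(current)
        elif current is not None:
            current[key] = value
    return policies

def check_policy(policy):
    """Return findings relevant to 'mail server unreachable over the SSL VPN'."""
    findings = []
    for key in ("dns server 1", "dns server 2"):
        value = policy.get(key)
        # 0.0.0.0 is the unspecified address: reserved, never a usable resolver
        if value and ipaddress.ip_address(value).is_unspecified:
            findings.append(f"{key}: {value} is not a usable resolver address")
    # Assumption: 'traffic enforcement: yes' is the CLI view of the GUI checkbox
    # 'Force all client traffic to enter SSL VPN tunnel' (full tunnel).
    if policy.get("traffic enforcement") == "yes":
        findings.append("traffic enforcement: full tunnel, so reaching the mail server by its "
                        "public WAN IP depends on NAT loopback and a permitting firewall rule")
    if not policy.get("network"):
        findings.append("network: empty, so no LAN subnet is pushed to clients for split tunnelling")
    return findings
```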
  • PeterUK
    PeterUK Posts: 2,758  Guru Member
    edited May 2018

    DNS 0.0.0.0? I know there is a 1.1.1.1 DNS but don't think there's a 0.0.0.0, as that IP is reserved.

    When you attempt to connect to your Email server are there any blocks to it in the logs? You may need a firewall rule as you're connecting down the VPN for a WAN IP of your server with NAT loopback.

    Or as a test you could put in the host file of the PC/laptop the Email server's LAN IP.

  • Stephen
    Stephen Posts: 14  Freshman Member
    Under the first DNS option, in the GUI, it's set to ZyWALL.  I'm not sure why it's showing up as 0.0.0.0. I've tried having 8.8.8.8 in there as well, but no success changing the DNS around. 

    No, I'm not seeing any blocks. I'm seeing it all forwarded.  I can see the computer hitting the email server as well. If I'm local on the network, the NAT loopback is working as expected. I'll experiment around with firewall rules later.
