No access to email server while on SSL VPN

Comments

  • PeterUK (Guru Member), edited May 2018
    Stephen said: "I can see the computer hitting the email server as well."

    So you can see the TCP SYN to the server and the server sending a SYN ACK?

    If you can see the three-way handshake and more, the issue might be with your email server.

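The check PeterUK is asking for is whether the capture on the USG shows all three steps of the handshake or stops after the server's SYN-ACK. The script below is an added example (not part of this thread, and not a Zyxel tool): it parses a constructed tcpdump-style summary and classifies each connection attempt as complete, half-open (SYN-ACK seen but no client ACK) or unanswered (SYN with no reply). The addresses reuse the thread's own values (VPN client 192.168.1.250, LAN client 192.168.1.33, server 172.16.2.33); the ports, timestamps and line format are assumptions.

```python
"""Classify TCP connection attempts in a capture summary by handshake state."""
import re
from collections import Counter, defaultdict

# Constructed capture summary (tcpdump-like): time  src:port > dst:port [flags]
# Flags: [S] = SYN, [S.] = SYN-ACK, [.] = ACK without payload.
CAPTURE = """\
10:00:01.000 192.168.1.250:51000 > 172.16.2.33:993 [S]
10:00:01.002 172.16.2.33:993 > 192.168.1.250:51000 [S.]
10:00:02.000 192.168.1.250:51001 > 172.16.2.33:993 [S]
10:00:02.002 172.16.2.33:993 > 192.168.1.250:51001 [S.]
10:00:02.003 192.168.1.250:51001 > 172.16.2.33:993 [.]
10:00:03.000 192.168.1.33:52000 > 172.16.2.33:993 [S]
10:00:03.001 172.16.2.33:993 > 192.168.1.33:52000 [S.]
10:00:03.002 192.168.1.33:52000 > 172.16.2.33:993 [.]
10:00:04.000 192.168.1.250:51002 > 172.16.2.33:25 [S]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]$"
)


def classify_flows(text):
    """Return {(client, server): state} for every SYN seen in the capture.

    client/server are 'ip:port' strings; the client is the side that sent the SYN.
    state is 'complete', 'half-open' (SYN-ACK seen, no client ACK) or 'unanswered'.
    """
    stages = {}  # (client, server) -> set of handshake stages observed
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected summary format
        src = f"{m['src']}:{m['sport']}"
        dst = f"{m['dst']}:{m['dport']}"
        flags = m["flags"]
        if flags == "S":
            # A bare SYN opens a new attempt from src (client) to dst (server).
            stages.setdefault((src, dst), set()).add("syn")
        elif flags == "S." and (dst, src) in stages:
            # SYN-ACK travels server -> client, so the flow key is reversed.
            stages[(dst, src)].add("synack")
        elif flags == "." and "synack" in stages.get((src, dst), set()):
            # Client's third-step ACK; only counts once a SYN-ACK was seen.
            stages[(src, dst)].add("ack")

    result = {}
    for flow, seen in stages.items():
        if "ack" in seen:
            result[flow] = "complete"
        elif "synack" in seen:
            result[flow] = "half-open"
        else:
            result[flow] = "unanswered"
    return result


def per_client_summary(flow_states):
    """Aggregate handshake states per client IP: {ip: Counter({state: n})}."""
    summary = defaultdict(Counter)
    for (client, _server), state in flow_states.items():
        client_ip = client.rsplit(":", 1)[0]
        summary[client_ip][state] += 1
    return dict(summary)


if __name__ == "__main__":
    states = classify_flows(CAPTURE)
    for flow, state in sorted(states.items()):
        print(f"{flow[0]} -> {flow[1]}: {state}")
    for ip, counts in sorted(per_client_summary(states).items()):
        print(ip, dict(counts))
```

Reading the result: a flow that is "unanswered" on the USG means the SYN never got a reply (server or a firewall rule in front of it), while "half-open" means the server did answer but the client's ACK never came back through the USG, which points at the path between the USG and the VPN client rather than at the mail server.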
  • Stephen (Freshman Member)
    Yes - a packet capture off the USG shows TCP SYN to the server and server sending SYN ACK back to the user/device.
  • PeterUK (Guru Member)

    But not more than that? No ACK from the user/device?

    So it looks like it tries to lookback but fails...

    Is the VPN IP pool not overlapping with another subnet?

    If you're using the USG as the DNS in System > DNS, you could add an Address/PTR record with FQDN your email server domain and IP Address the LAN IP of the server.

  • Stephen (Freshman Member)
    Does not appear that way. 

    It was not, but I changed it to overlap with a subnet I know works and that did not fix anything. 

    I added the DNS record, also with no success.

    Just attempting a simple ping test - while sitting on the network (i.e. 192.168.1.33) attempting to ping the server (which I forgot to mention is on the DMZ) at 172.16.2.33 I can check email and ping the server.  The moment I turn on the SSL and take on a 192.168.1.250 address, the ping drops and email access drops. 
  • PeterUK (Guru Member), edited May 2018

    Did you point the DNS record to 172.16.2.33?

    What firmware are you on?

    So at the moment unchecking “Force all client traffic to enter SSL VPN tunnel” works, but I guess you would like internet down the VPN.

  • PeterUK (Guru Member), edited May 2018

    OK, I might have a workaround with which ping works down the SSL VPN to your server at 172.16.2.3 on the DMZ port.

    Firewall:
    - from SSL_VPN
    - to DMZ
    - source and destination any
    - service any or ICMP or ping

    Routing:
    - incoming SSL_VPN
    - member SSL_VPN
    - source and destination any
    - service ICMP or ping
    - next hop: type Interface, Interface DMZ
    - address translation: source network address translation outgoing-interface

    You should now be able to ping from the SSL VPN to 172.16.2.3

  • Stephen (Freshman Member)
    Okay - did all that. That comes back with:

    Warning message:
    CLI Number: 3
    Warning Number: 28005
    Warning Message: 'Invalid gateway from Next-Hop interface. Policy route will not work.'
  • PeterUK (Guru Member)

    I get that error too, but it works.

  • Stephen (Freshman Member)
    I lose all access to the internet when doing that. Not only can I not ping the device, I can no longer get any internet access.
  • PeterUK (Guru Member), edited May 2018

    Yes, if you route with service any it does that, so if you set destination IP 172.16.2.33 for the routing rule, that should allow internet on the SSL VPN and ping to 172.16.2.33.

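The two iterations of the policy route above (destination any, then destination 172.16.2.33) differ only in what they match, and that is what decides whether internet traffic from the VPN also gets pushed out of the DMZ interface. The model below is an added example, not Zyxel's implementation: a first-match policy-route matcher with the fields used in this thread (incoming interface, destination, service, next-hop interface, SNAT to the outgoing interface). It routes two packets from the VPN client, a ping to the server and an HTTPS request to an internet host, through each version of the rule. The DMZ interface address 172.16.2.1, the internet address 203.0.113.10 and the "default-route" label are assumptions.

```python
"""Toy first-match policy routing: why 'destination any' breaks internet on the VPN."""
import ipaddress
from dataclasses import dataclass

ANY = "any"
DEFAULT_ROUTE = "default-route"           # label for 'no policy route matched'
INTERFACE_ADDR = {"DMZ": "172.16.2.1"}    # assumed USG address on the DMZ interface


@dataclass(frozen=True)
class Packet:
    incoming: str   # interface the packet arrived on, e.g. 'SSL_VPN'
    src: str        # source IP
    dst: str        # destination IP
    service: str    # 'icmp', 'tcp/443', ...


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str            # 'any' or an interface name
    dst: str                 # 'any', a single IP or a CIDR block
    service: str             # 'any' or a service name
    next_hop_iface: str      # egress interface when the rule matches
    snat_outgoing: bool = False  # rewrite source to the egress interface address

    def matches(self, pkt):
        """True when every criterion is 'any' or matches the packet."""
        if self.incoming != ANY and self.incoming != pkt.incoming:
            return False
        if self.service != ANY and self.service != pkt.service:
            return False
        if self.dst != ANY:
            # A bare IP is treated as a /32 by ip_network().
            net = ipaddress.ip_network(self.dst, strict=False)
            if ipaddress.ip_address(pkt.dst) not in net:
                return False
        return True


def route(pkt, rules):
    """Return (egress, source address after NAT) for the first matching rule,
    or (DEFAULT_ROUTE, original source) when no policy route matches."""
    for rule in rules:
        if rule.matches(pkt):
            src = INTERFACE_ADDR[rule.next_hop_iface] if rule.snat_outgoing else pkt.src
            return rule.next_hop_iface, src
    return DEFAULT_ROUTE, pkt.src


# Constructed packets from the VPN client (192.168.1.250 as in the thread).
PING_TO_SERVER = Packet("SSL_VPN", "192.168.1.250", "172.16.2.33", "icmp")
HTTPS_TO_INTERNET = Packet("SSL_VPN", "192.168.1.250", "203.0.113.10", "tcp/443")
# Same ping but arriving from the LAN; it should never hit an SSL_VPN rule.
PING_FROM_LAN = Packet("LAN1", "192.168.1.33", "172.16.2.33", "icmp")

# First attempt in the thread: everything from SSL_VPN goes to the DMZ interface.
BROAD_RULE = PolicyRoute("SSL_VPN", ANY, ANY, "DMZ", snat_outgoing=True)
# Suggested fix: only traffic for the mail server is steered to the DMZ.
NARROW_RULE = PolicyRoute("SSL_VPN", "172.16.2.33", ANY, "DMZ", snat_outgoing=True)


def compare_rules(packets):
    """Route each packet through both rule sets; {(rule name, packet): (egress, src)}."""
    out = {}
    for name, rule in (("broad", BROAD_RULE), ("narrow", NARROW_RULE)):
        for pkt in packets:
            out[(name, pkt)] = route(pkt, [rule])
    return out


if __name__ == "__main__":
    for (name, pkt), (egress, src) in compare_rules(
        [PING_TO_SERVER, HTTPS_TO_INTERNET, PING_FROM_LAN]
    ).items():
        print(f"{name:6} {pkt.src} -> {pkt.dst} ({pkt.service}): via {egress}, src {src}")
```

With the broad rule the HTTPS packet is sent out of the DMZ interface with a DMZ source address, which is exactly the loss of internet access Stephen reports; with the narrow rule it falls through to the normal route while the ping to 172.16.2.33 still goes to the DMZ. The SNAT step is what lets the server answer without needing a return route for the VPN pool: from its point of view the ping comes from the USG's own DMZ address.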