Astaro User Bulletin Board
#1, 06-30-2009, 10:18 PM
Junior Member (Join Date: Jun 2009, Posts: 3)
Unable to access WAN addr space through SSL VPN tunnel

Folks,

I'm trying an Astaro V7.403 and it seems to be unable to grant access to other hosts in the WAN address space because, when I put that CIDR into the "Local networks" box, this traffic is routed to my client's tun (correct), including the Astaro WAN's IP address (wrong), creating a routing loop at the client's box.

When I manually edit the openvpn.conf (I know it is an unsupported change) and add this...

    push "route remote_host 255.255.255.255 net_gateway"
...my Astaro pushes a route into my client's box, forwarding the Astaro's IP to the client's default gateway.

Is there any "authorized" way to solve this?

TIA,
d00b

#2, 07-01-2009, 01:21 AM
BAlfson, Moderator (Join Date: Mar 2007, Location: Oklahoma City, Posts: 5,390)

Do I understand correctly that you are trying to offer SSL VPN Remote Access (not Site-to-Site) and that you want the clients to be able to access the Internet via the Astaro HTTP/S Proxy?
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#3, 07-01-2009, 02:25 PM
Junior Member (Join Date: Jun 2009, Posts: 3)

Not really... We have a border firewall (no NAT) and a couple of servers behind it, including the Astaro WAN. Behind the Astaro we have the internal LAN. I'm trying to access these servers in the same address space as the Astaro WAN, through the SSL VPN Remote Access, connecting from outside (Internet, border firewall's WAN).

Do I make myself clear?
#4, 07-01-2009, 03:59 PM
BAlfson, Moderator (Join Date: Mar 2007, Location: Oklahoma City, Posts: 5,390)

Are the servers in the network on the external interface of the Astaro? If so, then you might try to resolve this by adding host definitions for those servers to the list of 'Local networks' for the SSL VPN.

Cheers - Bob
#5, 07-01-2009, 05:34 PM
Junior Member (Join Date: Jun 2009, Posts: 3)

Thank you, Bob, it solves the problem, but I'll need to update these definitions every time someone puts a new server (or adds a new IP address) in the public segment.

My suggestion is to add an option to push to the client a route to the Astaro, to avoid a routing deadlock even when we set an IP range that the Astaro itself is part of.
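The loop described in post #1 and the host-definition workaround from post #4, worked through as an added example. This is not code from the thread or from Astaro; it assumes IPv4, that the SSL VPN server pushes one route per "Local networks" entry, and that the VPN endpoint is the gateway's external (WAN) address. The DMZ and LAN addresses are constructed (RFC 5737 / RFC 1918 ranges), not taken from the thread. The OpenVPN keywords `remote_host` and `net_gateway` are real directive arguments.

```python
#!/usr/bin/env python3
"""Route-loop check for an OpenVPN-based SSL VPN server that pushes routes.

Added example, not code from the thread or from Astaro. Assumptions:
IPv4 only; one route is pushed per 'Local networks' entry; the VPN
endpoint is the gateway's external (WAN) address. Sample addresses are
constructed (RFC 5737 / RFC 1918), not taken from the thread.
"""
import ipaddress


def _nets(local_networks):
    return [ipaddress.ip_network(n, strict=False) for n in local_networks]


def loop_routes(local_networks, server_ip):
    """Pushed networks that contain the server's own address.

    Any such route sends the client's encrypted packets (destined for
    server_ip) back into the tunnel: the loop described in post #1.
    """
    ip = ipaddress.ip_address(server_ip)
    return [n for n in _nets(local_networks) if ip in n]


def is_loop_free(local_networks, server_ip):
    """True when no pushed network swallows the client's route to the server."""
    return not loop_routes(local_networks, server_ip)


def host_exception_directive():
    """Post #1's fix as an OpenVPN server-side directive.

    On the client, 'remote_host' expands to the address it connected to
    and 'net_gateway' to its pre-existing default gateway, so one line
    serves every client regardless of which server address it dialled.
    """
    return 'push "route remote_host 255.255.255.255 net_gateway"'


def carve_out(local_networks, server_ip):
    """Post #4's workaround, generalised to whole ranges.

    Entries that do not contain server_ip are kept; each entry that does
    is replaced by the minimal set of CIDRs covering everything in it
    except server_ip. The result is what to define as 'Local networks'
    instead of the whole DMZ range: every other host in the range stays
    reachable, and hosts added to the range later are covered without
    touching the definitions again (the concern raised in post #5).
    """
    ip = ipaddress.ip_address(server_ip)
    host = ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
    out = []
    for n in _nets(local_networks):
        # address_exclude() yields the sibling subnets left after removing
        # the /32; it requires the excluded network to lie inside n.
        out.extend(n.address_exclude(host) if ip in n else [n])
    return sorted(out)


def push_directives(networks):
    """Render networks as the 'push route' lines OpenVPN would send."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in networks]


if __name__ == "__main__":
    # Constructed sample: an 8-address public DMZ (/29) that holds the
    # gateway's WAN IP and a few other servers, plus the internal LAN.
    dmz_and_lan = ["203.0.113.0/29", "192.168.1.0/24"]
    astaro_wan = "203.0.113.3"

    print("routes that would loop:", [str(n) for n in loop_routes(dmz_and_lan, astaro_wan)])
    print("option A (unsupported openvpn.conf edit):")
    print("   " + host_exception_directive())
    print("option B (definitions that leave out the gateway's own address):")
    for line in push_directives(carve_out(dmz_and_lan, astaro_wan)):
        print("   " + line)
```

Two caveats. First, OpenVPN's `redirect-gateway` option installs the same host route to the server automatically, which is why putting 'Any' in 'Local networks' (post #6) does not loop even though 0.0.0.0/0 contains the server address; the script reports that case as a loop because it only models plain `push "route"` entries. Second, the carve-out produces /31 and /32 pieces; whether WebAdmin accepts a /31 as a network definition is not something the thread confirms, and a /31 can always be entered as two host definitions instead.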
#6, 07-01-2009, 08:41 PM
BAlfson, Moderator (Join Date: Mar 2007, Location: Oklahoma City, Posts: 5,390)

Yes, but you only have a total of eight (8) IPs in your DMZ. You might be able to just put 'Any' in 'Local networks'. That is the "standard" way to allow the VPN clients to reach the public Internet.

In fact, the preferred solution is to put the DMZ "behind" the Astaro and to assign private IPs to them. Assign the public IP for each server to an 'Additional Address' on the External interface, and create DNATs like 'Any -> [Services] -> [Public IP] : DNAT to [Private IP]'. In order to reach the servers via their FQDN from your internal network, add static entries in the Astaro DNS proxy or your internal DNS server.

Cheers - Bob
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.

These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality do not constitute a commitment of Astaro to integrate this functionality into future releases.