Routing Subnet with local NAT to Remote Subnet through VPN Tunnel

Good Morning,

I am looking for a routing solution from my network to a remote location.

We use a Sophos XG 18.0.5 MR-5 and I use a Site2Site tunnel between two subnets.
Head Office 172.17.5.0/24 and BO 172.26.176.0

Our local subnet is 192.168.0.0/24, and 172.17.5.0/24 is VLAN 5. I have routing from VLAN 172.17.5.0/24 to the BO, and that's fine.

I thought there might be an easy way to route the local subnet 192.168.0.0/24 to the BO without using the VLAN or changing the firewalls in the BO.

In a Fortinet manual I found an option to do Site2Site routing with an overlapping (same) subnet in HO/BO.
They use a NAT translation in HO and BO.

Is there any way to set up something like this in Sophos?

Thanks

Jürgen

  • FormerMember

    Hey Jürgen,

    Did you mean you want to NAT the 192.168.0.0/24 (HeadOffice) network behind any IP from the 172.17.5.0/24 network to allow communication between Head and Branch without changing the IPsec configuration?

  • Hi,

    I think this is what I want to do.
    Both subnets are in the HO.
    Allow computers in 192.168.0.0 to reach the BO.

  • FormerMember (+1), in reply to juergenb52

    Hey Jürgen,

    This is possible, but a bit tricky. I got this working in a test lab as well.

    There are two things you'll need: 1) an IPsec route, 2) a NAT rule.

    On the HeadOffice firewall, add a forced IPsec route through SSH (Option 4 > Console):

    • system ipsec_route add net 172.26.176.0/255.255.255.0 tunnelname <Tunnel_Name>

    Create a NAT rule on the Head Office firewall:

    • Source -> 192.168.0.0/24 | Destination -> Branch Network (172.26.176.0/24)
    • SNAT -> 192.168.0.5 (This could be any IP from 192.168.0.0/24. Traffic destined for the Branch network over IPsec will get NATed to this IP.)

    After this, you'll be able to ping your BO network from the HO 192.168.0.0 network.

  • Thanks,

    I tried this, but I am not sure if I have an error or need an additional firewall rule.

    I think I might have to use an SNAT IP like 172.17.5.5 (the BO is only accepting IPs from the subnet 172.17.5.0/24).

  • FormerMember, in reply to juergenb52

    Ah, sorry, I confused it with my test setup. :)

    You're right, you'll need to use an IP from the 172.17.5.0/24 subnet, as the BO is only accepting traffic from that subnet.

    Let me know how the testing goes after making the changes.

  • Thanks,
    I get a ping now from 192.168.0.x (HO) to the BO (172.26.176.0/24).
    The BO is only accepting traffic from 172.17.5.0/24 :-)

    I needed to add a firewall rule to allow traffic from 192.168.0.0/24 to 172.26.176.0/24.
    I added the ipsec_route.
    I created a NAT rule like this.

    Thanks for your help...
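The three pieces that made this work (forced IPsec route, firewall rule, SNAT to an address inside the tunnel's local selector) can be modelled to show why the first SNAT suggestion failed and the corrected one succeeds. The following Python is an added example written for this thread; it is not Sophos code and does not reflect the firewall's real internal packet path. It assumes a simplified evaluation order (route lookup, then firewall rule on the original source, then SNAT, then the BO's selector check), uses the placeholder tunnel name "HO_to_BO", and takes the networks and the 172.17.5.5 SNAT address from the posts above.

```python
import ipaddress
from dataclasses import dataclass

# Networks from the thread (HO = head office, BO = branch office).
HO_LAN = ipaddress.ip_network("192.168.0.0/24")    # HO LAN that is not a tunnel selector
HO_VLAN5 = ipaddress.ip_network("172.17.5.0/24")   # HO side of the tunnel (VLAN 5)
BO_NET = ipaddress.ip_network("172.26.176.0/24")   # BO side of the tunnel

# Forced IPsec route, the equivalent of the console command in the thread:
# destination network -> tunnel name ("HO_to_BO" is a placeholder).
IPSEC_ROUTES = {BO_NET: "HO_to_BO"}

# Firewall rules as (source, destination) pairs that are permitted.
# The second pair is the rule the original poster had to add.
FIREWALL_RULES = [(HO_VLAN5, BO_NET), (HO_LAN, BO_NET)]


@dataclass(frozen=True)
class NatRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    snat_to: ipaddress.IPv4Address


# The first suggestion (SNAT to an HO LAN address) and the corrected one
# (SNAT to an address inside the tunnel's local selector).
BAD_NAT = [NatRule(HO_LAN, BO_NET, ipaddress.ip_address("192.168.0.5"))]
GOOD_NAT = [NatRule(HO_LAN, BO_NET, ipaddress.ip_address("172.17.5.5"))]


def select_tunnel(dst):
    """Return the tunnel name for a forced IPsec route covering dst, or None."""
    for net, name in IPSEC_ROUTES.items():
        if dst in net:
            return name
    return None


def firewall_allows(src, dst, rules):
    """Firewall rules match on the original (pre-SNAT) source in this model."""
    return any(src in s and dst in d for s, d in rules)


def apply_snat(src, dst, nat_rules):
    """Return the translated source, or the original source if no rule matches."""
    for rule in nat_rules:
        if src in rule.src and dst in rule.dst:
            return rule.snat_to
    return src


def bo_accepts(src, dst):
    """The BO's selector: only HO_VLAN5 -> BO_NET is allowed through the tunnel."""
    return src in HO_VLAN5 and dst in BO_NET


def forward(src, dst, nat_rules, firewall_rules=FIREWALL_RULES):
    """Trace one packet from HO to BO and report where it ends up."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    tunnel = select_tunnel(dst)
    if tunnel is None:
        return "no-route"
    if not firewall_allows(src, dst, firewall_rules):
        return "dropped-by-firewall"
    translated = apply_snat(src, dst, nat_rules)
    if not bo_accepts(translated, dst):
        return f"rejected-by-tunnel-selector({translated})"
    return f"delivered-via-{tunnel}-as-{translated}"


if __name__ == "__main__":
    for label, rules in (("first suggestion", BAD_NAT), ("corrected", GOOD_NAT)):
        print(label, "->", forward("192.168.0.10", "172.26.176.20", rules))
    print("without the extra firewall rule ->",
          forward("192.168.0.10", "172.26.176.20", GOOD_NAT, [(HO_VLAN5, BO_NET)]))
```

Running the block shows the packet being rejected at the BO's selector when the SNAT address is 192.168.0.5, delivered as 172.17.5.5 with the corrected rule, and dropped when only the VLAN 5 firewall rule exists, which matches the three observations in the thread. The model deliberately leaves return traffic out: the BO only ever sees 172.17.5.5, so replies come back inside the tunnel's selectors and the HO firewall reverses the translation.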