Hi Community,
I have the following question. I created a policy-based Site-to-Site VPN tunnel between two sites on a Sophos XG Firewall appliance (Site A). I do not have control over the remote location (Site B).
I have three local subnets on Site A. Let's say
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
Due to IP conflicts with Site B I enabled "Network Address Translation" in the IPsec VPN connection and established the tunnel with the following NAT subnets
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24
The networks are NATed as follows:
172.16.1.0/24 <=> 192.168.1.0/24
172.16.2.0/24 <=> 192.168.2.0/24
172.16.3.0/24 <=> 192.168.3.0/24
Let's say Site B has the remote subnet 10.0.0.1/32
Therefore we have the following SAs in the final IPsec VPN connection.
172.16.1.0/24 <=> 10.0.0.1/32
172.16.2.0/24 <=> 10.0.0.1/32
172.16.3.0/24 <=> 10.0.0.1/32
So far so good. Connection established. Firewall rules created. Traffic flows from Site A to Site B.
Now, how does it work when Site B tries to connect to a specific IP in Site A?
You cannot target an IP directly, because Site B only knows the NATed subnets and not the actual subnets the Site A clients reside on. For example:
10.0.0.1 => 192.168.1.2 This will not work, because Site B has no route to 192.168.1.2.
So, should I instead use the NAT equivalent, 172.16.1.2? Will this be automatically translated to 192.168.1.2?
Or do I need to create an additional NAT rule for this specific traffic to be directed to the actual IP?
I hope I made my problem clear. I was not able to find a solution. It would be great if I could find help here.
Thanks a lot!
Best Regards,
Olli
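The following is an added illustration and is not code from the post or from Sophos. It models the subnet pairs from the question as a 1:1 network map (host bits preserved, only the network prefix swapped), which is the assumed behaviour of the IPsec NAT described above, and then traces a packet in each direction. The point it demonstrates: a Site B host that addresses 172.16.1.2 lands on 192.168.1.2 through the same mapping, while a packet addressed to 192.168.1.2 matches no SA selector at all. The subnet values are taken from the post; the function names and the decision to return None for unmatched traffic are this example's own choices.

```python
import ipaddress

# NAT map from the post: real Site A subnet -> NATed subnet that Site B sees.
NAT_MAP = {
    ipaddress.ip_network("192.168.1.0/24"): ipaddress.ip_network("172.16.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"): ipaddress.ip_network("172.16.2.0/24"),
    ipaddress.ip_network("192.168.3.0/24"): ipaddress.ip_network("172.16.3.0/24"),
}
# Remote selector on every SA (from the post).
REMOTE = ipaddress.ip_network("10.0.0.1/32")


def translate(addr, src_net, dst_net):
    """1:1 netmap (assumed behaviour): keep the host bits, swap the prefix."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 netmap requires equally sized subnets")
    host_bits = int(addr) - int(src_net.network_address)
    return dst_net.network_address + host_bits


def outbound(src_ip, dst_ip):
    """Site A -> Site B: rewrite the source to its NATed address if an SA matches.

    Returns (translated_src, dst) or None when no SA selector covers the packet.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in REMOTE:
        return None  # destination is outside every SA's remote selector
    for real_net, nat_net in NAT_MAP.items():
        if src in real_net:
            return (str(translate(src, real_net, nat_net)), str(dst))
    return None  # source is outside every local subnet covered by the tunnel


def inbound(src_ip, dst_ip):
    """Site B -> Site A: map a NATed destination back to the real host.

    Returns (src, real_dst) or None when the destination matches no SA selector,
    which is what happens if Site B addresses 192.168.1.2 directly.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in REMOTE:
        return None
    for real_net, nat_net in NAT_MAP.items():
        if dst in nat_net:
            return (str(src), str(translate(dst, nat_net, real_net)))
    return None


if __name__ == "__main__":
    # Constructed sample flows that mirror the question.
    print(outbound("192.168.1.2", "10.0.0.1"))   # ('172.16.1.2', '10.0.0.1')
    print(inbound("10.0.0.1", "172.16.1.2"))     # ('10.0.0.1', '192.168.1.2')
    print(inbound("10.0.0.1", "192.168.1.2"))    # None: not in any SA selector
```

Running the script shows that with a pure 1:1 map the reverse translation falls out of the same table, so the remote side must always address the NATed IP; whether the firewall applies this reverse mapping automatically for connections initiated from Site B is exactly the question raised in the post, and the model only shows why the direct 192.168.x.x address cannot work.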